
Why doesn't Lockout Examiner try to discover which specific process is sending wrong credentials?
#1
Posted 26 July 2019 - 09:48 AM
#2
Posted 02 August 2019 - 09:24 AM
Hi there,
Q: How do I discover - which program is sending wrong credentials from user1-nbc?
A: It might help to use Process Monitor and filter applications by who:
https://docs.microso...wnloads/procmon
Q: Why doesn't Netwrix Account Lockout Examiner try to discover which specific process is sending wrong credentials?
A: Probably there is a problem in your environment since in my lab it works well.
Q: Also, maybe I am wrong, but I noticed that event 4625 is taking place not when some program sends wrong credentials, but when the user1 account is already locked out and he tries to unlock his workstation from the console.
A: That's correct.
Best regards,
Forum Engineer
#3
Posted 02 August 2019 - 10:28 AM
Thank you for the reply.
I will try to test Netwrix Account Lockout Examiner in a test lab and see if it tries to find the specific process which is sending wrong credentials. But how does it do it if there is no info about the bad process in Event Viewer?
#4
Posted 02 August 2019 - 11:50 AM
Trying to filter events in Process Monitor by my username returns 75000 events. I get much better results if I just go to Task Manager > Details and arrange processes by username. Still nothing for me. The problem is on the laptop of a top manager. He will not wait while I play with processes for hours. The only way for me to resolve this problem is to make a physical-to-virtual conversion and deploy user1-nbc on a virtual machine in a test lab together with a domain controller, and then try to disable services one by one and see when the account stops locking.
But is there some other, more sophisticated way to resolve this? Event 4625 is useless, since it occurs when the account is already locked. But how does Netwrix Account Lockout Examiner try to determine which specific process is sending wrong credentials? If Event Viewer is useless, how does it do it?
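
An added example, not part of any post in this thread and not Netwrix code: a PowerShell sketch that reads the SubStatus, LogonType and ProcessName fields of event 4625 records and separates failures logged for a wrong password from those logged because the account was already locked. The sample records are constructed, and `New-Sample4625`, `ConvertFrom-Event4625` and the `sync.exe` path are hypothetical names.

```powershell
# Added example. The records below are constructed samples, not data from the thread.
# sync.exe is a hypothetical process path.
function New-Sample4625 ($SubStatus, $LogonType, $ProcessName) {
    $ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
    "<Event xmlns='$ns'><System><EventID>4625</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>user1</Data>" +
    "<Data Name='WorkstationName'>USER1-NBC</Data>" +
    "<Data Name='SubStatus'>$SubStatus</Data>" +
    "<Data Name='LogonType'>$LogonType</Data>" +
    "<Data Name='ProcessName'>$ProcessName</Data>" +
    "</EventData></Event>"
}

# Turns one 4625 event (as XML text) into an object with the fields that matter here.
function ConvertFrom-Event4625 {
    param([Parameter(ValueFromPipeline = $true)][string]$Xml)
    process {
        $f = @{}
        foreach ($d in ([xml]$Xml).Event.EventData.Data) {
            $f[$d.GetAttribute('Name')] = $d.InnerText
        }
        $sub = ([string]$f['SubStatus']).ToLower()
        $reason = switch ($sub) {
            '0xc000006a' { 'wrong password' }          # STATUS_WRONG_PASSWORD
            '0xc0000234' { 'account already locked' }  # STATUS_ACCOUNT_LOCKED_OUT
            default      { "other ($sub)" }
        }
        [pscustomobject]@{
            User      = $f['TargetUserName']
            Reason    = $reason
            LogonType = $f['LogonType']    # 5 = service, 7 = workstation unlock
            Process   = $f['ProcessName']  # caller process; '-' when not recorded
        }
    }
}

$samples = @(
    (New-Sample4625 '0xC000006A' 5 'C:\Program Files\ExampleApp\sync.exe'),
    (New-Sample4625 '0xC0000234' 7 'C:\Windows\System32\winlogon.exe')
)
$samples | ConvertFrom-Event4625 | Format-Table -AutoSize

# Against a live Security log (elevated prompt on the workstation):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4625 |
#     Group-Object Reason, Process | Sort-Object Count -Descending
```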