

Finding the AD issue with MANY admin failed logins


#1 SCADAman29325




Posted 03 December 2018 - 12:32 PM

I've got a newly installed Logon Activity monitor that sends me an email each morning. From the start there have been MANY logon failures for an admin acct (and there are a few users that are having the same issue; I'll stay focused on the admin issue).


How can I determine where the failed logins are coming from? It shows that the workstation is the domain controller server,



Cause: Pre-authentication information was invalid: usually means bad password.

This entry represents 60 matching events occurring within 600 seconds.


It appears there is a program set to activate, but the admin user/pw is invalid, but I can't find where it is coming from.


Is there help out there for me?


TIA, Phil.

Phil Hasty

City of Clinton


#2 Kirill K


Posted 03 December 2018 - 01:28 PM

Hi there,


The "Caller Computer Name" of the 4740 event ID may help you to figure out the originating server:



The 4740 event is replicated with the PDC. In order to identify the PDC, you may run the following command in the command prompt:
netdom query fsmo
Open the security event log on the PDC, filter by 4740 and find the locked user account across those events.

Best regards,
Forum Engineer
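
The steps from the reply above in PowerShell, as an added example that is not part of the original posts. The account name is a placeholder, and the script assumes a domain-joined machine and an account allowed to read the PDC's Security log; in the 4740 event XML the "Caller Computer Name" value is stored in the TargetDomainName data field.

```powershell
# Added example, not from the thread.
# Placeholder: replace with the account that shows the failed logons.
$Account = 'ADMIN-ACCOUNT-PLACEHOLDER'

# Locate the PDC emulator (the same role holder "netdom query fsmo" reports).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name

# Read account lockout events (4740) from the PDC's Security log, last 24 hours.
$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

# Turn each event's EventData into a name/value table and keep the target account.
$lockouts = foreach ($e in $events) {
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    if ($fields['TargetUserName'] -eq $Account) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $fields['TargetUserName']
            # In 4740, TargetDomainName holds the "Caller Computer Name".
            CallerComputer = $fields['TargetDomainName']
        }
    }
}

if (-not $lockouts) {
    Write-Output "No 4740 events for $Account on $pdc in the last 24 hours."
} else {
    # Most frequent caller first: that machine is where to look for the
    # service, scheduled task or mapped drive holding the old password.
    $lockouts | Group-Object CallerComputer |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'CallerComputer'; e = { $_.Name } }
}
```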
