Finding the AD issue with MANY admin failed logins



#1 SCADAman29325

Posted 03 December 2018 - 12:32 PM

I've got a newly installed Logon Activity monitor that sends me an email each morning. From the start there have been MANY logon failures for an admin acct (and there are a few users that are having the same issue; I'll stay focused on the admin issue).

 

How can I determine where the failed logins are coming from? It shows that the workstation is the domain controller server.

 

Details:

Cause: Pre-authentication information was invalid: usually means bad password.

This entry represents 60 matching events occurring within 600 seconds.

 

It appears there is a program set to activate, but the admin user/pw is invalid, but I can't find where it is coming from.

 

Is there help out there for me?

 

TIA, Phil.


Phil Hasty

City of Clinton

 


#2 rihuka


Posted 03 December 2018 - 01:28 PM

Hi there,

 

The "Caller Computer Name" of the 4740 event ID may help you to figure out the originating server:

https://docs.microso...ting/event-4740

 

The 4740 event is replicated with the PDC. In order to identify the PDC, you may run the following command in the command prompt:
netdom query fsmo
 
Open the security event log on the PDC, filter by 4740 and find the locked user account across those events.

Best regards,
Kirill Kirkov
T2 Support Engineer
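
The steps in the reply above (filter the PDC's Security log for 4740 and read "Caller Computer Name") can be scripted. The following is an added example, not part of the original thread: it parses 4740 event XML and counts lockouts per account and caller computer. The function names, host names and sample events are hypothetical and constructed for illustration; `<PDC>` is a placeholder for the server reported by `netdom query fsmo`.

```powershell
# Added example. In the 4740 event XML, the "Caller Computer Name" shown in
# Event Viewer is stored in the TargetDomainName data field.
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        # Skip anything that is not an account-lockout event.
        if ($doc.GetElementsByTagName('EventID')[0].InnerText -ne '4740') { return }
        $data = @{}
        foreach ($d in $doc.GetElementsByTagName('Data')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            TimeCreated    = $doc.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
            LockedAccount  = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
        }
    }
}

# Count lockouts per (account, caller computer), most frequent first.
function Get-LockoutSource {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $EventXml | ConvertFrom-LockoutEventXml |
        Group-Object LockedAccount, CallerComputer |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample events (hypothetical names), trimmed to the fields used here.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>4740</EventID><TimeCreated SystemTime="{0}"/></System>' +
    '<EventData><Data Name="TargetUserName">{1}</Data>' +
    '<Data Name="TargetDomainName">{2}</Data></EventData></Event>'
$sample = @(
    ($template -f '2018-12-03T06:00:10Z', 'administrator', 'APPSRV01'),
    ($template -f '2018-12-03T06:10:12Z', 'administrator', 'APPSRV01'),
    ($template -f '2018-12-03T07:45:03Z', 'jsmith',        'WS-ENG-07')
)
Get-LockoutSource -EventXml $sample

# Live use against the PDC emulator (replace <PDC> with the name from `netdom query fsmo`):
# $xml = Get-WinEvent -ComputerName <PDC> -FilterHashtable @{LogName='Security'; Id=4740} |
#     ForEach-Object { $_.ToXml() }
# Get-LockoutSource -EventXml $xml
```

On the sample data this lists `administrator, APPSRV01` with a count of 2 ahead of `jsmith, WS-ENG-07` with a count of 1; a caller computer that keeps reappearing for the same account is the machine to inspect for a stored or stale credential.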
 



