
stop lockout issue



#1 cptkirkh

cptkirkh

    Newbie

  • Members
  • 1 posts

Posted 23 December 2015 - 01:59 PM

I installed Lockout Examiner on my network. It seems to be emailing me about our administrator account on our domain. This account is a dummy account with no rights. It keeps saying that the administrator account is potential usage of stale credentials. The computer it says it is occurring on is the server where Lockout Examiner is installed. How do I solve this?

 

Examining computer MONITOR for potential usage of stale credentials for our domain\administrator…
Examining COM objects ok, nothing found
Examining Windows services… ok, nothing found
Examining scheduled tasks... ok, nothing found
Examining logon sessions... ok, nothing found
Examining invalid logons...
Last 11 invalid logons:
from ::ffff:192.168.1.209 (\\dc2008.cic.scic.com) at 12/22/2015 11:50:31 AM
from ::ffff:192.168.1.209 (\\dc2008.cic.scic.com) at 12/22/2015 11:45:22 AM
from ::ffff:192.168.1.209 (\\dc2008.cic.scic.com) at 12/22/2015 11:40:13 AM
from ::ffff:192.168.1.209 (\\dc2008.cic.scic.com) at 12/22/2015 11:35:04 AM
from ::ffff:192.168.1.209 (\\dc2008.cic.scic.com) at 12/22/2015 11:29:55 AM
from ::ffff:192.168.1.209 (\\dc2008.cic.scic.com) at 12/22/2015 11:24:47 AM
from ::ffff:192.168.1.209 (\\dc2008.cic.scic.com) at 12/22/2015 11:19:38 AM
from ::ffff:192.168.1.209 (\\dc2008.cic.scic.com) at 12/22/2015 11:14:29 AM
from ::ffff:192.168.1.209 (\\dc2008.cic.scic.com) at 12/22/2015 11:09:21 AM
from ::ffff:192.168.1.209 (\\dc2008.cic.scic.com) at 12/22/2015 11:04:12 AM
from ::ffff:192.168.1.209 (\\dc2008.cic.scic.com) at 12/22/2015 10:59:04 AM
Done


#2 dsmirnov

dsmirnov

    Advanced Member

  • Root Admin
  • 58 posts
  • Gender:Male

Posted 23 December 2015 - 02:48 PM

cptkirkh,

 

Basically, Account Lockout Examiner just reads lockout events and invalid logon events from your DCs and reports the data found in the events.

The name of the machine causing lockouts is taken from the Caller Machine Name field of the lockout event.

 

From the Examination results it looks like there are invalid logons for the Administrator account coming from the machine with IP 192.168.1.209. Most likely there is something on that machine using the account name to authenticate.

 

To get more details you need to have Logon auditing enabled on the machine. This will allow invalid logon events to be generated, which specify the reason and probably the process generating those events.

It is event ID 4625, found in the Security log.
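As an added illustration of the advice above (this script is not from the thread and is not part of the Account Lockout Examiner product), the following PowerShell pulls the 4625 failed-logon events for one account from the local Security log and summarises which process, logon type and failure reason are behind them, plus how regularly the attempts recur. It assumes it is run elevated on the machine producing the failures (192.168.1.209 in this thread) after failure auditing for the Logon subcategory has been switched on; the account name `administrator` and the 24-hour window are placeholder parameters.

```powershell
# Added example, not code from the forum post or from Account Lockout Examiner.
# Reads failed-logon events (ID 4625) for one account from the local Security log
# and reports who is trying to authenticate, from where, with what, and why it fails.
# Assumptions: run elevated on the machine generating the failures, with Logon
# failure auditing already enabled, for example:
#   auditpol /set /subcategory:"Logon" /failure:enable
param(
    [string]$TargetUser = 'administrator',   # account named in the alert (placeholder)
    [int]$Hours = 24                         # look-back window (placeholder)
)

# SubStatus codes carried by event 4625, per Microsoft's event documentation.
$reasons = @{
    '0xC000006A' = 'wrong password'
    '0xC0000064' = 'user name does not exist'
    '0xC0000234' = 'account locked out'
    '0xC0000072' = 'account disabled'
    '0xC000006F' = 'outside permitted logon hours'
    '0xC0000070' = 'workstation restriction'
    '0xC0000193' = 'account expired'
    '0xC0000071' = 'password expired'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # 4625 stores its fields as named EventData elements; read them by name rather
    # than by position so the script does not break if the field order changes.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -ne $TargetUser) { continue }

    $sub = $d['SubStatus']
    $why = if ($reasons.ContainsKey($sub)) { $reasons[$sub] } else { $sub }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Process     = $d['ProcessName']       # e.g. C:\Windows\System32\svchost.exe
        ProcessId   = $d['ProcessId']
        LogonType   = $d['LogonType']         # 2 interactive, 3 network, 4 batch, 5 service, 7 unlock
        Workstation = $d['WorkstationName']
        SourceIp    = $d['IpAddress']
        Reason      = $why
    }
}

if (-not $rows) {
    Write-Warning "No 4625 events for '$TargetUser' in the last $Hours h. Is Logon failure auditing enabled?"
    return
}

# The process / logon type / reason combination is what points at the culprit:
# logon type 4 with a task-host process suggests a scheduled task, type 5 a service.
$rows | Group-Object Process, LogonType, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Cadence of the attempts. A fixed interval (the examination output in the thread
# shows one failure roughly every five minutes) is typical of a scheduled task,
# service or polling client holding an old password, not of a person typing one.
$times = @($rows | Sort-Object Time | Select-Object -ExpandProperty Time)
if ($times.Count -gt 1) {
    $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
    $sorted = @($gaps | Sort-Object)
    '{0} failures, median gap {1:N0} s' -f $times.Count, $sorted[[int][math]::Floor($sorted.Count / 2)]
}
```

Once the grouping shows a process name and logon type, the fix is on that machine: update or remove the stored credential in the service, scheduled task or application it identifies. If the Process field is empty, the authentication arrived over the network and the Workstation and SourceIp fields say where to run the same query next.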
