How to track the source of failed logon attempts in Active Directory


KB ID 0001209 Dtd 23/06/16

Problem

A burst of failed logon attempts within a short period can indicate a password-guessing attack, a password spray across many accounts, or simply a stale credential cached on a workstation or service; either way, you want to know where the attempts are coming from. Organisations should therefore have a means of auditing and monitoring these events rather than discovering them after an account locks out. There are a number of ways to do this, one of which is to use the native Windows tools. The steps below show how to enable the auditing, find the failed logon events and read the source of each attempt from them.

Solution

  1. Run gpmc.msc to open the Group Policy Management Console, where the audit settings are configured.

  2. Edit the domain's Default Domain Policy in the Group Policy Management Editor. (A dedicated GPO linked to the Domain Controllers OU, or to the OU holding the member servers you want to monitor, is the more common practice and uses exactly the same setting.)

  3. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy and double-click 'Audit logon events'.

  4. On the Security Policy Setting tab, tick 'Define these policy settings' and select both Success and Failure. Failure is the one that matters here: the 4625 event used in step 6 is only written when failure auditing is enabled, so selecting Success alone records nothing useful for this exercise. If any Advanced Audit Policy Configuration settings are also applied to the same computers they take precedence over this basic setting; the equivalent there is Logon/Logoff > Audit Logon, set to Success and Failure.

  5. Open a command prompt on the computer you want to audit (or wait for the next Group Policy refresh) and run gpupdate /force. Confirm the result with auditpol /get /category:Logon/Logoff, which should list Logon as Success and Failure.

  6. Open Event Viewer, select the Security log and filter it for Event ID 4625 (An account failed to log on). 4625 is written on the computer that rejected the logon, so look at the member server or workstation reporting the failures. For domain accounts that fail authentication at a domain controller, the DC's Security log records 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation failed) instead; those need 'Audit account logon events' (Failure) in the same Audit Policy folder.

  7. Double-click any event to see where the attempt came from: the Account Name that was tried, the Source Network Address and Workstation Name of the client, the Logon Type, and the Failure Reason with its Status and Sub Status codes (for example Sub Status 0xC000006A for a wrong password, 0xC0000064 for an account that does not exist, 0xC0000234 for an account that is already locked out).
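Clicking through events one at a time does not scale once there are hundreds of them. The following PowerShell script is an added example and is not part of the original KB article; it queries the same Security log the steps above enable, pulls the account, source address and failure reason out of each 4625 event (and out of 4771/4776 on a domain controller, where those are written), and groups the failures by source so the offending host stands out. It assumes an elevated session with read access to the Security log on the target computer; the parameter names and the threshold of 10 failures are choices made for this example.

```powershell
<#
  Added example, not part of the original KB article.
  Summarises failed logons in the Security log by source, so the host behind a
  burst of failures can be found without opening each event in Event Viewer.
  Assumes an elevated PowerShell session with read access to the Security log
  on $ComputerName (the local machine by default).
  4625 needs "Audit logon events" (Failure). 4771 and 4776 are only written on
  domain controllers and need "Audit account logon events" (Failure) as well.
#>
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours     = 24,
    [int]$Threshold = 10     # report any source with at least this many failures
)

$ids   = 4625, 4771, 4776
$since = (Get-Date).AddHours(-$Hours)

# FilterHashtable is evaluated by the event log service, so it is far quicker
# than piping Get-EventLog through Where-Object on a busy server.
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = $since }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No failed-logon events (IDs $($ids -join ',')) on $ComputerName since $since"
    return
}

# NTSTATUS and Kerberos codes seen in the Status / SubStatus fields of these events
$reason = @{
    '0xc000006a' = 'wrong password';        '0xc0000064' = 'user does not exist'
    '0xc0000234' = 'account locked out';    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'outside logon hours';   '0xc0000070' = 'workstation restriction'
    '0xc0000071' = 'password expired';      '0xc0000193' = 'account expired'
    '0x18'       = 'Kerberos pre-auth failed (wrong password)'
    '0x12'       = 'Kerberos client revoked (locked or disabled)'
}

$rows = foreach ($e in $events) {
    # Read EventData by field name from the event XML rather than by position in
    # $e.Properties, because the field order differs between 4625, 4771 and 4776.
    $d = @{}
    foreach ($f in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

    # 4776 is logged for successful validations too; Status 0x0 means success.
    if ($e.Id -eq 4776 -and $d.Status -eq '0x0') { continue }

    $src = ''; $ws = ''; $code = ''
    switch ($e.Id) {
        4625 { $src = $d.IpAddress; $ws = $d.WorkstationName; $code = $d.SubStatus }
        4771 { $src = $d.IpAddress;                           $code = $d.Status }
        4776 { $ws  = $d.Workstation;                         $code = $d.Status }
    }
    $key = "$code".ToLower()

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $d.TargetUserName
        # Prefer the IP address; 4625 writes '-' when it has none, and 4771 prefixes IPv4 with ::ffff:
        Source  = if ($src -and $src -ne '-') { $src -replace '^::ffff:', '' } else { $ws }
        Reason  = if ($reason.ContainsKey($key)) { $reason[$key] } else { $code }
    }
}

# One source against many accounts looks like a password spray; one source against
# one account looks like brute force; many sources against one account is usually a
# stale credential cached on several hosts or services.
$rows | Group-Object Source | Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Source    = $_.Name
            Failures  = $_.Count
            Accounts  = ($_.Group.Account | Sort-Object -Unique) -join ', '
            Reasons   = ($_.Group.Reason  | Sort-Object -Unique) -join '; '
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
        }
    } | Format-Table -AutoSize -Wrap
```

Save it as, say, Find-FailedLogons.ps1 and run it against the machine that is reporting the failures (for a member server, `.\Find-FailedLogons.ps1 -ComputerName SRV01 -Hours 2`). On a domain controller the 4771 and 4776 rows will usually be the ones that identify the client, because 4625 there only covers logons to the DC itself. Lower `-Threshold` to 1 to list every source.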

Conclusion

Regularly reviewing failed logon attempts in the Security event log is necessary for the security and stability of an Active Directory environment. The native tools let you view these events, but filtering Event Viewer by hand is neither proactive nor particularly user-friendly. Many organisations find it makes more sense to deploy an automated solution, such as LepideAuditor Suite – Active Directory, that provides in-depth reporting and real-time alerting.

Author: PeteLong
