How to track the source of failed logon attempts in Active Directory

KB ID 0001209 

Problem

A large number of failed logon attempts within a short period can indicate a security threat, so organizations need a pro-active way of auditing and monitoring when this happens. There are several ways to perform this audit; one of them is to use the native Windows tools. The steps below show how to do it when required:

Solution

  1. Run gpmc.msc to configure the Group Policy audit settings.

  2. Edit the domain’s Default Domain Policy in the Group Policy Management Editor.

  3. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy and double-click ‘Audit logon events’.

  4. In the Audit logon events properties, select the Security Policy Setting tab and select Success.

  5. Open a command prompt and run gpupdate /force to update Group Policy.

  6. To find the failed logon events, filter the Security event log for Event ID 4625.

  7. Double-click any event to see the details of the source from which the failed logon attempts were made.
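Step 7 answers the "where is this coming from" question one event at a time; the following script, added here as an example and not part of the original KB article, pulls every 4625 event from the Security log and groups it by target account and source. It assumes an elevated PowerShell session on the domain controller (or Event Log Readers rights), and $Hours is a constructed lookback window.

```powershell
# Added example (not from the KB article): summarise Event ID 4625 by account and source.
# Assumes an elevated session on the DC; $Hours is a constructed lookback window.
$Hours        = 24
$ComputerName = $env:COMPUTERNAME

# 4625 is a failure audit: it is only written when logon auditing records failures.
$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named fields out of the event's EventData XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        Workstation = $d.WorkstationName   # name the client supplied (may be blank)
        SourceIP    = $d.IpAddress         # '-' for local attempts
        LogonType   = $d.LogonType         # 2 interactive, 3 network, 4 batch, 5 service, 10 RDP
        SubStatus   = $d.SubStatus         # 0xC000006A bad password, 0xC0000064 no such user, 0xC0000234 locked out
        Process     = $d.ProcessName       # caller process on the logging host ('-' for most network logons)
    }
}

# Most frequent (account, source) pairs first. Many identical SubStatus values from one
# source at a steady interval usually point at a stored stale credential, not a person.
$rows |
    Group-Object Account, SourceIP, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account';     e = { $_.Group[0].Account } },
        @{ n = 'SourceIP';    e = { $_.Group[0].SourceIP } },
        @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
        @{ n = 'LogonTypes';  e = { ($_.Group.LogonType | Sort-Object -Unique) -join ',' } },
        @{ n = 'SubStatus';   e = { ($_.Group.SubStatus  | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

The LogonType and SubStatus columns narrow down what on the source machine is retrying the credential (a scheduled task or service is logon type 4 or 5, a mapped drive or RDP session is 3 or 10).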

Conclusion

Regularly auditing failed logon attempts by monitoring your Security event logs is necessary for the security and stability of Active Directory environments. Native tools let you view these Security event logs, but they are not the most pro-active or user-friendly method. Many organizations find it makes more sense to deploy an automated solution, like LepideAuditor Suite – Active Directory, that provides in-depth reporting and real-time alerting.

Author: PeteLong


5 Comments

  1. Hmm… This gives you the origin of the logon attempt but does not give you the source. In my case, I know what machine the logon attempts are coming from but I cannot determine the source of those logon attempts.

    There are no NT services running with those credentials. No tasks in Task Scheduler. SQL Agent doesn’t run on this machine so it isn’t an MSSQLSRVR task. I’ve scoured the registry for the account name in question and nothing turns up; I have not yet searched by SID. I deleted the user’s profile from the machine via System Properties | User Profiles. And yet these failed logon attempts persist and I can find nothing in the Event Log that provides me any additional detail other than the machine where these attempts originate from.

    • In my case the network information doesn’t show up in the Event Viewer.

    • Hello Andrew, did you ever find the source of the failed logon attempts?

      I am troubleshooting a similar issue. I know the source system of the failed network logon attempts, but can find nothing on the source system that’s using the bad credentials.

  2. Me three! Spent 3 hours trying to kill it.

  3. What if you have an account getting locked out every 30-60 seconds and the DC doesn’t show any failed login attempts? Auditing is turned on, and I’ve never had a problem tracking down failed logins before.
