Active Directory

Track the Source of Failed Logon Attempts in Active Directory

 

If you start getting large number of failed login attempts then it could be an indication of a security thread. Here we will see the steps to troubleshoot this issue.

Step 1: First you have to run gpmc.msc to Configure Group Policy Audit Settings

 

Step 2: Then you have to edit domain’s Default Domain Policy which is in the Group Policy Management Editor.

 

Step 3: Now you have to expand computer configuration->Windows Settings->Security Settings -> Local Policies -> Audit Policy and then double-click ‘Audit logon events’.

 

Step 4: After that in the Audit logon event properties, you have to select the Security Policy Setting tab and select Success.

 

Step 5: Now open command prompt and then run the command gpupdate/force to update Group Policy.

 

Step 6: To get in detailed about the failed logon events, filter the Security Event Log for Event ID 4625.

Step 7: Now double-click on the event to see details of the source from where the failed logon attempts were made.

 

Windows Event ID 4625: An account failed to log on

From security point of view we can say that this is a useful event because it documents each and every failed attempt to logon to the local computer apart from this logon type, location and type of account.

Get in detailed here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

For more information, please refer to the following links:

How to Troubleshoot Account Lockout in Active Directory:
http://expert-advice.org/active-directory/how-to-troubleshoot-account-lockout-in-active-directory/

Common Causes for Account Lockouts – Resolution and Troubleshooting Steps:
http://expert-advice.org/active-directory/common-causes-for-account-lockouts-resolution-and-troubleshooting-steps/

Leave a Reply

Your email address will not be published. Required fields are marked *