Steps taken to discover the source of an account lockout

* Microsoft Network Monitor with an authentication filter, to capture pre-authentication failures (in Program Files)
* EventCombMT to parse the security logs (success and failure) on the domain controller for event IDs 644, 675, 4771 and 4625, which revealed the pre-authentication failures and the source machine (logs stored in c:\temp, app in desktop\lockout)
* LockoutStatus to unlock the account (located in desktop\lockout)

Used the above to track the lockouts to a server. Temporarily disabled Kerberos pre-authentication until we can work out what on the server is causing the lockouts.
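A scripted version of the log-parsing step, as an added example that is not part of the original post: it takes event 4771 records as XML, keeps the bad-password failures (status 0x18, KDC_ERR_PREAUTH_FAILED) and counts them per account and source address. The function names, account names and addresses are constructed for illustration.

```powershell
# Build a constructed 4771 event (Kerberos pre-authentication failed) for the demo.
# Real input would come from the domain controller, for example:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} | ForEach-Object { $_.ToXml() }
function New-SampleEvent($User, $Ip, $Status) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="Status">$Status</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

# Hypothetical helper: count bad-password pre-auth failures per account and source.
function Get-PreAuthFailureSource {
    param([Parameter(Mandatory)][string[]]$EventXml)

    $EventXml | ForEach-Object {
        $evt = ([xml]$_).Event
        if ([int]$evt.System.EventID -ne 4771) { return }   # skip other event IDs

        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

        # 0x18 = wrong password; other codes (e.g. 0x12, account disabled or locked) are skipped.
        if ($data['Status'] -ne '0x18') { return }

        [pscustomobject]@{
            Account = $data['TargetUserName']
            # 4771 records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
            Source  = $data['IpAddress'] -replace '^::ffff:', ''
        }
    } | Group-Object Account, Source | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample data: one server repeatedly failing for a service account.
$events = @(
    New-SampleEvent 'svc-app' '::ffff:10.0.0.25' '0x18'
    New-SampleEvent 'svc-app' '::ffff:10.0.0.25' '0x18'
    New-SampleEvent 'svc-app' '::ffff:10.0.0.25' '0x18'
    New-SampleEvent 'jdoe'    '::ffff:10.0.0.41' '0x18'
    New-SampleEvent 'jdoe'    '::ffff:10.0.0.41' '0x12'
)
Get-PreAuthFailureSource -EventXml $events
```

The top row is the account and source address generating the most failures, which is the machine to investigate.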

