Had this problem again today, and in the search for relevant event IDs found a set of Microsoft Tools from 2003 that I can’t believe I’ve not come across earlier.
Download here: Microsoft Account Lockout and Management Tools
The important tools to me,
- LockoutStatus.exe – simply File->Select target, enter short login name. It queries for all DCs – then checks status on all.
- Ok, that would then allow me to grep… err, filter the security event log on the locked DC for what machine made the invalid login request and caused the lockout. But THREE log files… Meh. So we fire up the next tool – EventCombMT.exe Again, what are the event IDs… back to Goog… err, wait – Searchs->Built in Searches –> Account Lockouts
- well not-so-fast, three-digit EventIDs are Sooooo WindowsXP/2003. Back to the Googles after-all. So enter EventID 4740, click Search and you are golden. (in my example below – I’m only searching ITS-DC1 since LockoutStatus shows the last BadPwd was on my PDC Emulator)
- You get two output files in temp, EventCombMT.txt and the more interesting %DCNAME%-Security_LOG.txt – the file gives you the dope you want in columns: Caller Computer Name (NetBIOS name of workstation that entered the final bad password attempt), and of course time, date, and Account Name .