I wrote a script that monitors the PDC and logs information in real time
about account lock outs. Works on Windows 2000; haven't tried NT4. When a
user gets locked out I just consult the log.

Dim FSO, File, strLogPath, strComputer, strLine
Set FSO = WScript.CreateObject("Scripting.FileSystemObject")

' Log file to append to, e.g.
' \\condat02\database\lan\logs\account lockouts\LockedOut.log
strLogPath = "UNC Path and file name of where to put log"

' Check and open the same path: append (8) if it exists, otherwise create it
If FSO.FileExists(strLogPath) Then
   Set File = FSO.OpenTextFile(strLogPath, 8)
Else
   Set File = FSO.CreateTextFile(strLogPath)
End If

strComputer = "YourPDCGoesHere"
' The (Security) privilege is required to read the Security event log
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & strComputer & "\root\cimv2")
' Subscribe to new Security log records with event ID 644 (account locked out)
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __instancecreationevent where TargetInstance isa " _
    & "'Win32_NTLogEvent' and TargetInstance.EventCode = '644' ")
strLine = String(103, "-")   ' separator between records
Do
    ' Blocks until the next matching event is written on the PDC
    Set objLatestEvent = colMonitoredEvents.NextEvent
    WScript.Echo "Record No.: " & objLatestEvent.TargetInstance.RecordNumber
    WScript.Echo "Event ID: " & objLatestEvent.TargetInstance.EventCode
    WScript.Echo "Date - Time: " & objLatestEvent.TargetInstance.TimeWritten & Now
    WScript.Echo "Source: " & objLatestEvent.TargetInstance.SourceName
    WScript.Echo "Category: " & objLatestEvent.TargetInstance.CategoryString
    WScript.Echo "Event Type: " & objLatestEvent.TargetInstance.Type
    WScript.Echo "Computer: " & objLatestEvent.TargetInstance.ComputerName
    WScript.Echo "User: " & objLatestEvent.TargetInstance.User
    WScript.Echo "Text: " & objLatestEvent.TargetInstance.Message
    WScript.Echo strLine
    WScript.Echo

    ' Append the same event to the log file
    File.WriteLine "Date - Time: " & Now
    File.WriteLine "Text: " & objLatestEvent.TargetInstance.Message
    File.WriteLine strLine
    File.WriteLine " "
Loop
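
An added example, not part of the original post: a Python summary of the log file the script above writes, counting for each locked-out account which machine names the events report. The sample records are constructed, and the "Target Account Name" / "Caller Machine Name" labels assume the Windows 2000 event 644 message layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of the log the script writes. The field labels follow the
# Windows 2000 event 644 message text; that layout is an assumption here.
SAMPLE_LOG = """\
Date - Time: 2/25/2003 8:12:41 AM
Text: User Account Locked Out:
\tTarget Account Name:\tjsmith
\tCaller Machine Name:\tWKSTN-014
--------------------------------------------------

Date - Time: 2/25/2003 10:47:03 AM
Text: User Account Locked Out:
\tTarget Account Name:\tjsmith
\tCaller Machine Name:\tTS-02
--------------------------------------------------

Date - Time: 2/25/2003 1:15:30 PM
Text: User Account Locked Out:
\tTarget Account Name:\tJSmith
\tCaller Machine Name:\tts-02
--------------------------------------------------
"""

# "Label: value" lines; the optional prefix skips the script's own "Text: " tag.
FIELD = re.compile(r"^\s*(?:Text:\s*)?([A-Za-z -]+?):[ \t]*(.*)$")

def parse_lockouts(log_text):
    """Split the log on its dashed separator lines; return one dict per event."""
    records = []
    for chunk in re.split(r"^-{10,}\s*$", log_text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Target Account Name" in fields:
            records.append(fields)
    return records

def sources_by_account(records):
    """Per locked-out account, count the caller machines named in the events."""
    summary = defaultdict(Counter)
    for rec in records:
        account = rec["Target Account Name"].lower()
        summary[account][rec.get("Caller Machine Name", "unknown").upper()] += 1
    return summary
```

Feed parse_lockouts the contents of the real log file instead of SAMPLE_LOG; a machine name that keeps recurring and is not the user's own desk PC is the first place to look.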


-----Original Message-----
From: Turner, Robert D. Jr [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 26, 2003 10:38 AM
To: NT 2000 Discussions
Subject: RE: Account lock outs


I believe if you search security log for the event 644 on DCs you will find
out where the domain account is being locked out from.  Works for us.

Bob

-----Original Message-----
From: Malcolm Reitz [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 26, 2003 11:03 AM
To: NT 2000 Discussions
Subject: RE: Account lock outs

The easiest way is to ask the user :)

You can also use various tools, such as PSLOGGEDON from www.sysinternals.com
to search for the user's ID coming from another PC.

Malcolm
-----Original Message-----
From: Kim Schotanus [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 25, 2003 8:40 AM
To: NT 2000 Discussions
Subject: RE: Account lock outs

How can you check that, Malcolm?


-----Original Message-----
From: Malcolm Reitz [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 25, 2003 15:38
To: NT 2000 Discussions
Subject: RE: Account lock outs


Have you confirmed that the user is not logged on to another computer
besides the one at her desk?

Malcolm
-----Original Message-----
From: Johnny [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 25, 2003 8:34 AM
To: NT 2000 Discussions
Subject: Account lock outs

Hi,

I have an account in a domain that keeps getting locked out every couple of
hours.  The group policy for the domain says lock out the account after 5
failed logon attempts.  Of course this person is just sitting at her desk.
In her event logs I noticed that routinely she gets the message security
settings in the group policy object applied successfully (paraphrasing
there).  I'm not sure if it is after the application of this policy that she
gets locked out.  For testing, I bumped up the failed login attempts to 20
and she wasn't locked out this morning.

Is there anything else aside from failed login attempts that can lock out an
account?  Is this a strong indicator that someone might be trying to figure
out her password or is that just paranoia talking?  It only started
happening this past week.

Any help would be appreciated.

Thanks,

John

------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to %%email.unsub%%
