Is this on 2008 R2 or Windows 7? Shouldn't the event id you're looking for
be 4625 (an account failed to log on) rather than 4771 (Kerberos
pre-authentication failed)?

However, it is not going to tell you "who" attempted to log in under the
admin account - after all, how can it? The Network Information field for
event id 4625, though, should tell you where the logon attempt originated
from, which is as close as you can get.

Here is an example of 4625:

An account failed to log on.

Subject:
   Security ID:  NULL SID
   Account Name:  -
   Account Domain:  -
   Logon ID:  0x0
Logon Type:  3
Account For Which Logon Failed:
   Security ID:  NULL SID
   Account Name:  asdf
   Account Domain:
Failure Information:
   Failure Reason:  Unknown user name or bad password.
   Status:   0xc000006d
   Sub Status:  0xc0000064
Process Information:
   Caller Process ID: 0x0
   Caller Process Name: -
Network Information:
   Workstation Name: WIN-R9H529RIO4Y
   Source Network Address: 10.42.42.201
   Source Port:  53176
Detailed Authentication Information:
   Logon Process:  NtLmSsp
   Authentication Package: NTLM
   Transited Services: -
   Package Name (NTLM only): -
   Key Length:  0

You could use a command-line tool like dumpel to help with this, but
PowerShell should allow you to parse event logs quite easily and pull out
the required information.

Cheers,

JR
On 9 May 2013 09:36, Liby Philip Mathew <[email protected]> wrote:

> Hi kz,
>
> Thank you for your quick response.
>
> “Audit account logon events” for failure is enabled and it is logging the
> event 4771.  But, I cannot find who attempted the login.  It mentions only
> the IP which cannot be taken for granted as the IPs are from DHCP.  Are
> you aware of any scripts which I can use?
>
> From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Thursday, May 09, 2013 09:48
> To: [email protected]
> Subject: Re: [NTSysADM] Non-admin login alert
>
> Audit the events on the DC or the file share, and then use a script or
> piece of software to generate a report on a daily/weekly basis?
>
> Sent from my Blackberry, which may be an antique but delivers email
> RELIABLY
> ------------------------------
>
> From: Liby Philip Mathew <[email protected]>
> Sender: [email protected]
> Date: Thu, 9 May 2013 06:42:15 +0000
> To: [email protected]<[email protected]>
> ReplyTo: [email protected]
> Subject: [NTSysADM] Non-admin login alert
>
> Hi,
>
> Is there a way to get alerted when a normal user tries to log in to a
> domain or access file server resources with the domain\administrator account?
>



-- 
*James Rankin*
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk
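As an added example that is not part of the thread, this is the kind of PowerShell report JR refers to: it pulls 4625 (member server/file share) and 4771 (DC) events for a given account and lists the Network Information fields, which is as close to "who" as these events get. The function name, the default account name and the 24-hour window are assumptions; it needs PowerShell 2.0 or later and read access to the Security log.

```powershell
# Added example, not code from the original thread.
# Reports failed logon attempts against one account, with the originating
# host/IP taken from the event's Network Information fields.
function Get-FailedLogonSource {
    param(
        [string]$Account  = 'Administrator',       # assumed target account
        [int]$Hours       = 24,                    # assumed look-back window
        [string]$Computer = $env:COMPUTERNAME      # DC for 4771, file server for 4625
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4625, 4771
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields from the event XML; 4625 and 4771
        # carry slightly different field sets, so look each one up by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only the account we are watching (comparison is case-insensitive).
        if ($data['TargetUserName'] -ne $Account) { return }

        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            Account     = $data['TargetUserName']
            Domain      = $data['TargetDomainName']   # 4625 only
            Workstation = $data['WorkstationName']    # 4625 only; name supplied by the client
            SourceIP    = $data['IpAddress']
            LogonType   = $data['LogonType']          # 4625 only
            Status      = $data['Status']
            SubStatus   = $data['SubStatus']          # 4625 only
        }
    } | Sort-Object Time
}

# Usage: run on the DC for 4771, on the file server for 4625.
Get-FailedLogonSource -Account 'Administrator' -Hours 24 |
    Format-Table Time, EventId, Account, Domain, SourceIP, Workstation, LogonType, Status -AutoSize
```

Because the source IP is DHCP-assigned, keep the WorkstationName column (4625 only) and the event time together so the address can be matched against the DHCP lease at that moment rather than whatever host holds it now.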
