It's my understanding that 4625 is logged on the client machine, not the DC. I would suggest monitoring the domain controllers; 4771 or 4768 are correct for this type of logon activity. It should list the information you are looking for.
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4768
http://forum.ultimatewindowssecurity.com/Topic473-279-1.aspx

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
The Guardian Life Insurance Company of America
www.guardianlife.com

From: James Rankin <[email protected]>
To: [email protected]
Date: 05/09/2013 04:55 AM
Subject: Re: [NTSysADM] Non-admin login alert
Sent by: [email protected]

Is this on 2008 R2 or Windows 7? Shouldn't the event ID you're looking for be 4625 (an account failed to log on) rather than 4771 (Kerberos pre-authentication failed)? However, it is not going to tell you "who" attempted to log in under the admin account; after all, how can it? The Network Information field for event ID 4625, though, should tell you where the logon attempt originated from, which is as close as you can get.

Here is an example of 4625:

An account failed to log on.

Subject:
    Security ID:    NULL SID
    Account Name:   -
    Account Domain: -
    Logon ID:       0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID:    NULL SID
    Account Name:   asdf
    Account Domain:

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc0000064

Process Information:
    Caller Process ID:   0x0
    Caller Process Name: -

Network Information:
    Workstation Name:       WIN-R9H529RIO4Y
    Source Network Address: 10.42.42.201
    Source Port:            53176

Detailed Authentication Information:
    Logon Process:            NtLmSsp
    Authentication Package:   NTLM
    Transited Services:       -
    Package Name (NTLM only): -
    Key Length:               0

You could use a command-line tool like dumpel to help with this, but PowerShell should allow you to parse event logs quite easily and pull out the required information.
Cheers,

JR

On 9 May 2013 09:36, Liby Philip Mathew <[email protected]> wrote:

Hi kz,

Thank you for your quick response. “Audit account logon events” for failure is enabled and it is logging the event 4771. But I cannot find who attempted the login. It mentions only the IP, which cannot be taken for granted as the IPs are from DHCP. Are you aware of any scripts which I can use?

From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Thursday, May 09, 2013 09:48
To: [email protected]
Subject: Re: [NTSysADM] Non-admin login alert

Audit the events on the DC or the file share, and then use a script or piece of software to generate a report on a daily/weekly basis?

Sent from my Blackberry, which may be an antique but delivers email RELIABLY

From: Liby Philip Mathew <[email protected]>
Sender: [email protected]
Date: Thu, 9 May 2013 06:42:15 +0000
To: [email protected]
ReplyTo: [email protected]
Subject: [NTSysADM] Non-admin login alert

Hi,

Is there a way to get alerted when a normal user tries to log in to a domain or access file server resources with the domain\administrator account?
--
James Rankin
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk
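The thread suggests pulling 4768/4771 from the domain controllers (or 4625 where NTLM is in play) and parsing them with PowerShell, but nobody posted a script. The following is an added example, not code from any of the posters. It assumes it runs on a domain controller, that the watched account is the built-in Administrator, that success as well as failure auditing of the Account Logon category is on (4768 success events are needed for the correlation; the thread only enables failure), and that the "who" column is a heuristic: the most recent other account that obtained a TGT from the same source address before the admin-account event. The field names (TargetUserName, IpAddress, WorkstationName, Status) are the EventData names Windows uses in the XML of these events; the ::ffff: prefix handling reflects how Kerberos events record IPv4 clients.

```powershell
# Added example for the thread above; not code from the original posters.
# Run on a DC. Assumptions: built-in 'Administrator' is the watched account,
# 24 h lookback, and LikelyUser is a heuristic guess, not something the
# events themselves state.
[CmdletBinding()]
param(
    [string]$TargetUser = 'Administrator',
    [int]$Hours = 24
)

function Get-EventDataValue {
    # Pull one named <Data Name="..."> field out of the event's XML body.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($null -ne $node) { $node.'#text' }
}

function Get-SourceAddress {
    # Kerberos events (4768/4771) record an IPv4 client as ::ffff:10.42.42.201;
    # normalise so it compares equal to the plain IPv4 form seen in 4625.
    param([string]$Raw)
    if ([string]::IsNullOrEmpty($Raw)) { return '-' }
    if ($Raw -match '^::ffff:(\d+\.\d+\.\d+\.\d+)$') { $Matches[1] } else { $Raw }
}

$since = (Get-Date).AddHours(-$Hours)

# 4768 = TGT requested, 4771 = Kerberos pre-auth failed, 4625 = logon failed
# (NTLM or local). Oldest first so the correlation below can look "back".
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4768, 4771, 4625; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# Index every TGT request by source address: which accounts authenticated
# from this IP, and when.
$tgtsByIp = @{}
foreach ($e in $events | Where-Object Id -eq 4768) {
    $ip   = Get-SourceAddress (Get-EventDataValue $e 'IpAddress')
    $user = (Get-EventDataValue $e 'TargetUserName') -replace '@.*$', ''
    if (-not $tgtsByIp.ContainsKey($ip)) { $tgtsByIp[$ip] = @() }
    $tgtsByIp[$ip] += [pscustomobject]@{ Time = $e.TimeCreated; User = $user }
}

$alerts = foreach ($e in $events) {
    $user = (Get-EventDataValue $e 'TargetUserName') -replace '@.*$', ''
    if ($user -ne $TargetUser) { continue }

    $ip = Get-SourceAddress (Get-EventDataValue $e 'IpAddress')

    # Heuristic: the most recent *other* account that got a TGT from the same
    # address before this event is probably the person sitting at that machine.
    # DHCP churn, NAT and shared jump hosts can make this wrong: treat it as a
    # lead to follow up on the workstation, not as evidence.
    $likelyUser = $tgtsByIp[$ip] |
        Where-Object { $_.User -ne $TargetUser -and $_.Time -le $e.TimeCreated } |
        Sort-Object Time -Descending |
        Select-Object -First 1 -ExpandProperty User

    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Account     = $user
        SourceIp    = $ip
        Workstation = Get-EventDataValue $e 'WorkstationName'   # present on 4625 only
        Status      = Get-EventDataValue $e 'Status'            # 0x0 = success (4768)
        LikelyUser  = $likelyUser
    }
}

$alerts | Format-Table -AutoSize
```

Save it as a .ps1 and run it from an elevated prompt on each DC (for example `.\Find-AdminUse.ps1 -Hours 48`); a scheduled task that pipes `$alerts` to Send-MailMessage gives the daily report kz suggested. Because DHCP leases move, the SourceIp alone is weak, which is why the script also records the 4625 WorkstationName where available and the LikelyUser guess; confirm either against the DHCP lease log or the workstation's own 4624 events before acting on it.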

