AR15.COM
2/13/2013 11:53:44 AM EDT
What are you guys using to troubleshoot account lockouts in your domains?

I used to use Symantec Security Information Manager (SSIM), but our server running it has shit the bed and is out of warranty. Need something somewhat helpful in isolating the source client locking the account.

I don't have time to comb through 10 DCs reading security logs in a .NET platform with over 1000 logins in one hour... so ideally something free that would parse the event data and store it in a table or report for review.

Any advice?
2/13/2013 1:16:08 PM EDT
[#2]
Use the eventcomb tool in this download.
2/13/2013 1:17:39 PM EDT
[#3]
I use the account lockout status tool to determine what DC locked it and the exact timestamp.

After that you can use Eventcomb or just manually check the security log on that DC for that timestamp.
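
The lookup described in the posts above, collected across every DC into one table, as an added example that is not part of any poster's reply. It assumes DCs on Windows Server 2008 or later (where a lockout is Security event ID 4740, an ID the thread does not mention), PowerShell 3.0 or later, and the ActiveDirectory module; the output file name is a placeholder.

```powershell
# Added example: gather account lockout events from all DCs for the last hour.
# Assumption: lockouts are logged as Security event ID 4740 (Server 2008+).
Import-Module ActiveDirectory

$since  = (Get-Date).AddHours(-1)
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = $since }

$lockouts = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent errors when nothing matches; this also covers unreachable DCs.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Read the named EventData fields instead of relying on property order.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            DC            = $dc.HostName
            LockedAccount = $data['TargetUserName']
            # Event 4740 stores the caller computer name in TargetDomainName.
            SourceClient  = $data['TargetDomainName']
        }
    }
}

# Full table for review (placeholder path).
$lockouts | Sort-Object TimeCreated |
    Export-Csv -Path .\lockouts.csv -NoTypeInformation

# Which client is locking which account most often.
$lockouts | Group-Object LockedAccount, SourceClient |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Reading the Security log remotely requires rights on each DC, and lockout events only exist where account management auditing is enabled.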
2/13/2013 1:22:01 PM EDT
[#4]
Actual sysadmins would be on UNIX.  You guys are just messing with the Solitaire playing machine.

;)
2/13/2013 1:22:56 PM EDT
[#5]
thanks
2/13/2013 1:25:47 PM EDT
[#6]
Quoted:
Actual sysadmins would be on UNIX.  You guys are just messing with the Solitaire playing machine.

;)