The world's most trusted forum on Active Directory Security
We're in a bit of a fix here, as we've noticed what appears to be some password guessing activity going on in our environment. We're not sure if it's our folks legitimately forgetting their passwords, or if it's some virus or tool that's trying logon attempts against some of our DCs.
So we're trying to put together a list of all domain accounts that failed a logon attempt in the last 24 hours. I know this conceptually sounds not very difficult, but we're not sure how to get this info.
Any ideas as to how one could easily get a list of all such domain accounts, i.e. ones who may have failed a logon attempt in the last 24 hours?
My little dot on the web - Auditing Security in the Active Directory
Nice avatar - I can't wait till Friday myself
Hey, I think what you need to do is view the badPasswordTime attribute of all domain user accounts on all domain controllers in the domain, then compare them to get the latest values, and finally see which of them had a failed logon in the last 24 hours.
You need to get these values from all DCs because this attribute is unfortunately not replicated.
Here's quoting Microsoft as well -
The badPasswordTime value stores the last time that the user, computer, or service account submitted a password that did not match the password on the authenticating domain controller. This property is stored locally on each domain controller that is in the domain. A value of 0 means that the last incorrect password time is unknown. For an accurate value for the user's last incorrect password time in the domain, you must query each domain controller that is in the domain; the largest one is the accurate value.
So, just a matter of binding to each DC, getting the badPasswordTime attribute for each user account, then comparing all the values for each user to see which ones had a failed logon attempt in the last 24 hours.
Wherever you go and whatever you do, may the luck of the Irish be there with you.
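The procedure described in the reply above (ask every DC, keep the newest badPasswordTime per user, filter to the last 24 hours), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read user attributes on every domain controller; the 24-hour window and the badPwdCount column are my additions, the latter because a high per-DC failure count helps separate guessing from a user who mistyped once.

```powershell
# Added example (not from the original thread): collect the newest badPasswordTime
# per user across every domain controller and report those within the last 24 hours.
# Assumes the ActiveDirectory RSAT module and read rights on user objects on each DC.
Import-Module ActiveDirectory

$window = (Get-Date).AddHours(-24)
$latest = @{}    # samAccountName -> object holding the newest value seen so far
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    try {
        # badPasswordTime and badPwdCount are not replicated, so each DC must be asked directly.
        $users = Get-ADUser -Filter * -Server $dc -Properties badPasswordTime, badPwdCount -ErrorAction Stop
    } catch {
        Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        # 0 / null means this DC has never seen a bad password for the account.
        if (-not $u.badPasswordTime -or $u.badPasswordTime -eq 0) { continue }
        $t = [DateTime]::FromFileTime($u.badPasswordTime)   # FILETIME -> local DateTime
        $name = $u.SamAccountName
        if (-not $latest.ContainsKey($name) -or $t -gt $latest[$name].LastBadPassword) {
            $latest[$name] = [pscustomobject]@{
                SamAccountName  = $name
                LastBadPassword = $t
                BadPwdCount     = $u.badPwdCount
                ReportedBy      = $dc
            }
        }
    }
}

# Accounts with at least one failed password attempt in the window, newest first.
$latest.Values |
    Where-Object { $_.LastBadPassword -ge $window } |
    Sort-Object LastBadPassword -Descending |
    Format-Table SamAccountName, LastBadPassword, BadPwdCount, ReportedBy -AutoSize
```

Two caveats for anyone using this. A DC that is offline is skipped with a warning, so its accounts may be missing from the list; rerun when it is back. And the attribute only tells you who failed and when, not from where; to tell a guessing tool apart from forgetful users, follow up in the Security log of the DC named in ReportedBy (events 4625, 4771 and 4776 carry the source workstation or address).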
Ah, I see, it's just a matter of...
binding to each DC, getting the badPasswordTime attribute for each user account, then comparing all the values for each user to see which ones had a failed logon attempt in the last 24 hours
... is it? So simple yeah?! I could do it while enjoying my Corona, yeah?
Come on man, you've got to give me something better than that! I'm not about to sit down and script this myself. I'm sure there are some easier ways to do this.
So, impress me with something I can offer you my beer for. No, just a matter of breaking my head on something so tedious and intensive.
I was going to point you to some free tools that you could use to get a list of all domain accounts that failed a logon attempt in the last 24 hours, but since you've asked me to impress you, I'd suggest you check this tool out. (If this doesn't impress you, I don't know what will.)
The quickest way I know of to get a list of all domain accounts that failed a logon attempt in the last 24 hours is to use report #11 of the Security Audit Reports capability of this tool. All you need to do is touch a button, and within seconds you'll have your answer!
Now, where's my beer mate?