ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to get a list of all domain accounts that failed a logon attempt in the last 24 hours?
CF


Member

Posts: 8
Date: May 24, 2012
How to get a list of all domain accounts that failed a logon attempt in the last 24 hours?


Fellas,

We're in a bit of a fix here, as we've noticed what appears to be some password guessing activity going on in our environment. We're not sure if it's our folks legitimately forgetting their passwords, or if it's some virus or tool that's trying logon attempts against some of our DCs.

So we're trying to put together a list of all domain accounts that failed a logon attempt in the last 24 hours. I know this conceptually sounds not very difficult, but we're not sure how to get this info.

Any ideas as to how one could easily get a list of all such domain accounts, i.e. ones who may have failed a logon attempt in the last 24 hours?

Thanks.

-CF



__________________

My little dot on the web - Auditing Security in the Active Directory

 



Member

Posts: 21
Date: Jun 27, 2012
RE: How to get a list of all domain accounts that failed a logon attempt in the last 24 hours?


Hi CF,

Nice avatar - I can't wait till Friday myself

Hey, I think what you need to do is view the badPasswordTime attribute of all domain user accounts on all domain controllers in the domain, then compare them to get the latest values, and finally see which of them had a failed logon in the last 24 hours.

You need to get these values from all DCs because this attribute is unfortunately not replicated.

Here's quoting Microsoft as well - 

The badPasswordTime value stores the last time that the user, computer, or service account submitted a password that did not match the password on the authenticating domain controller. This property is stored locally on each domain controller that is in the domain. A value of 0 means that the last incorrect password time is unknown. For an accurate value for the user's last incorrect password time in the domain, you must query each domain controller that is in the domain; the largest one is the accurate value.

So, just a matter of binding to each DC, getting the badPasswordTime attribute for each user account, then comparing all the values for each user to see which ones had a failed logon attempt in the last 24 hours.

Cheers,

Geoffrey



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.
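
The per-DC query described in the post above, as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read user objects on every domain controller; variable and column names are illustrative, and it covers user objects only.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# badPasswordTime is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
$cutoff  = (Get-Date).ToUniversalTime().AddHours(-24).ToFileTimeUtc()
$latest  = @{}   # distinguishedName -> newest failure seen on any DC
$skipped = @()   # DCs that could not be queried

foreach ($dc in Get-ADDomainController -Filter *) {
    $query = @{
        Server      = $dc.HostName
        # The attribute is not replicated, so each DC only knows its own value.
        # A value of 0 (unknown) never matches this filter.
        LDAPFilter  = "(badPasswordTime>=$cutoff)"
        Properties  = 'badPasswordTime'
        ErrorAction = 'Stop'
    }
    try { $users = Get-ADUser @query }
    catch {
        Write-Warning "Skipping $($dc.HostName): $($_.Exception.Message)"
        $skipped += $dc.HostName
        continue
    }
    foreach ($u in $users) {
        $seen = $latest[$u.DistinguishedName]
        # Keep the largest value across DCs; that is the accurate one.
        if (-not $seen -or $u.badPasswordTime -gt $seen.FileTime) {
            $latest[$u.DistinguishedName] = [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                LastFailureUtc = [DateTime]::FromFileTimeUtc($u.badPasswordTime)
                ReportedByDC   = $dc.HostName
                FileTime       = $u.badPasswordTime
            }
        }
    }
}

$latest.Values | Sort-Object FileTime -Descending |
    Select-Object SamAccountName, LastFailureUtc, ReportedByDC

# A DC that was skipped may hold the only record of a failure.
if ($skipped) { Write-Warning "Incomplete: no data from $($skipped -join ', ')" }
```

The ReportedByDC column names the domain controller that recorded each account's most recent failure, which is where to look next in the Security event log.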

CF


Member

Posts: 8
Date: Jun 29, 2012
RE: How to get a list of all domain accounts that failed a logon attempt in the last 24 hours?


Geoffrey,

Ah, I see, it's just a matter of...

binding to each DC, getting the badPasswordTime attribute for each user account, then comparing all the values for each user to see which ones had a failed logon attempt in the last 24 hours

... is it? So simple yeah?! I could do it while enjoying my Corona, yeah?

Come on man, you've got to give me something better than that! I'm not about to sit down and script this myself. I'm sure there are some easier ways to do this.

So, impress me with something I can offer you my beer for. No, just a matter of breaking my head on something so tedious and intensive.

Thanks man!

CF

 



__________________

My little dot on the web - Auditing Security in the Active Directory

 



Member

Posts: 21
Date: Jan 18, 2013
How to get a list of all domain accounts that failed a logon attempt in the last 24 hours?


CF,

I was going to point you to some free tools that you could use to get a list of all domain accounts that failed a logon attempt in the last 24 hours, but since you've asked me to impress you, I'd suggest you check this tool out. (If this doesn't impress you, I don't know what will.)

The quickest way I know of to get a list of all domain accounts that failed a logon attempt in the last 24 hours is to use report #11 of the Security Audit Reports capability of this tool. All you need to do is touch a button, and within seconds you'll have your answer!

Now, where's my beer mate?

- Geoffrey.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.
