How to find the source of failed logon attempts

Logon events are among the most important events to monitor in Active Directory. Logon events help detect security risks in several ways. For example, an employee who logs on from their workstation long after business hours could be a potential insider threat.

Even a failed logon can be a sign of a security threat. A user who failed to log on could simply have forgotten their password, but the attempt could also be someone trying to break into a legitimate user account. In such cases it becomes important to trace the source of the logon attempt. This can be done in native AD using Audit Policy and Event Viewer; ADAudit Plus offers a simpler route. ADAudit Plus, an Active Directory auditing and reporting tool, has 200+ pre-packaged audit reports, and logon failures is one of them. A few clicks give you detailed reports on all the important Active Directory events.

Here is a comparison of how to find the source of failed logon attempts in native AD and with ADAudit Plus.


This is how ADAudit Plus can help you find the source of failed logon attempts

  • Step 1: Enable the 'Audit logon events' policy in Active Directory, with failure auditing turned on.
  • Step 2: Launch ADAudit Plus
  • Open the Reports tab, navigate to User Logon Reports and click Logon Failures.

    This generates a detailed report that includes the source IP address, logon time, domain controller and the reason for the failed logon. The report helps the administrator decide whether a failed logon should be treated as a security threat.

Here is how you can find the source of failed logon attempts in native AD.

  • Step 1: Enable the 'Audit logon events' policy
  • Open 'Server Manager' on your Windows server.

  • Under 'Manage', select 'Group Policy Management' to open the 'Group Policy Management Console'.

  • Navigate to Forest > Domains > your domain > Domain Controllers.

  • Either create a new Group Policy Object linked to the Domain Controllers OU or edit an existing one (for example, the Default Domain Controllers Policy).

  • In the Group Policy editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

  • Under Audit Policy, open 'Audit logon events' and enable auditing for 'Failure'. Two caveats: a GPO linked to the Domain Controllers OU applies only to domain controllers, and a failed-logon event is written on the computer where the logon was attempted, so to capture failures on member servers and workstations the setting must reach those machines too (link the GPO higher, or use a separate one). If Advanced Audit Policy Configuration is in use on the target machines, its subcategories override this legacy setting by default, and the equivalent is Logon/Logoff > Audit Logon (Failure); to see failed domain-account authentications at the domain controller regardless of which machine they targeted, also enable failure auditing for 'Audit account logon events'.

  • Step 2: Use Event Viewer to find the source of failed logon events

    Once the policy has applied, the Security log on each computer it covers records an event every time a logon attempt fails. Look for event ID 4625, 'An account failed to log on'. On a domain controller, failed authentications of domain accounts also show up as event ID 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation failed) when account logon auditing is enabled.

    Open Event Viewer on the domain controller (or on whichever machine received the attempt) and navigate to Windows Logs > Security. The center pane lists every audited event, so rather than scrolling through all of them, use 'Filter Current Log' and enter 4625 in the Event IDs field. Select an event and look at the General tab or the Details tab: the 'Network Information' section gives the Source Network Address and Source Port of the device the logon was attempted from, 'Logon Type' shows how it was attempted (for example 3 for network, 10 for Remote Desktop), and 'Failure Information' gives the Status and Sub Status codes that explain why it failed (for example 0xC000006A for a wrong password, 0xC0000064 for a non-existent user name, 0xC0000234 for a locked-out account). Note that Source Network Address is '-' or a loopback address for logons attempted at the console of the machine itself.
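Scrolling through the Security log works for a handful of events but not for the hundreds a single password spray produces. The script below, an added example written for this page and not code from the original article or from ManageEngine, queries the Security log for failed logons (4625, and on a domain controller also 4771 and 4776), decodes the source address, account and failure code for each, and summarises attempts per source address so that one address hitting many accounts (spray) or one account (brute force or a stale stored credential) stands out. It assumes an elevated PowerShell session with rights to read the Security log; the computer name, the 24-hour window, and the code-to-text tables are assumptions you can adjust.

```powershell
# Added example (not from the original page): list and summarise failed logons
# from a Security log. Run elevated. $ComputerName and $Hours are assumptions.
# Sanity-check the audit policy first on the target machine:
#   auditpol /get /category:"Logon/Logoff","Account Logon"
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

# NTSTATUS codes found in the Status/SubStatus of 4625 and the Status of 4776.
$NtStatus = @{
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'Wrong password'
    '0xC000006D' = 'Bad user name or password'
    '0xC000006E' = 'Account restriction'
    '0xC000006F' = 'Logon outside permitted hours'
    '0xC0000070' = 'Workstation restriction'
    '0xC0000071' = 'Password expired'
    '0xC0000072' = 'Account disabled'
    '0xC000015B' = 'Logon type not granted'
    '0xC0000193' = 'Account expired'
    '0xC0000234' = 'Account locked out'
}
# Kerberos error codes found in the Status of 4771 (pre-authentication failed).
$KrbStatus = @{
    '0x6'  = 'Client principal unknown'
    '0x12' = 'Client credentials revoked (disabled, locked out or expired)'
    '0x17' = 'Password expired'
    '0x18' = 'Pre-authentication failed (wrong password)'
    '0x25' = 'Clock skew too great'
}

function Decode-Status([hashtable]$Table, [string]$Code) {
    # The event stores e.g. '0xc000006a'; normalise the case before the lookup.
    $norm = '0x{0:X}' -f [int64]$Code
    if ($Table.ContainsKey($norm)) { $Table[$norm] } else { $norm }
}

# Filter server-side with XPath instead of paging the whole log through the client.
$ms    = $Hours * 3600 * 1000
$xpath = "*[System[(EventID=4625 or EventID=4771 or EventID=4776) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
$events = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Read EventData fields by name from the event XML rather than by position.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    switch ($e.Id) {
        4625 {
            # SubStatus carries the precise reason; fall back to Status when it is 0.
            $code = if ([int64]$d['SubStatus'] -ne 0) { $d['SubStatus'] } else { $d['Status'] }
            $user = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            $src  = $d['IpAddress']; $ws = $d['WorkstationName']   # '-' for console logons
            $why  = Decode-Status $NtStatus $code
            $type = "4625/type $($d['LogonType'])"
        }
        4771 {
            $user = $d['TargetUserName']
            $src  = $d['IpAddress'] -replace '^::ffff:', ''        # strip IPv4-mapped prefix
            $ws   = '-'
            $why  = Decode-Status $KrbStatus $d['Status']
            $type = '4771/Kerberos'
        }
        4776 {
            $user = $d['TargetUserName']
            $src  = '-'; $ws = $d['Workstation']                   # NTLM validation has no IP field
            $why  = Decode-Status $NtStatus $d['Status']
            $type = '4776/NTLM'
        }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Event = $type; User = $user; SourceIP = $src; Workstation = $ws; Reason = $why }
}

# Detailed list, newest first.
$failures | Sort-Object Time -Descending | Format-Table -AutoSize

# Per-source summary: many distinct accounts from one address is the password-spray
# shape; many attempts on one account from one address is brute force or a stale
# credential in a service or scheduled task.
$failures | Where-Object { $_.SourceIP -ne '-' } |
    Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count,
                  @{ n = 'Accounts';  e = { @($_.Group.User | Sort-Object -Unique).Count } },
                  @{ n = 'TopReason'; e = { @($_.Group.Reason | Group-Object | Sort-Object Count -Descending)[0].Name } } |
    Format-Table -AutoSize
```

Run it on a domain controller to see domain-wide Kerberos and NTLM failures in one view, or on a member server with `-ComputerName` to see the 4625 events written there. A source address that resolves to a jump host, VPN concentrator or NAT gateway will hide the real origin, so correlate the Workstation column and the source port with your firewall or VPN logs before deciding the attempt is benign.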

Native auditing becoming a little too much?

Simplify Active Directory auditing and reporting with ADAudit Plus.



© 2019 Zoho Corp. All rights reserved.