This is how ADAudit Plus can help you find the source of failed logon attempts
Step 1: Enable 'Audit Logon Policy' in Active Directory.
Step 2: Launch ADAudit Plus
Open the Reports tab, navigate to User Logon Reports, and click Logon Failures.
This will generate a detailed report which includes the IP address, logon time, domain controller and the reason for the failed logon. This report will help the administrator decide if the failed logon should be considered a security threat.
Here is how you can find the source of failed logon attempts in native AD.
Step 1: Enable 'Audit Logon Events' policy
Open 'Server Manager' on your Windows server
Under 'Manage', select 'Group Policy Management' to view the 'Group Policy Management Console'.
Navigate to Forest > Domain > Your Domain > Domain Controllers.
Either create a new Group Policy Object (GPO) or edit an existing one.
In the group policy editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
Under Audit Policy, select 'Audit logon events' and enable it for 'Failure'.
Step 2: Use Event Viewer to find the source of failed logon events
The Event Viewer will now record an event every time there is a failed logon attempt in the domain. Look for event ID 4625, which is triggered when a failed logon is registered.
Open Event Viewer in Active Directory and navigate to Windows Logs > Security. The center pane lists all the events that have been set up for auditing. You will have to go through the registered events to look for failed logon attempts. Once you find them, right-click the event and select Event Properties for more details. In the window that opens, you can find the IP address of the device from which the logon was attempted.
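The manual search through the Security log in Step 2 can also be scripted. The PowerShell below is an added example, not part of the original article or of ADAudit Plus: it reads event ID 4625 from the local Security log, extracts the source IP address and failure reason from each event, and counts failures per source. The `$Hours` and `$Top` values and the function name `ConvertFrom-FailedLogonRecord` are assumptions made for the example.

```powershell
# Added example: list failed logons (event ID 4625) and count them per source.
# Run from an elevated PowerShell session on the machine whose Security log
# you want to read. $Hours and $Top are assumed defaults.
$Hours = 24
$Top   = 10

# Common SubStatus codes found in 4625 events.
$SubStatusText = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000193' = 'Account expired'
    '0xc0000071' = 'Password expired'
}

function ConvertFrom-FailedLogonRecord {
    # Flattens one 4625 record into the fields otherwise read by hand
    # in the Event Properties window.
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    process {
        $data = @{}
        foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        # Local or interactive failures often carry '-' instead of an address.
        $ip = $data['IpAddress']
        if ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-') { $ip = '(not recorded)' }
        $sub = "$($data['SubStatus'])".ToLower()
        [pscustomobject]@{
            Time        = $Record.TimeCreated
            LoggedOn    = $Record.MachineName
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
            SourceIP    = $ip
            Workstation = $data['WorkstationName']
            Reason      = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { $sub }
        }
    }
}

# SilentlyContinue suppresses the "no events found" error; it also hides
# access-denied errors, so remove it if the result is unexpectedly empty.
$filter   = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$failures = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ConvertFrom-FailedLogonRecord)

$failures | Sort-Object Time -Descending | Format-Table -AutoSize
$failures | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name
```

A single source address with many failures across different accounts, or many "User name does not exist" reasons, is the pattern worth reviewing first.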
Native auditing becoming a little too much?
Simplify Active Directory auditing and reporting with ADAudit Plus.