How to use the EventCombMT utility to search event logs for account lockouts    


Apr 23


http://support.microsoft.com/kb/824209


 

SUMMARY

This article describes how to use the EventCombMT utility (EventCombmt.exe) to search the event logs of multiple computers for account lockouts.

 

MORE INFORMATION

EventCombMT is a multithreaded tool that you can use to search the event logs of several different computers for specific events, all from one central location. You can configure EventCombMT to search the event logs in a very detailed fashion. The following are some of the search parameters that you can specify:

· Individual event IDs
· Multiple event IDs
· A range of event IDs
· An event source
· Specific event text
· How many minutes, hours, or days back to scan

Some specific search categories are built-in, such as Account Lockouts. The Account Lockouts search is preconfigured to include event IDs 529, 644, 675, 676, and 681. Additionally, you can add event ID 12294 to search for potential attacks against the Administrator account.

To download the EventCombMT utility, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E

Note: The EventCombMT utility is included in the Account Lockout and Management Tools download (ALTools.exe).

To search the event logs for account lockouts, follow these steps:

1. Start EventCombMT.

2. On the Options menu, click Set Output Directory, select an existing folder, or click New Folder to create a new folder to save the output to, and then click OK.

Note: If you do not specify an output directory, the default location is C:\Temp.

3. On the Searches menu, point to Built In Searches, and then click Account Lockouts.

All domain controllers for the domain appear in the Select To Search/Right Click To Add box. Also, in the Event IDs box, you see that event IDs 529, 644, 675, 676, and 681 are added.

4. In the Event IDs box, type a space, and then type 12294 after the last event number.

5. In the Options menu, select Set Date Range.

6. In the From box, choose your start date and time.

7. In the To box, choose your end date and time, and then click OK.

8. Click Search.

9. To search other computers (non-domain controllers) for account lockout events, right-click the Select To Search/Right Click To Add box, and then click Remove Selected Servers From List. To add computers to search, right-click the Select To Search/Right Click To Add box, and then click one of the options. For example, to add computers one at a time, click Add Single Server. Click the server or servers that you want to search, and then click Search.

When the query completes, you can view the search results in the output directory that you specified in step 2. You can also import the files into Microsoft Excel. Or, if there is a very large output file, you can import the information into a Microsoft SQL Server database and use queries to evaluate the information.
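The database step suggested above, as an added example that is not part of the Microsoft article or the tool: Python with an in-memory SQLite database standing in for SQL Server. It assumes the EventCombMT output has already been reduced to four columns (event ID, domain controller, timestamp, account); that layout, the function names and the sample rows are constructed for illustration.

```python
import csv
import io
import sqlite3

# Event IDs named in the article: the built-in Account Lockouts search plus 12294.
FAILURE_IDS = (529, 675, 676, 681)
LOCKOUT_ID = 644   # "user account locked out"
SAM_ID = 12294     # added by hand in step 4
WANTED = set(FAILURE_IDS) | {LOCKOUT_ID, SAM_ID}

# Constructed sample data. ASSUMED layout: event_id,dc,timestamp,account
SAMPLE = """\
529,DC01,2008-04-22 10:15:03,jdoe
529,DC01,2008-04-22 10:15:09,JDoe
675,DC02,2008-04-22 10:15:12,jdoe
644,DC01,2008-04-22 10:15:20,jdoe
12294,DC01,2008-04-22 11:02:41,Administrator
12294,DC02,2008-04-22 11:02:55,Administrator
681,DC02,2008-04-23 09:00:00,asmith
529,DC01,2008-04-25 08:00:00,jdoe
528,DC01,2008-04-22 10:16:00,jdoe
not-an-id,DC01,2008-04-22 10:00:00,broken
"""

def load_events(conn, text):
    """Insert well-formed rows for the wanted event IDs; return how many were kept."""
    conn.execute("CREATE TABLE IF NOT EXISTS events (event_id INTEGER, dc TEXT, ts TEXT, account TEXT)")
    kept = 0
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4 or not row[0].strip().isdigit() or int(row[0]) not in WANTED:
            continue  # skip malformed rows and unrelated events
        # Account names are compared case-insensitively, so store them lower-cased.
        conn.execute("INSERT INTO events VALUES (?, ?, ?, ?)",
                     (int(row[0]), row[1].strip(), row[2].strip(), row[3].strip().lower()))
        kept += 1
    return kept

def summarize(conn, start, end):
    """Per account in [start, end]: (account, lockouts, sam_12294, failures, dcs)."""
    marks = ",".join("?" * len(FAILURE_IDS))
    sql = f"""
        SELECT account,
               SUM(event_id = ?) AS lockouts,
               SUM(event_id = ?) AS sam_12294,
               SUM(event_id IN ({marks})) AS failures,
               COUNT(DISTINCT dc) AS dcs
        FROM events WHERE ts BETWEEN ? AND ?
        GROUP BY account
        ORDER BY lockouts DESC, sam_12294 DESC, failures DESC, account"""
    return conn.execute(sql, (LOCKOUT_ID, SAM_ID, *FAILURE_IDS, start, end)).fetchall()
```

Call `load_events(sqlite3.connect(":memory:"), SAMPLE)` and then `summarize(...)` with the same From and To values chosen in steps 6 and 7; accounts with lockouts or 12294 events sort to the top.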

For more information about the EventCombMT utility, see the Help files that are included with the tool.

 

Article ID: 824209

APPLIES TO

· Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
· Microsoft Windows Server 2003, Standard Edition (32-bit x86)
· Microsoft Windows 2000 Server

 

Keywords:

kbactivedirectory kbwinservds kbhowto KB824209

 

 


 

 

 




Author Name:         ebhakt