Wednesday, November 01, 2006

HOWTO use logparser to find what machine locked out an account

I've been in a number of organizations where the who, what, where, when and how of an account lockout is, well, a mystery. The reason is that the one or ten relevant failure events per day are bundled in with all the routine logon/logoff and other authentication records, so the truth is obscured by too much data. The biggest problem is usually service accounts, where a number of dependencies share the same account.

It turns out it is relatively simple to write an MS Logparser query to hunt out this information; in other words, Logparser is your best friend. The second thing to note is that EventID 644 is the event the domain controller writes when an account is locked out. The rest is really the details.

  1. Install Logparser - Logparser download from Microsoft
  2. Create a file named lockedaccounts.sql in the same directory as logparser.exe (or add the folder that holds logparser.exe to the PATH).
    file contents:

    SELECT TimeGenerated AS TimeLockedout,
    extract_token(Strings, 0, '|') AS UserName,
    extract_token(Strings, 2, '|') AS OriginatingMachine,
    EventID,
    SourceName,
    Message,
    CASE EventID
    WHEN 529 THEN 'Invalid userid/password'
    WHEN 530 THEN 'Outside of logon time'
    WHEN 531 THEN 'Account disabled'
    WHEN 532 THEN 'Account expired'
    WHEN 533 THEN 'User not from allowed system'
    WHEN 535 THEN 'Password expired'
    WHEN 539 THEN 'Account locked out'
    WHEN 540 THEN 'Successful logon'
    WHEN 644 THEN 'Account auto locked'
    ELSE 'Not specified' END AS EventDesc,
    Strings
    INTO lockedact.csv
    FROM \\%DOMAINCONTROLER%\Security
    WHERE EventID=644

    The insertion strings of event 644 are, in order, Target Account Name, Target Account ID (the SID), Caller Machine Name, Caller User Name, Caller Domain and Caller Logon ID, so the machine name is the third pipe-separated token of the Strings field (index 2). The CASE block labels the related logon-failure events; with WHERE EventID=644 only the lockouts come back, but you can drop the WHERE clause to see the 529/530/... failures for the same accounts alongside them.
  3. Run the following command (it had a 90 second run time on ~500,000 remote Event Viewer records). In a Windows 2000/2003 domain, failed password attempts are forwarded to the PDC emulator, so that DC's Security log is the one to query first:
    C:\>logparser file:lockedaccounts.sql?DOMAINCONTROLER=ADOMAINCONTROLER
  4. Open the lockedact.csv file in Excel and hunt out the account you want to analyze. The column 'OriginatingMachine' (the Caller Machine Name insertion string of event 644) is the machine that locked out the account; the other columns are there for info only. Sanity check the first few rows against the Strings column: OriginatingMachine should hold a host name, not a SID like S-1-5-21-..., and on Windows Vista / Server 2008 and later the equivalent event is 4740 with a different insertion-string order, so the token indexes need adjusting there. Note that EventID 644 is the one you are interested in (http://www.ultimatewindowssecurity.com/events/com264.htm ).
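Once you know which machine is doing it, the next question is usually how often and against which accounts. The query below is an added example, not part of the original post: it summarises all 644 events on the domain controller per account and caller machine, with first and last lockout time, instead of listing them one by one. It assumes the same DOMAINCONTROLER parameter and the Windows 2000/2003 insertion-string order for event 644 (Target Account Name, Target Account ID, Caller Machine Name, Caller User Name, Caller Domain, Caller Logon ID); lockoutsummary.sql and lockoutsummary.csv are file names chosen for the example.

```sql
SELECT extract_token(Strings, 0, '|') AS UserName,
       extract_token(Strings, 2, '|') AS CallerMachine,
       extract_token(Strings, 3, '|') AS CallerUser,
       COUNT(*)           AS Lockouts,
       MIN(TimeGenerated) AS FirstLockout,
       MAX(TimeGenerated) AS LastLockout
INTO lockoutsummary.csv
FROM \\%DOMAINCONTROLER%\Security
WHERE EventID = 644
GROUP BY UserName, CallerMachine, CallerUser
ORDER BY Lockouts DESC
```

Save it as lockoutsummary.sql next to logparser.exe and run C:\>logparser -i:EVT -o:CSV file:lockoutsummary.sql?DOMAINCONTROLER=ADOMAINCONTROLER. A service account that shows up with a high Lockouts count from a single CallerMachine is the usual culprit. CallerUser is the security context that set the lockout and is often the domain controller's own machine account rather than the offending user, so treat CallerMachine as the primary lead and use FirstLockout/LastLockout to line the pattern up with a scheduled task or service restart on that host.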

For more (much, much more) on logparser: http://www.logparser.com

For more elaboration on logparser scripts, see my blog entry on logparser here: Logparser examples and more.

Keywords: Windows, Active Directory, how to, HOWTO use Microsoft logparser to find what machine locked out an account in Windows, what machine locked out an account.

3 comments:

Miguel Sánchez said...

Hi Paul,

I've just learned about LogParser and it is a great tool. I'm usually not using Windows so I wonder if you know how to use LogParser on Linux (or whether there is a Linux version).

Thanks,

Miguel

Paul Cooley said...

Miguel,

Logparser is indeed a powerful tool.
Great question. However, as far as I know there is no port of logparser to linux as of today.

Paul
