Track Down Active Directory Attack Attempts

A large number of failed logon attempts within a short span of time usually indicates a security threat. That is why administrators need to keep an eye out for such events and get to the root of where the failed logons come from. This article walks through failed logon auditing using Microsoft's native tools.

Tracking the Source of Failed Logon Attempts

  1. Run gpmc.msc to open the Group Policy Management Console.

  2. Right-click the domain's Default Domain Policy and select Edit; this opens the Group Policy Management Editor.

  3. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy and double-click Audit Logon Events.

  4. In Audit Logon Events Properties, switch to the Security Policy Setting tab and select Success.

  5. Open the Command Prompt and run gpupdate /force to refresh Group Policy.

  6. To find the failed logon events, filter the Security event log for Event ID 4625.

  7. Double-click any event to see the details of the source from which the failed logon attempt originated.
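The Event Viewer filter in steps 6 and 7 shows one event at a time. The following PowerShell script, an added example that is not part of the original article, pulls the same Event ID 4625 entries from the Security log, extracts the account, workstation and source address fields from each event, and lists the sources with the most failures in the look-back window. It assumes it runs elevated on a domain controller or another host whose Security log holds the events; the $Hours and $Threshold parameters are the script's own, not Microsoft settings.

```powershell
# Added example (not from the original article): summarise Event ID 4625
# (failed logon) entries from the local Security log by originating host.
param(
    [int]$Hours = 24,      # look-back window (assumed default)
    [int]$Threshold = 10   # failures per source that warrant a closer look (assumed default)
)

$since  = (Get-Date).AddHours(-$Hours)
# Get-WinEvent throws when nothing matches, so suppress that and treat it as "no failures".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Each 4625 event carries its details as named EventData fields; read them out of the event XML.
$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
        LogonType   = $data['LogonType']    # 3 = network, 10 = RemoteInteractive (RDP), etc.
        SubStatus   = $data['SubStatus']    # 0xC000006A = wrong password, 0xC0000064 = unknown user
    }
}

# Group by source address: many failures from one place in a short window is the pattern to chase.
$failures |
    Group-Object SourceIP |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP  = $_.Name
            Failures  = $_.Count
            Accounts  = ($_.Group.Account | Sort-Object -Unique) -join ', '
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

A source that tries many distinct accounts with an unknown-user SubStatus looks different from a single user mistyping a password; the Accounts column and the SubStatus field make that distinction visible before you open individual events.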

Regularly monitoring unsuccessful logon attempts in the event logs is crucial to keeping your Active Directory environment secure.
