Hi there,
Need a quick advice on how to find out the device that causing the failed user authentication, which eventually lock the user account.
(User account not used anymore so it can remain locked)
basically, I noticed that the user account is always locked (user already left us).
When I unlock it to find out what's going on, I found this log when it happened again.
problem is, the entry under source workstation is foreign to me, we never had that machine and was assuming that it was his old laptop.
I looked for it in DHCP lease entries, also ping, but can't find anything.
Just afraid that there's a rouge device somewhere and waiting to wreak havoc on our network.
Thank you for anyone's advice!
------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/01/2014 1:54:28 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DCSERVER.domain.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: username
Source Workstation: a-non-existent-machine.local
Error Code: 0xc000006a
Event Xml:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
username
a-non-existent-machine.local
0xc000006a