How to Get the IP Address of the Workstation that Locked Out an NT Account

Keywords:   IP Address locked out account NT event log

Question:

How can I get the IP address of the workstation that locked out an NT account? I looked through the NT/XP/2000 extender but didn't see anything. Anyone know of a way?

Answer:

Basically look in the event log for logon/logoff events and see if anything is in there.

First of all, check your security event logs on your DCs. If you're not logging logons and logoffs, you might want to talk to your server admin about the lack of security logging. The security logs will tell you when your user logged on, which workstation, and when he was logged off and when his account was locked out. If you can't get your admin to start that kind of logging, then you might try the next paragraph.

Look for a WINS entry in your WINS database for his userid. You can find out which workstation he's logged on to there.... I really don't think that it's however.. What I believe it may be is a network application that's tied into the NT Domain security. This application is configured for PW1, and he had to change it and now his LAN password is PW2 and it did not sync properly, or his client software is still configured with PW1. Key thing to search for here are service accounts running on the workstations (NT). If his workstation is a WIN311/95/98 machine, look for *.pwl files on the workstation and delete any that pertain to his userid. If you still cannot get any assistance from your admin, try the next paragraph and let him/her know what an asshole of an admin he/she is....

If your workstations are NT machines, start all the messenger services; if they are WIN95/98, get and install WINPOPUP. It's a program that's a part of Windows. From your workstation type in "NET SEND useridinquestion messagestuff" without the "" of course. Once you've done that, run around to all the PCs and look for the messagestuff popped up on the screen. Everywhere where messagestuff popped up, he's logged on to that machine in either a service or program type logon.

I had this happen to me some time ago with Microsoft SNA Server client..... This was one hell of a problem to figure out. One of my trainees configured SNA Server to log on as a service with his USERID and password, and when his password changed everything went to hell for a while.....
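
One way to do the security-log check described in the answer, as an added example that is not part of the original article and is not WinBatch code. It assumes domain controllers running Windows Server 2008 or later with account-management auditing enabled, where a lockout is recorded as Security event 4740; the function name, the DC name `dc01` and the sample record are hypothetical and constructed for illustration.

```powershell
# Added example: turn account-lockout events (Security event 4740) into
# "who was locked out, from which machine, at which IP" records.
function ConvertFrom-LockoutEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        if ($evt.System['EventID'].InnerText -ne '4740') { return }  # not a lockout
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
        $caller = $data['TargetDomainName']
        $ips = @()
        if ($caller) {
            try {
                $ips = [System.Net.Dns]::GetHostAddresses($caller) |
                    ForEach-Object { $_.IPAddressToString }
            } catch { }  # name does not resolve (any more); keep the name itself
        }
        [pscustomobject]@{
            Time           = [datetime]$evt.System.TimeCreated.SystemTime
            LockedAccount  = $data['TargetUserName']
            CallerComputer = $caller
            CallerIP       = $ips -join ', '
            ReportedBy     = $evt.System.Computer
        }
    }
}

# Constructed sample record (not from a real DC), shaped like a 4740 event.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:12.000Z" />
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN-042</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LockoutEvent

# Against a live DC (hypothetical name dc01), from an elevated session:
# Get-WinEvent -ComputerName dc01 -FilterHashtable @{LogName='Security'; Id=4740} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LockoutEvent
```

An empty `CallerComputer` usually means the failed logons reached the DC through another service rather than directly from a workstation, which fits the stale service-account password scenario described in the answer.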


Article ID:   W15304
File Created: 2002:09:05:13:51:14
Last Updated: 2002:09:05:13:51:14