04-03-2021



Installing PsTools. PsTools uses a familiar syntax if you are already used to working at a command line in Windows. Simply open an elevated Command Prompt in the directory where PsTools was unzipped. Using your elevated Command Prompt, type psexec and hit Enter. You should be prompted to accept the EULA of the Sysinternals Suite of software.

Sep 19, 2013: Hey guys, Having some trouble running the PsLoggedon tool in PsTools on some of our graphics stations here. It was working perfectly up until a few weeks ago; now when it is run it is showing every user that has ever logged on with a value as their log on.

PsLogList

  • Easy Deploy is a front end GUI for PsExec (from Sysinternals). Easy Deploy was developed as a personal project to make my tasks at work easier and more efficient (when I was working as a computer technician). It’s an easy to use client for the popular command-line utility PsExec.
  • Remote Windows PC Enumeration with PsTools. PsTools is an all-in-one collection of 13 tools developed by Mark Russinovich. All of them are command-line (cmd) tools that let you execute processes on remote systems and redirect console applications’ output to the local system, so that these applications appear to be running locally.

The Resource Kit comes with a utility, elogdump, that lets you dump the contents of an Event Log on the local or a remote computer. PsLogList is a clone of elogdump except that PsLogList lets you log in to remote systems in situations where your current set of security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log you view resides.

Installation


Copy PsLogList onto your executable path and type 'psloglist'.

Usage

The default behavior of PsLogList is to show the contents of the System Event Log on the local computer, with visually-friendly formatting of Event Log records. Command line options let you view logs on different computers, use a different account to view a log, or have the output formatted in a string-search friendly way.

usage: psloglist [-?] [\\computer[,computer[,...]] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w] [-c] [-x] [-r] [-a mm/dd/yy] [-b mm/dd/yy] [-f filter] [-i ID[,ID[,...]] | -e ID[,ID[,...]]] [-o event source[,event source][,..]] [-q event source[,event source][,..]] [-l event log file] <eventlog>

@file

Execute the command on each of the computers listed in the file.

-a

Dump records timestamped after specified date.

-b

Dump records timestamped before specified date.

-c

Clear the event log after displaying.

-d

Only display records from previous n days.

-e

Exclude events with the specified ID or IDs (up to 10).

-f

Filter event types with filter string (e.g. '-fw' to filter warnings).

-g

Export an event log as an evt file. This can only be used with the -c switch (clear log).

-h

Only display records from previous n hours.

-i

Show only events with the specified ID or IDs (up to 10).

-l

Dump records from the specified event log file.

-m

Only display records from previous n minutes.

-n

Only display the number of most recent entries specified.

-o

Show only records from the specified event source (e.g. '-o cdrom').

-p

Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.

-q

Omit records from the specified event source or sources (e.g. '-q cdrom').

-r

Dump log from least recent to most recent.

-s

This switch has PsLogList print Event Log records one-per-line, with comma delimited fields. This format is convenient for text searches, e.g. psloglist | findstr /i text, and for importing the output into a spreadsheet.

-t

The default delimiter is a comma, but it can be overridden with the specified character.

-u

Specifies optional user name for login to remote computer.

-w

Wait for new events, dumping them as they generate.

-x

Dump extended data.

eventlog

By default PsLogList shows the contents of the System Event Log. Specify a different event log by typing in the first few letters of the log name: application, system, or security.


Microsoft Active Directory is a core component of your infrastructure, controlling everything from security settings to Group Policy to user authentication. Each user’s Active Directory account controls their access to network drives and other resources, as well as their Windows settings and computer configurations.

To thwart attacks, most organizations set up an account lockout policy for user accounts: as soon as the bad password count for a particular user is exceeded, their Active Directory account gets locked. If your audit policy is enabled, you can find these events in the Security log by searching for event ID 4740.

To effectively troubleshoot account lockouts, you must enable auditing at the domain level for security events and change some of the settings for the Security event logs as described in the “Active Directory Audit Quick Reference Guide” (link below).

This how-to is an extended version of the Account Lockout Troubleshooting Guide previously posted by Netwrix on Feb 16, 2016:
https://community.spiceworks.com/how_to/113387-account-lockout-troubleshooting

9 Steps total

Step 1: Microsoft Account Lockout and Management Tools

Microsoft’s Account Lockout and Management Tools include AlTools.exe. Download the AlTools package and install it on your domain controller.
https://www.microsoft.com/en-us/download/details.aspx?id=18465
This package includes the following tools:
* LockoutStatus
* EventCombMT

Step 2: LockoutStatus Tool

This tool displays information about locked-out accounts, including user state and lockout time on each domain controller, and enables you to unlock any account by right-clicking on it. To use the tool:

Run LockoutStatus.exe → From the File menu, select the target → Specify values for Target User Name and Target Domain Name → Click OK.

Step 3: EventCombMT Tool

This tool gathers specific events from several different servers to one central location. To use the tool:

Run EventCombMT.exe → Right-click on Select to search → Choose Get DCs in Domain → Select the domain controllers to be searched → Click the Searches menu → Choose Built In Searches → Click Account Lockouts → For Windows Server 2008 and above, replace the Event ID field values with 4740 → Click Search.

The output directory will contain the log files for all domain controllers where events with the specified event IDs were found.

Step 4: PowerShell

To filter the event log for events related to a certain account, use this command:

Get-EventLog -LogName Security | ?{$_.message -like '*locked*USERNAME*'} | fl -property *

Alternatively, you can use the PowerShell script from How to Find Account Lockout Source:
https://www.netwrix.com/how_to_find_account_lockout_source.html
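As an added PowerShell example (not part of the original how-to or the Netwrix script), the following pulls the 4740 events the guide refers to and extracts the locked account and the caller computer name from each event's XML payload. The domain controller name, user filter and time window are assumed parameters.

```powershell
# Added example: list 4740 lockout events with the machine that caused them.
# Run on (or point -ComputerName at) the PDC emulator, where lockouts are
# recorded; the current account must be able to read the Security log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local DC
    [string]$UserName     = '*',                 # assumption: match all accounts
    [int]$Hours           = 24                   # assumption: look back one day
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # EventData fields are most reliably read from the event's XML payload.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            LockedAccount  = $data['TargetUserName']
            # In 4740 the TargetDomainName field carries the "Caller Computer
            # Name", i.e. the machine the bad passwords came from.
            CallerComputer = $data['TargetDomainName']
            ReportingDC    = $_.MachineName
        }
    } |
    Where-Object { $_.LockedAccount -like $UserName } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

A caller computer name that is empty or not a domain-joined host usually points at a device behind a NAT, a mobile device or an external source, which is where the Netlogon step below comes in.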

Step 5: Netlogon

This Windows Server process authenticates users and other services within a domain, so checking its log can help you investigate persistent lockout incidents. However, the Netlogon logging process can slightly degrade system performance, so be sure to disable it once you have captured the events you need.

To enable Netlogon logging, run the following command:
nltest /dbflag:2080ffff → OK



Then restart the Net Logon service. Activity will be logged to %windir%\debug\netlogon.log.

To parse the Netlogon logs, use the following batch script:

type netlogon.log | find /i "0xC000006A" > bad_password.txt
type netlogon.log | find /i "0xC0000234" > user_locked.txt


Note that Netlogon logging might affect your system performance. To disable it, run the following command:
nltest /dbflag:0
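As an added example (not from the original guide), this PowerShell script parses Netlogon log lines for the two status codes above and groups the failures by account and source machine, so the workstation generating the bad passwords stands out. The log path is an assumed parameter and the sample lines are constructed.

```powershell
# Added example: summarise failed logons in netlogon.log by user and source.
# 0xC000006A = wrong password, 0xC0000234 = account locked out (from the guide).
param([string]$LogPath = "$env:windir\debug\netlogon.log")   # assumption

# Constructed sample lines in the Netlogon log format, used when no real log
# is present so the script can be tried offline.
$sample = @'
03/04 09:12:01 [LOGON] [2456] CORP: SamLogon: Network logon of CORP\jdoe from WKS-FIN-07 Returns 0xC000006A
03/04 09:12:03 [LOGON] [2456] CORP: SamLogon: Network logon of CORP\jdoe from WKS-FIN-07 Returns 0xC000006A
03/04 09:12:05 [LOGON] [2456] CORP: SamLogon: Network logon of CORP\jdoe from WKS-FIN-07 Returns 0xC0000234
03/04 09:15:44 [LOGON] [2456] CORP: SamLogon: Network logon of CORP\asmith from LAPTOP-22 Returns 0x0
'@ -split "`r?`n"

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }

# Capture DOMAIN\user, the source host and the NTSTATUS code from "Returns" lines.
$pattern = 'logon of (?<domain>[^\\\s]+)\\(?<user>\S+) from (?<source>\S+).*Returns (?<status>0x[0-9A-Fa-f]+)'
# Hashtable literals compare keys case-insensitively, so 0xc000006a also matches.
$codes = @{ '0xC000006A' = 'bad password'; '0xC0000234' = 'account locked out' }

$lines | ForEach-Object {
    if ($_ -match $pattern -and $codes.ContainsKey($Matches.status)) {
        [pscustomobject]@{
            User   = "$($Matches.domain)\$($Matches.user)"
            Source = $Matches.source
            Status = $codes[$Matches.status]
        }
    }
} |
    Group-Object User, Source, Status |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```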

Step 6: Netwrix Account Lockout Examiner (free tool)

Instead of bushwhacking through cryptic logs and system events, you can use Netwrix Account Lockout Examiner to quickly pinpoint the source of an account lockout.
https://www.netwrix.com/go/ale

To report on all locked, unlocked and manually added accounts, install Netwrix Account Lockout Examiner, defining an account with access to the security event logs during setup. Then take the following steps:

1. From the Netwrix Account Lockout Examiner console, navigate to File → Click Settings → Go to the Managed Objects tab → Click Add → Specify values for the Domain and Domain Controllers fields → Close the settings window.
2. To determine the reason for a lockout, either click the arrow next to the Examine button to get information on all the workstations in the specified domain, or click the Examine button to specify a particular workstation.

Step 7: Common Root Causes for Account Lockouts

• Persistent drive mappings with expired credentials
• Mobile devices using domain services like Exchange mailbox
• Service Accounts using cached passwords
• Scheduled tasks with expired credentials
• Programs using stored credentials
• Disconnected Terminal Server sessions
• Active Directory replication issues
• Misconfigured domain policy settings
• Malicious activity, such as password spraying attacks

Step 8: Troubleshooting

• Persistent drive mappings with expired credentials
 Use wmic netuse


• Mobile devices using domain services like Exchange mailbox
 Use the Get-ActiveSyncDeviceStatistics PowerShell cmdlet.


• Scheduled tasks with expired credentials
 Check Windows task scheduler for tasks that are configured to run using the problematic account.

• Applications or services using cached passwords
 Check for a service, tool or application that is trying to run using outdated credentials.
 Use Process Hacker or Process Monitor to see the credentials for active processes.

• Programs using stored credentials
 Run the following command:
rundll32 keymgr.dll, KRShowKeyMgr
 Alternatively, if you are on Windows Server 2008 or above, run the netplwiz application, go to the Advanced tab and then click Manage Passwords.

 NOTE that passwords from the SYSTEM context can’t be seen in the normal Credential Manager. To check for these:
1. Download the Microsoft tool PsExec.exe and copy it to C:\Windows\System32.
2. From a command prompt run: psexec -i -s -d cmd.exe
3. In new CMD window, enter the following: rundll32 keymgr.dll, KRShowKeyMgr
4. Remove items that appear in the list of Stored User Names and Passwords.

• Disconnected Terminal Server sessions
 Check for a session with outdated credentials. To kill an RDP session, run the following commands at the command prompt:
1. net use \\server_ip /USER:name password
Replace server_ip, name and password with the necessary credentials. This logs you in to the remote server without using RDP.
2. query session /server:name
Replace “name” with the server’s name. You get the session ID here.
3. reset session id /server:server_ip
This terminates the active session on your remote server.

• AD replication issues
Password updates might not have replicated to all domain controllers. To force replication, run the following command on your DC:
repadmin /syncall /AdeP

• Firewall logs, ISA server logs
If your RD gateway server is exposed to the internet, lockouts may indicate brute-force attacks.

• Improperly closed app virtualization session (such as XenApp)
Check for stale sessions and manually log them off.

Step 9: Other possible lockout causes

• AD Federation Services — Check for the following:
 - New password was not replicated to ADFS
 - Brute force and denial of service attacks on ADFS

• DCOM objects — Sometimes a computer requires a restart after a user password is changed in order to apply the setting to DCOM objects that are using those credentials.

• RADIUS server is authenticating WiFi access against AD and the user has an incorrect password.

• Web application is authenticating by attempting to bind to LDAP against a DC and the user's browser has a bad password saved in the Password Manager vault.

Persistent account lockout incidents require prompt investigation. Often, you have to track down the IP address or device name of the source of the lockout. Some common issues can be resolved by checking credential manager, unlocking the account via PowerShell or simply updating your PDC emulator.

This how-to is based on the original guide at https://www.netwrix.com/account_lockout_quick_troubleshooting_guide.html

Published: Jan 17, 2020 · Last Updated: Mar 04, 2020

References

  • [Best Practices] Account Lockout Best Practices
  • [Best Practices] Password Policy Best Practices
  • [Free Tool] Netwrix Account Lockout Examiner
  • [Guide] Account Lockout Troubleshooting Quick Reference Guide
  • [Guide] Active Directory Audit Quick Reference Guide
