Hi guys,
Just like a lot of others, I experience problems with locked accounts in Active Directory.
However, I cannot seem to find any thread that helps me with my specific problem. The problem isn't specifically about the account being locked itself, but the final stage in the search for the source.
I've come so far as to know from NETLOGON and the event logs of my DCs (2008R2) when it happens, and also from where. But, and here's the big BUT: the source specified in the logs is my Exchange 2010 server, which isn't the answer I'm looking for...
I've created a PS script that goes through the event logs of the three DCs in the network and collects them in a nice table like this:
Timestamp            Id    User   Lockout source
---------            --    ----   --------------
2013-11-11 10:47:21  4740  User1  Exchangeserver
2013-11-11 11:36:51  4740  User2  Exchangeserver
2013-11-11 12:56:14  4740  User3  Exchangeserver
2013-11-11 13:03:20  4740  User4  Exchangeserver
I know for a fact that users 1, 2, 3 and 4 all have at least one smartphone each and use ActiveSync to sync mail, contacts and calendar to their respective Android/iOS devices.
So, what I'm looking for is to resolve "Exchangeserver" to the correct source or specific device, i.e. device name or IP/MAC address.
When I check the W3SVC1 logs on the Exchange server, I can't seem to match the timestamps from them with the event log entries on the DCs; the timestamps differ and the lockouts aren't marked in the IIS log. Plus, the IIS/Exchange logs include all other working devices as well, so I find it hard to match the entry that's causing the lockout.
Is there any good way to accomplish this? To compare lockouts from the event log with ActiveSync logs on the Exchange server?
Best Regards
Johan Elmquist
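
Added example, not part of the original post: one way to do the comparison asked about above is to convert each DC lockout time to UTC (IIS W3C logs are written in UTC, unlike the event log view) and count ActiveSync 401 responses per device in the minutes before the lockout. The log lines, device IDs, IP addresses, the UTC+1 offset of the DC timestamps and the 30-minute window are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

EAS = "/Microsoft-Server-ActiveSync/default.eas"
# Constructed sample in IIS W3C format; IIS writes these timestamps in UTC.
SAMPLE_IIS_LOG = f"""\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2013-11-11 08:00:00 POST {EAS} User=User1&DeviceId=DEVICE0002&DeviceType=iPhone&Cmd=Sync - 198.51.100.7 401
2013-11-11 09:46:50 POST {EAS} User=User1&DeviceId=DEVICE0001&DeviceType=Android&Cmd=Sync - 203.0.113.10 401
2013-11-11 09:47:00 POST {EAS} User=User1&DeviceId=DEVICE0001&DeviceType=Android&Cmd=Sync - 203.0.113.10 401
2013-11-11 09:47:05 POST {EAS} User=User1&DeviceId=DEVICE0002&DeviceType=iPhone&Cmd=Sync User1 198.51.100.7 200
2013-11-11 09:47:10 POST {EAS} User=User1&DeviceId=DEVICE0001&DeviceType=Android&Cmd=Sync - 203.0.113.10 401
2013-11-11 10:36:30 POST {EAS} User=User2&DeviceId=DEVICE0003&DeviceType=iPad&Cmd=Ping - 203.0.113.44 401
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse_failures(text):
    """Yield (utc_time, user, device_id, device_type, client_ip) per ActiveSync 401."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order comes from the log header
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "401" or "ActiveSync" not in row.get("cs-uri-stem", ""):
            continue
        # cs-username is "-" on a failed logon, so take the user from the query string.
        q = parse_qs(row["cs-uri-query"])
        user = q.get("User", ["?"])[0].split("\\")[-1].lower()
        ts = datetime.strptime(f"{row['date']} {row['time']}", FMT).replace(tzinfo=timezone.utc)
        yield ts, user, q.get("DeviceId", ["?"])[0], q.get("DeviceType", ["?"])[0], row["c-ip"]

def suspects(lockouts, iis_text, dc_utc_offset_hours=1, window_minutes=30):
    """Map each (local_time, user) lockout to devices ranked by 401 count before it."""
    tz = timezone(timedelta(hours=dc_utc_offset_hours))  # assumed DC display offset
    failures = list(parse_failures(iis_text))
    ranked = {}
    for stamp, user in lockouts:
        locked = datetime.strptime(stamp, FMT).replace(tzinfo=tz)
        start = locked - timedelta(minutes=window_minutes)
        hits = Counter((dev, kind, ip) for ts, u, dev, kind, ip in failures
                       if u == user.lower() and start <= ts <= locked)
        ranked[(stamp, user)] = hits.most_common()
    return ranked

if __name__ == "__main__":
    events = [("2013-11-11 10:47:21", "User1"), ("2013-11-11 11:36:51", "User2")]
    for key, devices in suspects(events, SAMPLE_IIS_LOG).items():
        print(key, devices)
```

The device with the most 401s just before the 4740 event is the first one to check for a stale saved password; the `c-ip` column only identifies the device directly when no proxy or load balancer sits in front of the Exchange server.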