How to locate bad login attempts on a domain account when source is unknown

My issue is trying to locate the source of the lock out that is not a domain computer.

In Event Viewer, event 4740 shows a blank caller computer name. In event 4776, I see error code 0xC000006A.

The account does not use email, and is reserved to do admin related work on the network. If I rename the account, that stops the lockouts.

I tried several tools online like Lockout Analyzer, Netwrix, and AD Audit, but the source computer is never revealed.



Solution 1:

This client is using NTLM, is probably not joined to AD, and your Domain Controller is not able to resolve its hostname. From the AD side, you only have two alternatives to track the source:

  1. Enable debug logging for Netlogon on the Domain Controller. To do that, open a Command Prompt with administrative privileges and run:

        Nltest /DBFlag:2080FFFF

     Then wait for the event to be logged again and search for more information in:

        %windir%\debug\netlogon.log

     Do not forget to turn off debug logging:

        Nltest /DBFlag:0x0

  2. Enable a deeper level of NTLM authentication auditing by modifying the GPO entry Network security > Restrict NTLM:

     • Outgoing NTLM traffic to remote servers = Audit All
     • Audit NTLM authentication in this domain = Enable all
     • Audit Incoming NTLM Traffic = Enable auditing for all accounts

     NTLM audit events will be available under:

        Event Viewer\Applications And Services Logs\Microsoft\Windows\NTLM\Operational

Hope this helps you find what you are looking for.
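As an added example (not part of the answer above), a small Python parser for the netlogon.log produced by step 1: it assumes the usual SamLogon line layout shown in the comment, runs over constructed sample lines, and tallies which client (and which server relayed the request) returned 0xC000006A for the locked account, so that even a blank client name still points you at the relaying server to check next.

```python
import re
from collections import Counter

# Assumed netlogon.log layout (the common format; not taken from the page):
#   MM/DD HH:MM:SS [LOGON] [pid] DOM: SamLogon: <Type> logon of DOM\user from CLIENT (via SERVER) Returns 0x...
# "Entered" lines carry no status and are skipped; a blank CLIENT is what
# produces the empty caller computer name in event 4740.
LOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] (?P<dc_dom>\w+): SamLogon: "
    r"(?P<type>[\w ]+?) logon of (?P<account>\S+) from (?P<client>[^\s(]*)\s*"
    r"\(via (?P<via>\S+)\) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# Constructed sample lines: svc_admin is the locked-out admin account.
SAMPLE_LOG = """\
05/21 08:01:12 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\svc_admin from FINANCE-PC7 (via FILESRV01) Entered
05/21 08:01:12 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\svc_admin from FINANCE-PC7 (via FILESRV01) Returns 0xC000006A
05/21 08:01:13 [LOGON] [4120] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\svc_admin from  (via WEBSRV02) Returns 0xC000006A
05/21 08:01:14 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\svc_admin from FINANCE-PC7 (via FILESRV01) Returns 0xC000006A
05/21 08:02:00 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\jdoe from HR-LAPTOP3 (via FILESRV01) Returns 0x0
05/21 08:02:05 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\svc_admin from ADMIN-WS1 (via DC01) Returns 0x0
"""

def bad_password_sources(lines, account, status="0xC000006A"):
    """Count (client, via-server) pairs whose logon for ACCOUNT returned STATUS."""
    hits = Counter()
    for line in lines:
        m = LOGON_RE.match(line.strip())
        if not m or m["status"].upper() != status.upper():
            continue
        # Compare on the sAMAccountName part only, ignoring the DOMAIN\ prefix.
        if m["account"].split("\\")[-1].lower() != account.lower():
            continue
        client = m["client"] or "<blank>"   # blank client: follow the 'via' server
        hits[(client, m["via"])] += 1
    return hits

def scan_file(path, account, status="0xC000006A"):
    """Run the same tally over a real %windir%\\debug\\netlogon.log copy."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return bad_password_sources(fh, account, status)

if __name__ == "__main__":
    for (client, via), n in bad_password_sources(SAMPLE_LOG.splitlines(), "svc_admin").most_common():
        print(f"{n:4d}  client={client:<12} via={via}")
```

Run it against a copy of the real log with `scan_file(r"C:\Windows\debug\netlogon.log", "youraccount")`; the `via` host of any `<blank>` row is the member server whose own Security log (4624/4625 with logon type 3) should show the true source address.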