-
Title
The Origin information in some User Lockout events shows a Domain Controller or Application server, rather than the user's workstation. -
Description
When a user mis-types their password, and locks themself out while attempting to log into their Windows desktop, a User Lockout event is created in Change Auditor, and will show the user's workstation name or IP address as the Origin of the lockout.
In other cases, the Origin information will show a Domain Controller or an Application server, even when the User couldn't be logging in to those servers. The Security logs on the Domain Controller will show the same source of the lockout, either itself, or an application server. This is generally seen when a non-user initiated logon attempt is made, possibly by a custom script, application, or website.
An example would be a user trying to log into the Change Auditor WebDesktop client from their workstation. If they input the wrong password enough time, they will lock themselves out, and the Origin will show the server which hosts the WebDesktop client or the Change Auditor Coordinator. This is expected, as the user is not authenticating to the webserver directly, but rather is passing their credentials to the webserver, and it in turns passes them on for authentication.
-
Cause
Regardless of which authentication process takes place, the Origin value that Change Auditor will display should always match the information in the Security Event log of the Domain Controller where the lockout was registered. -
Resolution
Verify that the Origin in the CA Event matches what is logged in the Lockout event in the Security Event log of the Domain Controller.