Event Viewer showing account lockout alerts (4740) from computers which are not in my domain (Caller Computer is not in domain)
Hi guys,
This is one of those weird ones.
Recently came across a few account lockouts (this includes the built-in Administrator accounts as well) that have been happening in our domain, and these event alerts are showing computers which are not in our domain. Now there are a few alerts where the "Caller Computer Name" is empty, but the majority show up with computer names which are not in our domain. Any idea why the caller name is not in our domain? I was thinking this could be an attack from the outside, but looking at the firewall it's highly unlikely.
I have already tried using Netwrix and the Microsoft Account Lockout tool to try and drill down into the issue, and was also looking at Netlogon logs to see if any info would give a better understanding. But I still cannot get a breakthrough on this issue. Below are some screen prints to help you understand the issue.
Looking at the Netlogon logs, you can see the weird computer name request is coming via a device that is in the network. But the device name is not in our network. If anyone can point me in some direction, that would be greatly appreciated. Could this be some third-party app on that computer generating this request?
Thanks Guys!
Event view log ID 4740 with Netlogon Logs.
Netwrix Logs
Thanks guys,