I'm dealing with a problem where I'm getting a ton of failed login attempts every day from an account that isn't even supposed to exist anymore. This account was active before I became the domain admin. In the event viewer, it shows the workstation as the domain controller and the IP address appears as '1'. Does that indicate a local process or service is trying to use this account? I've checked the Services and Task Scheduler, but there's nothing there with that username. How can I figure out where this account is showing up on the DC?
3 Answers
I recommend using a tool like Netwrix Account Lockout Examiner; it's super user-friendly and can help you find where the account might be trying to access the system.
Have you tried capturing the activity with Process Monitor? It can give you really detailed info about what's happening when those login attempts occur.
Just to clarify, the IP address listed as '1' actually shows as '::1', which is the IPv6 loopback address. It's like 127.0.0.1 for IPv4, meaning it's likely a local issue rather than something coming from outside your network.
Good catch! I didn’t realize that. It definitely points to something internal trying to authenticate.

Thanks! I just started trying that, hoping it helps me narrow things down.
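As an added illustration (not code posted by anyone in this thread), here is a PowerShell query to run on the DC itself: it pulls the Security log failed-logon events (assumed to be Event ID 4625) for the stale account, separates the loopback-sourced attempts like the '::1' entries discussed above, and resolves any recorded caller PID to a running process and the service that owns it. The account name 'OLDSVC' and the 24-hour window are placeholders.

```powershell
# Added example: locate the local caller behind failed logons for a stale account on a DC.
# Assumes Event ID 4625 (An account failed to log on) in the Security log.
param(
    [string]$Account = 'OLDSVC',   # placeholder: the no-longer-existing account name
    [int]$Hours = 24
)

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }

# Flatten each event's EventData into a row; field names are the 4625 schema names.
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time          = $_.TimeCreated
        TargetUser    = $d['TargetUserName']
        Workstation   = $d['WorkstationName']
        IpAddress     = $d['IpAddress']          # '::1' = IPv6 loopback, i.e. a local caller
        LogonType     = $d['LogonType']          # 2/4/5 (interactive/batch/service) are local
        LogonProcess  = $d['LogonProcessName']
        AuthPackage   = $d['AuthenticationPackageName']
        CallerPid     = $d['ProcessId']          # hex string, e.g. 0x1a4; 0x0 for network logons
        CallerProcess = $d['ProcessName']
        SubStatus     = $d['SubStatus']          # 0xC0000064 = user name does not exist
    }
} | Where-Object { $_.TargetUser -eq $Account }

# Keep attempts that originate on this host: loopback source, no source, or a recorded caller.
$local = $rows | Where-Object {
    $_.IpAddress -in @('::1', '127.0.0.1', '-') -or $_.CallerPid -ne '0x0'
}

"Failed logons for '$Account' in the last $Hours h: $($rows.Count) total, $($local.Count) local"
$local | Group-Object CallerProcess, LogonType, LogonProcess | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Map each distinct caller PID to a live process and any service hosted in it.
$local | Where-Object { $_.CallerPid -and $_.CallerPid -ne '0x0' } |
    Select-Object -ExpandProperty CallerPid -Unique | ForEach-Object {
        $callerPid = [convert]::ToInt32($_, 16)
        $proc = Get-Process -Id $callerPid -ErrorAction SilentlyContinue
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $callerPid" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid      = $callerPid
            Process  = $proc.ProcessName
            Path     = $proc.Path
            Services = ($svc.Name -join ',')
        }
    } | Format-Table -AutoSize
```

A caller PID only resolves while the process is still running, so schedule the query close to the times the attempts recur; an empty CallerProcess with a '::1' source usually means the credential was passed to LSASS by a component that does not show up as its own process (for example a scheduled task or COM activation), which is what Process Monitor is good at catching.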