When checking a locked-out account in AD, I used ID 4776 to pull the failed-logon messages, to find out which computer the logon attempts were coming from.
The result showed, in the Source Workstation field, a computer name I had never seen, and I couldn't ping it either, which seemed odd.
That reminded me of an earlier case where the Source Workstation field was blank; back then I kept digging in Event Viewer for the NTLM log and found the relevant messages there.
So this time I also looked in the NTLM log, and found it: in the failed-logon entries the NTLM log records, besides the Source Workstation, there is an additional Secure Channel Name field, and the name shown there is the correct computer name.
As for why the Source Workstation is a strange name, I don't know the reason yet.
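One way to automate the correlation described above, as an added example that is not part of the original post. It assumes the script runs on the domain controller that logged the lockout, that NTLM auditing is enabled so the Microsoft-Windows-NTLM/Operational log contains event 8004 (a Windows event whose WorkstationName and SChannelName fields are the two names the post compares), and that `$Account` is the locked-out user's sAMAccountName; the two-second matching window is this example's own choice.

```powershell
# Added example, not code from the original post. Assumptions: run on the domain
# controller that recorded the lockout; the audit policy "Network security:
# Restrict NTLM: Audit NTLM authentication in this domain" is enabled so that
# Microsoft-Windows-NTLM/Operational receives event 8004; $Account is the
# sAMAccountName of the locked-out user.
param(
    [Parameter(Mandatory)][string]$Account,
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Flatten one event record's EventData into an object keyed by field name.
function ConvertTo-EventObject {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $o = [ordered]@{ Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
    [pscustomobject]$o
}

# 1. Security log, ID 4776: the Workstation field is whatever name the client put
#    into the NTLM request, so it can be blank or a name nobody recognises.
$cred = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventObject $_ } |
    Where-Object { $_.TargetUserName -eq $Account -and $_.Status -ne '0x0' }

# 2. NTLM operational log, ID 8004: the DC records the claimed WorkstationName and
#    SChannelName, the domain member that forwarded the request over its own secure
#    channel. That name comes from the channel, not from the client's request.
$ntlm = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventObject $_ } |
    Where-Object { $_.UserName -eq $Account }

# 3. Pair each failed 4776 with the 8004 event logged within two seconds of it.
foreach ($c in $cred) {
    $match = $ntlm |
        Where-Object { [math]::Abs(($_.Time - $c.Time).TotalSeconds) -le 2 } |
        Select-Object -First 1
    $channel = if ($match) { $match.SChannelName } else { '(no matching 8004 event)' }
    [pscustomobject]@{
        Time               = $c.Time
        Status             = $c.Status
        ClaimedWorkstation = $c.Workstation
        SecureChannelName  = $channel
    }
}
```

Rows where ClaimedWorkstation and SecureChannelName differ are the cases the post describes; the secure channel name is the computer to inspect next (scheduled tasks, mapped drives, stored credentials) for the stale password driving the lockout.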