JSI Tip 7144. How do I use the EventCombMT tool to search multiple computers for account lockout events?

Jerold Schulman

September 7, 2003


The EventCombMT.exe utility, included in the Account Lockout and Management Tools, is a multithreaded tool that can search the event logs of multiple computers from a central location, like your workstation.

You can specify the following parameters:

- Individual event IDs
- Multiple event IDs
- A range of event IDs
- An event source
- Specific event text
- How many minutes, hours, or days back to scan

Some search categories are built-in, such as Account Lockouts. The Account Lockouts search is preconfigured to include event IDs 529, 644, 675, 676, and 681. You can add event ID 12294 to search for potential attacks against the Administrator account.

Download ALTools.exe.

To search event logs for account lockouts:

1. Start EventCombMT.exe.

2. Press Set Output Directory from the Options menu, and select a folder or press Make New Folder. Press OK when you finish configuring the Output Directory.

3. On the Searches menu, select Built In Searches, and press Account Lockouts.

4. The Select To Search/Right Click To Add box is populated with all the domain controllers in your domain. You can right-click in the box to modify the list of computers.

5. The Event IDs box contains 529 644 675 676 681. After the 681, you can add a space, followed by 12294.

6. In the Scan Back box, select Minutes, Hours, or Days, and type a value.

7. Select the computers you want to search in the Select To Search/Right Click To Add box.

8. Press Search.

9. When the search is finished, the Output Directory opens and you can view the results there. You can import the files into a spreadsheet or database.
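Once the results from step 9 are in a spreadsheet or database, a short script can summarize them by account. The following is an added example, not part of the original tip or of ALTools: the CSV column layout (`computer,event_id,time,account`), the sample rows, and the function names are assumptions made for illustration and do not reflect EventCombMT's own output format.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Event IDs named in the tip: the built-in Account Lockouts search plus 12294.
LOCKOUT_IDS = {529, 644, 675, 676, 681, 12294}

# Constructed sample rows; the column layout is an assumption, not EventCombMT's format.
SAMPLE = """computer,event_id,time,account
DC01,529,2003-09-07 09:58:10,jsmith
DC01,529,2003-09-07 09:58:12,jsmith
DC02,675,2003-09-07 09:58:15,jsmith
DC01,644,2003-09-07 09:58:20,jsmith
DC02,12294,2003-09-07 09:59:01,Administrator
DC01,529,2003-09-05 14:00:00,mbrown
DC02,538,2003-09-07 09:59:30,jsmith
"""

def summarize(csv_text, now, scan_back):
    """Count lockout-related events per (account, event ID) inside the scan-back window."""
    cutoff = now - scan_back
    counts = Counter()
    computers = {}  # account -> set of computers that logged events for it
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["event_id"])
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if event_id not in LOCKOUT_IDS or when < cutoff:
            continue  # unrelated event, or older than the scan-back window
        account = row["account"].lower()
        counts[(account, event_id)] += 1
        computers.setdefault(account, set()).add(row["computer"])
    return counts, computers

def accounts_to_review(counts):
    """Accounts with a lockout event (644) or an Administrator-related event (12294)."""
    return sorted({acct for (acct, eid) in counts if eid in (644, 12294)})

if __name__ == "__main__":
    now = datetime(2003, 9, 7, 10, 0, 0)  # fixed clock so the sample is reproducible
    counts, computers = summarize(SAMPLE, now, timedelta(hours=1))
    for (acct, eid), n in sorted(counts.items()):
        print(f"{acct:15} event {eid:<6} x{n}  seen on {sorted(computers[acct])}")
    print("review:", accounts_to_review(counts))
```

Grouping by account across all searched domain controllers shows whether the failures that preceded a lockout came through one computer or several.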


