how to track machine name from where user is trying to login and have a bad password and it's lookin

as active directory information is used to log in documentum. I believe that we do have someone using idql32.exe with a hardcode username and old password.

and associated to a schedule task

that's is causing the hardcode user to have his account locked in AD ever 2 hours. And the Active Director administrator informs that the lock comes from a PROXY (server/user) and that makes impossible to trace what machine is causing the lock.

So any audit that can be turn on for a couple hours to discover this?

Thanks.

Find more posts tagged with

Comments

DCTM_Guru

AFAIK, since a session is never established (b/c bad password), this information is NOT captured. Is this a real user or user account used by system/applications?

mszurap

Start your Content Server with the "-otrace_authentication" flag (put it in dm_start_DOCBASENAME.sh script where it starts ./documentum ... or in Windows in the Server Configuration Program). This will show you the failed authentication attempts in the server log. This way you will have timestamps for it and it should print out the client host also.

You will have lines like these:

Thu Sep 23 08:45:43 2010 230000: 1248[2464] AT 2464: Start-AuthenticateUser: ClientHost(dctm66), LogonName(myuser), LogonOSName(docadmin), LogonOSDomain(DCTM66), UserExtraDomain(), ServerDomain(dctm66)

...

Thu Sep 23 08:45:43 2010 417000: 1248[2464] AT 2464: End-AuthenticateByPassword:

Thu Sep 23 08:45:43 2010 417000: 1248[2464] AT 2464: success (or failure)

Mike

DCTM_Guru

Thanks Mike for your input. I always say I learn something new everyday.