- Individual event IDs
- Multiple event IDs
- A range of event IDs
- An event source
- Specific event text
- How many minutes, hours, or days back to scan
To download the EventCombMT utility, visit the following Microsoft Web site:Note The EventCombMT utility is included in the Account Lockout and Management Tools download (ALTools.exe).
To search the event logs for account lockouts, follow these steps:
- Start EventCombMT.
- On the Options menu, click Set Output Directory, select an existing folder, or click New Folder to create a new folder to save the output to, and then click OK.
Note If you do not specify an output directory, the default location is C:\Temp.
- On the Searches menu, point to Built In Searches, and then click Account Lockouts.
All domain controllers for the domain appear in the Select To Search/Right Click To Add box. Also, in the Event IDs box, you see that event IDs 529, 644, 675, 676, and 681 are added.
- In the Event IDs box, type a space, and then type 12294 after the last event number.
- In the Options menu, select Set Date Range.
- In the From box, choose your start date and time.
- In the To box, choose your end date and time, and then click OK.
- Click Search.
- To search other computers (non-domain controllers) for account lockout events, right-click the Select To Search/Right Click To Add box, and then click Remove Selected Servers From List. To add computers to search, right-click the Select To Search/Right Click To Add box, and then click one of the options. For example, to add computers one at a time, click Add Single Server. Click the server or servers that you want to search, and then click Search.
For more information about the EventCombMT utility, see the Help files that are included with the tool.
Article ID: 824209 - Last Review: Feb 15, 2017 - Revision: 3