How to use the EventCombMT utility to search event logs for account lockouts
This article describes how to use the EventCombMT utility (EventCombmt.exe) to search the event logs of multiple computers for account lockouts.
EventCombMT is a multithreaded tool that you can use to search the event logs of several different computers for specific events, all from one central location. You can configure EventCombMT to search the event logs in a very detailed fashion. The following are some of the search parameters that you can specify:
- Individual event IDs
- Multiple event IDs
- A range of event IDs
- An event source
- Specific event text
- How many minutes, hours, or days back to scan
To download the EventCombMT utility, visit the following Microsoft Web site:
Note The EventCombMT utility is included in the Account Lockout and Management Tools download (ALTools.exe).
To search the event logs for account lockouts, follow these steps:
- Start EventCombMT.
- On the Options menu, click Set Output Directory, select an existing folder (or click New Folder to create a new folder for the output), and then click OK.
Note If you do not specify an output directory, the default location is C:\Temp.
- On the Searches menu, point to Built In Searches, and then click Account Lockouts.
All domain controllers for the domain appear in the Select To Search/Right Click To Add box. Also, in the Event IDs box, you see that event IDs 529, 644, 675, 676, and 681 are added.
- In the Event IDs box, type a space, and then type 12294 after the last event number.
- On the Options menu, click Set Date Range.
- In the From box, choose your start date and time.
- In the To box, choose your end date and time, and then click OK.
- Click Search.
- To search other computers (non-domain controllers) for account lockout events, right-click the Select To Search/Right Click To Add box, and then click Remove Selected Servers From List. To add computers to search, right-click the Select To Search/Right Click To Add box, and then click one of the options. For example, to add computers one at a time, click Add Single Server. Click the server or servers that you want to search, and then click Search.
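The same search can also be scripted. The following Windows PowerShell script is an added example, not part of the original article or of EventCombMT: it collects the event IDs listed above from several computers for a date range and writes them to one CSV file. The computer names, dates, and output file name are placeholders, and the split of event IDs between the Security and System logs is this example's assumption.

```powershell
# Added example: scripted counterpart of the Account Lockouts built-in search.
# Uses Get-EventLog, which ships with Windows PowerShell and reads classic event logs.
# Computer names, dates and the output file name are placeholders (assumptions).
$Computers = 'DC01', 'DC02'
$From      = Get-Date '2006-10-01 00:00'
$To        = Get-Date '2006-10-02 00:00'
$OutDir    = 'C:\Temp'   # same folder EventCombMT uses by default

# Event IDs from the article. Assumption of this example: 12294 is logged by
# SAM in the System log; the other IDs are Security log events.
$Searches = @(
    @{ Log = 'Security'; Ids = 529, 644, 675, 676, 681 },
    @{ Log = 'System';   Ids = @(12294) }
)

$results = foreach ($computer in $Computers) {
    foreach ($search in $Searches) {
        try {
            # Filter on EventID after retrieval: -InstanceId can carry severity
            # bits for non-Security sources and would miss such events.
            Get-EventLog -LogName $search.Log -ComputerName $computer `
                         -After $From -Before $To -ErrorAction Stop |
                Where-Object { $search.Ids -contains $_.EventID } |
                Select-Object @{ n = 'Computer'; e = { $computer } },
                              @{ n = 'Log';      e = { $search.Log } },
                              TimeGenerated, EventID, Source, Message
        }
        catch {
            # An unreachable computer, missing read access, or an empty time
            # window ("No matches found") is reported here and the loop continues.
            Write-Warning "$computer / $($search.Log): $($_.Exception.Message)"
        }
    }
}

$results |
    Sort-Object TimeGenerated |
    Export-Csv -Path (Join-Path $OutDir 'AccountLockouts.csv') -NoTypeInformation
```

Run it from an account that can read the Security log on each target computer.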
For more information about the EventCombMT utility, see the Help files that are included with the tool.
Article ID: 824209 - Last Review: 10/30/2006 21:26:06 - Revision: 4.2
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows 2000 Server