Hi all,
Recently there was an incident at my end where multiple AD accounts got locked within a very short period of time. Upon doing checks on the AD server under security logs, i can see the event id 4740 which indicate the "caller computer name" which is just a hostname that cause my accounts to get locked but there is no ip address. Through event 4776 i can also see the source workstation which is of the same hostname as that in id 4740 and again no ip address, also saw errorcode oxc000006a and keyword audit failure which probably means the password is wrong. Is there another event id that i can check for ip address of this hostname that kept having authentication failure attempts of my accounts resulting in locking of my AD accounts? TIA!