PROBLEM: A couple of users' accounts keep getting locked in our domain controller (Win2008R2). The users are very mobile - that means they use their laptop, multiple PCs, iPad and/or smartphone to connect to the domain. They also remain logged in simultaneously from multiple machines.
QUESTION: What I am trying to do is find out from which IP address they are actually getting locked. The DC's Security log is not showing the workstation for [Source=Microsoft Windows security, Task Category: Account Lockout, Event ID: 4625, Keyword: Audit Failure]. I have to run Wireshark from the DC, which already receives too many packets from all domain machines. So I have to run Wireshark with a filter to capture only packets from a certain user ID (i.e. Domain\JohnDoe or JohnDoe@domain.com).
Among all the filters available, is there a filter for user ID?
Thanks in advance.
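The following is an added example (not part of the original post) showing how the username can be matched on the wire. A BPF capture filter (`-f`) cannot match a username, because it only sees IP/port headers; the account name is inside the Kerberos AS-REQ/TGS-REQ `cname` (field `kerberos.CNameString`) or the NTLMSSP AUTHENTICATE message (field `ntlmssp.auth.username`), so it has to be a display filter (`-Y`). To keep the load on the DC down, the script combines a cheap port-based capture filter with the per-user display filter. It assumes `tshark` is installed and that the interface name is supplied by the caller; the username `johndoe` is a constructed sample. (Separately, the DC's event 4740 "A user account was locked out" records the Caller Computer Name, which is often the quickest way to find the offending machine.)

```shell
#!/bin/sh
# Added example, not from the original post. Builds a Wireshark/tshark display
# filter for one account's authentication traffic and optionally runs tshark.

# Display filter matching every Kerberos or NTLM authentication packet that
# names the given sAMAccountName (e.g. johndoe). Kerberos carries it as cname;
# NTLM carries it in the NTLMSSP AUTHENTICATE message.
build_user_filter() {
    user="$1"
    printf '%s' "kerberos.CNameString == \"$user\" || ntlmssp.auth.username == \"$user\""
}

# Narrower filter for the Kerberos replies that actually count toward a lockout:
# KRB-ERROR with KDC_ERR_PREAUTH_FAILED (24, bad password) or
# KDC_ERR_CLIENT_REVOKED (18, account already locked). The cname field is
# optional in KRB-ERROR per RFC 4120, but Windows KDCs normally echo it.
build_failure_filter() {
    user="$1"
    printf '%s' "kerberos.CNameString == \"$user\" && (kerberos.error_code == 24 || kerberos.error_code == 18)"
}

# Run tshark on the DC with a cheap BPF capture filter (Kerberos 88, SMB 445,
# LDAP 389 where NTLM over LDAP may arrive) so the DC does not dissect every
# packet, then apply the per-user display filter and print one line per hit:
# time, client IP, DC IP, Kerberos message type and error code, NTLM user.
capture_user_auth() {
    iface="$1"
    user="$2"
    tshark -i "$iface" -l \
        -f "port 88 or port 445 or port 389" \
        -Y "$(build_user_filter "$user")" \
        -T fields -e frame.time -e ip.src -e ip.dst \
        -e kerberos.msg_type -e kerberos.error_code -e ntlmssp.auth.username
}

# Usage: sh thisscript.sh run <interface> <username>
if [ "$#" -ge 3 ] && [ "$1" = "run" ]; then
    capture_user_auth "$2" "$3"
fi
```

The `ip.src` column of each matching AS-REQ (or of the KRB-ERROR's `ip.dst`) is the address of the device that is still presenting the old password; when a user has several devices, the one that keeps appearing with error code 24 is the one to fix.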