G
Guest
Hi,
We recently set up an audit policy to audit failed account logon events for
our domain controllers. If I look at the logs, I can see Event ID 675 for
the failed logons. However, when I look at the detail, the Client IP address
does not have the address of the client, but instead the IP of one of the
domain controllers (and often not even the closest DC). For example, I
deliberately entered a bad password to log onto a client at IP address
192.168.22.126. The Security log on the local DC showed Event ID 675 for the
userID I used, but the Client IP address shows as 192.168.7.17 which is a DC
at a remote location.
Can anyone help me understand why this is happening?
Thanks so much!
We recently set up an audit policy to audit failed account logon events for
our domain controllers. If I look at the logs, I can see Event ID 675 for
the failed logons. However, when I look at the detail, the Client IP address
does not have the address of the client, but instead the IP of one of the
domain controllers (and often not even the closest DC). For example, I
deliberately entered a bad password to log onto a client at IP address
192.168.22.126. The Security log on the local DC showed Event ID 675 for the
userID I used, but the Client IP address shows as 192.168.7.17 which is a DC
at a remote location.
Can anyone help me understand why this is happening?
Thanks so much!