Channel: Directory Services forum

Account lockout through LDAP connection


We have various applications that bind to our DCs using a certain LDAP account we create for them. Let's call the account LDAP01. This account has read privs in the domain and is only used to bind to AD, so that it can then pass through the credentials of the real user that is using the application. Let's call the user User01. This is done so that the application can use AD as the central repository for authentication and authorization. It also means that the application owners do not have to administer local application-specific accounts for all the application users.

What happens sometimes is that one of these users using an application that uses LDAP binds becomes locked. It almost always means that the user has his password typed in incorrectly somewhere in the application (say on a scheduled task or job that the application runs under the user's account). The problem is the user will have his account locked and can't figure out where the password was typed in incorrectly.

I can go through the security log and find this error (event id 4776), where DC03 is the DC that they are bound to with the LDAP01 account:

The domain controller attempted to validate the credentials for an account.

Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    User01
Source Workstation:    DC03
Error Code:    0xc000006a

So that is great and all, and I'm seeing when the bad passwords were attempted, but since the "Source Workstation" is the DC that the LDAP01 account binds to, I have no way of telling what the REAL source IP was.  This is because the LDAP bind could have come from anywhere, and the error only shows the DC that the account bound to.

Does anybody have a way of telling where the LDAP bind was coming from?  (other than network captures, which I don't much feel like doing)
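An added triage script (not from the forum post, and not a Microsoft tool) that does by code what the poster is doing by hand in the Security log: it reads 4776 records exported from a DC, groups the failed validations for one account by the Source Workstation field, and flags the groups where that workstation is itself a domain controller, which is the pass-through bind pattern described above where the real LDAP client is never recorded. The XML layout is the standard Windows event schema; the export command is assumed to be `wevtutil qe Security /q:"*[System[EventID=4776]]" /f:xml`, and the sample records, host names (DC01, DC03, WS-FIN-07) and timestamps are constructed.

```python
"""Group event 4776 credential-validation failures for one account by the
Source Workstation that reported them, and flag groups where that workstation
is a domain controller (the pass-through LDAP bind pattern from the post).

Added example, not code from the forum post or from Microsoft. Assumes the
records were exported with `wevtutil qe Security /q:"*[System[EventID=4776]]"
/f:xml` (real tool, standard event schema); the sample records, host names and
timestamps below are constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Status values as they appear in a 4776 record (compared case-insensitively).
STATUS_WRONG_PASSWORD = "0xc000006a"   # the value shown in the post
STATUS_ACCOUNT_LOCKED = "0xc0000234"   # reported once the lockout threshold is hit


def _rec(time, dc, account, workstation, status):
    """Build one constructed 4776 record in the Windows event XML layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>4776</EventID><TimeCreated SystemTime="{time}"/>'
        f'<Computer>{dc}.corp.example</Computer></System><EventData>'
        '<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>'
        f'<Data Name="TargetUserName">{account}</Data>'
        f'<Data Name="Workstation">{workstation}</Data>'
        f'<Data Name="Status">{status}</Data></EventData></Event>\n'
    )


# Constructed export: three pass-through failures for User01 reported by DC03
# itself, one failure from a real workstation, one successful validation of the
# bind account, and one failure for an unrelated account.
SAMPLE_EXPORT = "".join([
    _rec("2024-03-01T08:00:01Z", "DC03", "User01", "DC03", "0xc000006a"),
    _rec("2024-03-01T08:05:01Z", "DC03", "User01", "DC03", "0xc000006a"),
    _rec("2024-03-01T08:10:01Z", "DC03", "User01", "DC03", "0xC000006A"),
    _rec("2024-03-01T08:12:30Z", "DC01", "User01", "WS-FIN-07", "0xc000006a"),
    _rec("2024-03-01T08:15:00Z", "DC03", "LDAP01", "DC03", "0x0"),
    _rec("2024-03-01T08:15:01Z", "DC03", "User02", "DC03", "0xc000006a"),
])


def parse_4776_events(xml_text):
    """Parse a wevtutil XML export into dicts with the fields the post relies on."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # wrap the record stream
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        if system.findtext("e:EventID", namespaces=NS) != "4776":
            continue
        event_data = ev.find("e:EventData", NS)
        data = {} if event_data is None else {
            d.get("Name"): (d.text or "") for d in event_data.findall("e:Data", NS)
        }
        events.append({
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "dc": system.findtext("e:Computer", namespaces=NS),   # DC that logged it
            "account": data.get("TargetUserName", ""),            # "Logon Account"
            "workstation": data.get("Workstation", ""),           # "Source Workstation"
            "status": data.get("Status", "").lower(),             # "Error Code"
        })
    return events


def summarize_failures(events, account, dc_names):
    """Count failed validations for `account` per Source Workstation; a
    workstation that is one of our DCs means a pass-through bind."""
    dcs = {d.upper() for d in dc_names}
    by_ws = defaultdict(list)
    for e in events:
        if e["account"].lower() != account.lower():
            continue
        if e["status"] not in (STATUS_WRONG_PASSWORD, STATUS_ACCOUNT_LOCKED):
            continue
        by_ws[e["workstation"].upper()].append(e)
    return [
        {
            "workstation": ws,
            "count": len(evs),
            "first": min(x["time"] for x in evs),
            "last": max(x["time"] for x in evs),
            "pass_through": ws in dcs,
        }
        for ws, evs in sorted(by_ws.items())
    ]


def describe(rows):
    """One line per source saying what the Security log can and cannot tell you."""
    lines = []
    for r in rows:
        if r["pass_through"]:
            where = (f"reported by {r['workstation']} itself (a DC): an LDAP client bound "
                     "with the service account and passed the user's credentials "
                     "through; the Security log does not record that client's address")
        else:
            where = f"direct attempt from host {r['workstation']}"
        lines.append(f"{r['count']} failure(s) {r['first']}..{r['last']}: {where}")
    return lines


if __name__ == "__main__":
    rows = summarize_failures(parse_4776_events(SAMPLE_EXPORT), "User01",
                              ["DC01", "DC02", "DC03"])
    for line in describe(rows):
        print(line)
```

Run it over an export collected from each DC (the records from a given DC only cover binds that reached that DC). A row flagged `pass_through` tells you which DC the application bound to and when the bad attempts happened, nothing more: the Security log carries no client address for this pattern. Windows DCs can log the client address of simple binds that arrive without TLS, and of unsigned SASL binds, as Directory Service event 2889 once the "16 LDAP Interface Events" diagnostic level is raised; binds protected by TLS or signing are not reported there, so for those the remaining lead is the set of application hosts that are configured with the LDAP01 account.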

