IT: Active Directory Checking Locked Accounts, Eventviewer Using Powershell (GPO Audit)

  • Published: 20 Aug 2024

Comments • 30

  • @stevensitsupport
    @stevensitsupport 5 months ago +5

    What is an OUI?
    The first three sets of two hexadecimal numbers in a MAC Address identify the card manufacturer, and this number is called OUI (organizationally unique identifier). It is always the same for NICs manufactured by the same company. Let's say a network card manufactured by Dell has a physical address: 00-14-22-04-25-37. In this address, 00-14-22 is Dell's OUI, which identifies that the device is by Dell. It may be interesting to know that all the OUIs are registered and assigned to the manufacturers by IEEE.

  • @stevensitsupport
    @stevensitsupport 5 months ago +4

    4740(S): A user account was locked out.
    Security ID [Type = SID]: SID of account that performed the lockout operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
    Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.
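An added example, not from the video or from this comment, of pulling the 4740 events described above. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the Security log on the domain controller; it queries the PDC emulator by default because every lockout in the domain is recorded there. The function and parameter names and the sample account `jdoe` are my own; the field names are those of the 4740 event XML, where the locked account is `TargetUserName` and the caller computer name is carried in `TargetDomainName`.

```powershell
# Added example (not from the video or the comment thread).
# Assumes RSAT's ActiveDirectory module and read access to the DC's Security log.
#Requires -Modules ActiveDirectory

function Get-AccountLockoutEvent {
    [CmdletBinding()]
    param(
        # Filter to one sAMAccountName; omit to list every lockout in the window.
        [string]$UserName,
        # How far back to search.
        [int]$Hours = 24,
        # Domain controller to query; defaults to the PDC emulator, which is where
        # every lockout in the domain ends up being recorded.
        [string]$DomainController = (Get-ADDomain).PDCEmulator
    )

    # Filtering server-side keeps this fast even when the Security log is huge.
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent throws when nothing matches, so treat "no events" as an empty result.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Turn the EventData <Data Name="..."> elements into a name -> value table.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

        # In 4740 the locked account is TargetUserName and the device that sent
        # the bad passwords (Caller Computer Name) is stored in TargetDomainName.
        if ($UserName -and $data['TargetUserName'] -ne $UserName) { continue }

        [pscustomobject]@{
            TimeCreated      = $event.TimeCreated
            LockedAccount    = $data['TargetUserName']
            CallerComputer   = $data['TargetDomainName']
            AccountSid       = $data['TargetSid']
            ReportedBy       = $data['SubjectUserName']   # normally the DC's own computer account
            DomainController = $DomainController
        }
    }
}

# Usage: which device locked out 'jdoe' in the last 24 hours, newest first.
Get-AccountLockoutEvent -UserName 'jdoe' -Hours 24 |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

The `CallerComputer` value is the hostname the DC saw, so a name that does not resolve to a workstation (an access point, a printer, a mobile device) is the cue to go looking for a saved credential on that device.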

  • @regs_j
    @regs_j 5 months ago +1

    Good video Kev, PowerShell is awesome. I've been learning over the past 5 months and it's very useful.

  • @In_Space_Khalil
    @In_Space_Khalil 5 months ago +1

    Thank you for all of your great content, Kev.🤙🏾

  • @tonysmith9316
    @tonysmith9316 5 months ago +1

    Here from LinkedIn
    Thanks Kev

  • @christophercahall3092
    @christophercahall3092 5 months ago +1

    Installed Sysmon and created an index file to feed to Splunk, another good project to work on.

  • @HieuNguyen-mz7oy
    @HieuNguyen-mz7oy 5 months ago +2

    Thank you Kev!

  • @rasull
    @rasull 5 months ago +1

    Filter the Security log for 4740 in Event Viewer if there are lots of logs.

  • @MyTechJourney15
    @MyTechJourney15 5 months ago +1

    Great info! I’m curious though what was the specific job role that you were interviewing for when they asked about event viewer?

  • @erikcoronel268
    @erikcoronel268 5 months ago +1

    Thank you! Could you share the PowerShell commands please?

    • @KevtechITSupport
      @KevtechITSupport 5 months ago

      Put it on Google Drive: drive.google.com/drive/folders/1roo_TlZeBPxxKAi-acK650a1AGBHECHM?usp=sharing

  • @bhaskarjoshi3440
    @bhaskarjoshi3440 5 months ago +1

    Sir, please make videos on FSMO roles with practical demos.

  • @octoberscott3912
    @octoberscott3912 4 months ago

    Hello Kev, thank you for this video. I couldn’t see the commands on my end. Can you provide a screenshot of the PS commands you used in this video, please? Thanks!

    • @KevtechITSupport
      @KevtechITSupport 4 months ago

      drive.google.com/drive/folders/1roo_TlZeBPxxKAi-acK650a1AGBHECHM?usp=drive_link

  • @4ever1331
    @4ever1331 5 months ago

    I'm so glad you did this video. I have a user locking up multiple times a week. Can you share the Notepad command if possible? Thanks always Kevin!

    • @KevtechITSupport
      @KevtechITSupport 5 months ago

      It's in the comment section. Someone just asked about it.

  • @jgsource552
    @jgsource552 5 months ago +1

    Hi Kev, just curious. Would you say it's easier to get into a sysadmin role or into cybersecurity nowadays if you have experience working in help desk? Both look very interesting to me.

    • @KevtechITSupport
      @KevtechITSupport 5 months ago +1

      System admin, yes. Cybersecurity is a lot harder.

  • @techytech3487
    @techytech3487 5 months ago +1

    5:50

  • @stevensitsupport
    @stevensitsupport 5 months ago

    dnschecker.org/mac-lookup.php?query=0-11-22-33-44-55 -- What we do at work is use this website, which I found was pretty good. Once people find out what device is locking you out, they can send you the MAC address, and then the first three groups of that MAC address will tell you what the manufacturer is. Then maybe you can go ahead and track down the device once you know whether it's a laptop or desktop, or if the network interface card is coming from an access point. That way you can maybe get a little better understanding of where you're getting locked out from.
    Like if it's an access point you're getting locked out from, it could be your phone that's doing it. Maybe you put your username and password in for your work to get on the Internet, and for some reason you forgot to change it once you changed your password. We've also seen people at work use it for TVs to get them Internet access, and they forget about it, and they go ahead and change their password after the 90 days, and they get repeated lockouts. That's why you gotta ask all the questions to the user, or the techs themselves: did they log into a device 30 days ago, 60 days ago, whatever, a TV, their phone, a certain desktop or laptop that's sitting around the office that maybe you just didn't reboot. So these are all the things you got to look out for when you're dealing with account lockouts. First you got to find out what the device is; if you don't have access to that, the help desk should find out from the networking department, or the Active Directory department could look and see what device is locking you out with some other special software that they may have to find this out for you.
    And yes, even us techs get locked out too. Case in point: the place that I work, I get calls every day from techs saying unlock their account because they forgot where they logged into and they don't really remember. They have to call up to the help desk and get it tracked to see what device is locking them out. Just remember it's not all about the user; it's the techs too. You gotta keep in mind when you log into something, and that's why I always like to restart the computer after I'm done with it. That way it's nice and clean and I know I've been logged out. Thank you, I hope this information helps.
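An added example, not from this comment or from the OUI definition earlier in the thread, that does the first step of the workflow both describe: normalise a MAC address in whatever separator style it arrives in, pull out the OUI, and look it up. The OUI table is a short constructed excerpt holding only the 00-14-22 prefix quoted earlier; `Import-OuiTable` parses the IEEE oui.txt format so the full registry can be loaded instead. Function names are my own. It also flags locally administered addresses, which is what the randomised Wi-Fi MACs on phones look like and why an OUI lookup on such an address says nothing about the vendor.

```powershell
# Added example; nothing here is from the video or the comments.
# Constructed excerpt of the IEEE OUI registry, keyed by the first three octets.
$script:OuiTable = @{
    '00-14-22' = 'Dell Inc.'   # prefix quoted in the OUI comment above
}

function Import-OuiTable {
    # Load the real registry from IEEE's oui.txt, whose data lines look like:
    #   00-14-22   (hex)        Dell Inc.
    param([Parameter(Mandatory)][string]$Path)
    $table = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*([0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2})\s+\(hex\)\s+(.+?)\s*$') {
            $table[$Matches[1].ToUpper()] = $Matches[2]
        }
    }
    $script:OuiTable = $table
}

function Get-MacVendor {
    param([Parameter(Mandatory)][string]$MacAddress)

    # Strip separators so 00-14-22-04-25-37, 00:14:22:04:25:37, 0014.2204.2537
    # and 001422042537 all normalise to the same twelve hex digits.
    $hex = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Not a valid MAC address: '$MacAddress'" }

    $octets = for ($i = 0; $i -lt 12; $i += 2) { $hex.Substring($i, 2) }
    $oui    = $octets[0..2] -join '-'

    # Bit 1 of the first octet = locally administered (randomised or admin-set),
    # bit 0 = multicast. Neither kind of address carries a vendor OUI.
    $firstOctet          = [Convert]::ToByte($octets[0], 16)
    $locallyAdministered = ($firstOctet -band 0x02) -ne 0
    $multicast           = ($firstOctet -band 0x01) -ne 0

    $vendor = if ($locallyAdministered) { '(locally administered - no vendor OUI)' }
              elseif ($script:OuiTable.ContainsKey($oui)) { $script:OuiTable[$oui] }
              else { '(unknown - not in loaded table)' }

    [pscustomobject]@{
        MacAddress          = $octets -join '-'
        Oui                 = $oui
        Vendor              = $vendor
        LocallyAdministered = $locallyAdministered
        Multicast           = $multicast
    }
}

# Usage
Get-MacVendor '00-14-22-04-25-37'   # resolves to Dell Inc. from the excerpt table
Get-MacVendor '02:14:22:04:25:37'   # locally administered: vendor lookup is not meaningful
```

A locally administered result is itself a lead: it usually means a phone or tablet with MAC randomisation on, so the DHCP lease or wireless controller session, not the vendor prefix, is what identifies the device.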

  • @bulcub
    @bulcub 5 months ago +1

    In the real world, phone jockeys don't have access to GPO! You will have limited access to AD and def not DNS or DHCP! You only have access to high level when you are a Sr Desktop person. Now if you can remote into that user's PC, then you can check the Event Viewer etc. Also 95% of phone jockeys don't know how to use PowerShell, and if they did, they would be working for someone else who is paying for that COVETED SKILL SET. If the standard is still the same, as a phone jockey you are responsible for 80% break/fix? Which has been in effect since 1993. Prob b4 you were born.

  • @bulcub
    @bulcub 5 months ago +1

    Why use PowerShell for all of that? Too much! AD/user comp/username and you will see if they are locked out. If so, unlock, issue perm to change pw and move on.

    • @KevtechITSupport
      @KevtechITSupport 5 months ago +2

      Just showing an alternative way of doing it using PowerShell, since everyone wants to see more PowerShell videos.

    • @stevensitsupport
      @stevensitsupport 5 months ago +1

      PowerShell rocks when you are unlocking AD user accounts. All you have to do is have RSAT installed and then just use the cmdlet -- unlock-aduser, then the user ID, then press Enter. Takes 1 sec to unlock the account.
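An added example, not the commenter's or the video's code, of the RSAT workflow described above. The ActiveDirectory module's unlock cmdlet is `Unlock-ADAccount`; the wrapper functions, their names and the sample account `jdoe` are assumptions for the illustration. It lists every locked-out user with the lockout time and password state first, so the helpdesk can see whether an expired password is behind repeat lockouts before unlocking, and it supports `-WhatIf`.

```powershell
# Added example (not from the comment or the video).
# Assumes RSAT's ActiveDirectory module and rights to unlock users.
#Requires -Modules ActiveDirectory

function Get-LockedOutUser {
    # Every currently locked-out user, with when it happened and whether the
    # password has also expired (a frequent cause of repeat lockouts).
    Search-ADAccount -LockedOut -UsersOnly |
        Get-ADUser -Properties LockoutTime, PasswordExpired, PasswordLastSet, BadLogonCount |
        Select-Object SamAccountName, Enabled, PasswordExpired, PasswordLastSet, BadLogonCount,
            @{ Name = 'LockoutTime'; Expression = { [DateTime]::FromFileTime($_.LockoutTime) } }
}

function Unlock-LockedOutUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Set when the user should also be made to choose a new password at next logon.
        [switch]$ForcePasswordChange
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut
    if (-not $user.LockedOut) {
        Write-Verbose "$SamAccountName is not locked out; nothing to do."
        return
    }

    # ShouldProcess gives the function -WhatIf and -Confirm for free.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Unlock account')) {
        Unlock-ADAccount -Identity $user
        if ($ForcePasswordChange) {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        }
    }
}

# Usage
Get-LockedOutUser | Format-Table -AutoSize
Unlock-LockedOutUser -SamAccountName 'jdoe' -WhatIf    # dry run: shows what would be unlocked
Unlock-LockedOutUser -SamAccountName 'jdoe' -Verbose   # actually unlocks
```

Unlocking without finding the device that is replaying the old password only buys a few minutes, so the listing step pairs naturally with a 4740 search for the same account.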

    • @stevensitsupport
      @stevensitsupport 5 months ago +2

      What people also have to remember is you need admin rights to the domain controller to see the security event logs from the domain controller. If you do not have that high-level access, you will not be able to see what device is locking you out from the domain controller. Just something to think about when you are running cmdlets to the domain controller. Never stop learning.
