1

One of our disabled admin account credentials is still used to perform (failed) login attempts on some Windows servers from a bunch of other servers. The login attempts were made using Kerberos authentication.

Question: How can I identify on the source servers the scripts/applications responsible for these attempts? Which log source would be the most reliable? Can I put some kind of listener on a particular username?

At the moment I have been investigating in the Event Viewer of the source servers but cannot find any relevant information to my issue.

MedAl

1 Answer

1

Thanks to another post of ner0 I have been able to identify the processes using the credentials with the following command:

schtasks /query /v /fo csv > sched_tasks.csv
MedAl
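
Filtering the exported task list for the disabled account, as an added example that is not part of the original answer. It assumes the English column names that schtasks writes ("HostName", "TaskName", "Run As User", "Task To Run", "Last Run Time"); the function name `Find-TasksRunAs`, the account `svc-oldadmin` and the sample rows are constructed for illustration.

```powershell
# Added example: list scheduled tasks that run as a given (disabled) account.
# Assumptions: English schtasks column names; account and sample rows are constructed.
function Find-TasksRunAs {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,       # rows from Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)] [string]   $SamAccount  # bare account name, without domain
    )
    # Accept the bare name, DOMAIN\name and name@domain forms (-match is case-insensitive).
    $pattern = '^(?:[^\\]+\\)?' + [regex]::Escape($SamAccount) + '(?:@.+)?$'

    $Rows |
        # schtasks repeats the header line for each task folder; drop those rows.
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Where-Object { $_.'Run As User' -match $pattern } |
        # /v emits one row per trigger, so collapse duplicate task entries.
        Sort-Object HostName, TaskName, 'Task To Run' -Unique |
        Select-Object HostName, TaskName, 'Run As User', 'Task To Run', 'Last Run Time'
}

# Constructed sample in the shape of "schtasks /query /v /fo csv" output (columns trimmed).
$sample = @'
"HostName","TaskName","Last Run Time","Task To Run","Run As User"
"SRV01","\Backup\NightlyCopy","01/02/2024 02:00:00","C:\Scripts\copy.cmd","CONTOSO\svc-oldadmin"
"SRV01","\Backup\NightlyCopy","01/02/2024 02:00:00","C:\Scripts\copy.cmd","CONTOSO\svc-oldadmin"
"HostName","TaskName","Last Run Time","Task To Run","Run As User"
"SRV01","\Microsoft\Windows\Defrag\ScheduledDefrag","01/02/2024 01:00:00","%windir%\system32\defrag.exe -c","SYSTEM"
"SRV01","\Reports\Weekly","01/01/2024 06:00:00","powershell.exe -File C:\Scripts\report.ps1","svc-oldadmin@contoso.example"
'@ | ConvertFrom-Csv

Find-TasksRunAs -Rows $sample -SamAccount 'svc-oldadmin' | Format-Table -AutoSize

# Against the real export produced by the command in the answer:
# Find-TasksRunAs -Rows (Import-Csv .\sched_tasks.csv) -SamAccount '<disabled-account>'
```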