Someone on the network is trying to log in to the Windows Server [migrated]
I have a Domain. It has a file sharing Windows Server. The rights to folders are set for domain users. At some point, users began to complain that some files (not all) were disappearing, although the "admins" of these folders did not delete them.
Just in case, I changed the password of the local Administrator on the Server. And set up monitoring in Zabbix of the Security log for events 4648 (login completed) and 4625 (login error). Now I see that sometimes 4625 (Error reason: Unknown user name or incorrect password) slips through for the local user Administrator on the Server. Logon type: 3 (network).
It turns out that someone is accessing the shared folder of the Server over the network, but he does not have rights, so a window pops up asking for login and password, he types, but the password does not work. Is that how it works?
How can I find out from which IP address the network login to the Server is performed?
