In any network, you should know if someone is trying to gain unauthorized access. Novell provides a rather extensively configurable tool, “Intruder Lockout”, which will lock down the account, but ConsoleOne only gives the last IP address of the attempted access. In most cases it’s the legitimate user who calls you to say, “When I try to log in it says something like someone has tried to hack my account and it’s locked up – who was it?”. Therefore, the last IP from ConsoleOne may not be very useful for investigative purposes.
I found a simple and easy way to investigate “Intruder Lockout” history.
This lists each and every recent failed login attempt giving user account name, IP address, date and time.
You therefore have a direct trace to the computer where the failed attempt(s) occurred, and if investigated quickly enough, the issue can often be solved as it happens. If a student is indeed playing around with accounts unauthorized and is confronted, I find news spreads quickly, and the instances diminish if not disappear altogether quickly – at least for a while …
Short version of a very quick and easy setup:
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.