General discussion

Locked

Failed logon attempts do not show up.

By mgonzales ·
We are running a NT 4.0 Network and we discovered that failed logon attempts do not show up in any Domain Controller event logs until the account is locked out.

It is my understanding that all attempts to logon, and it fails, is written to the event logs.

This is not, any help is appreciated.

This conversation is currently closed to new comments.

9 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Failed logon attempts do not show up.

by Ter1-Ter_Forde In reply to Failed logon attempts do ...

You must enable auditing for these specific events. Open User Manager for Domains, click Policies & Audit - here you will see the various audit options for the domain.

Collapse -

Failed logon attempts do not show up.

by mgonzales In reply to Failed logon attempts do ...

Poster rated this answer

Collapse -

Failed logon attempts do not show up.

by Gigelul In reply to Failed logon attempts do ...

The events are registered only when the account policy is forced. Check in User Manager your Account Policy and change it as you need.

Collapse -

Failed logon attempts do not show up.

by Gigelul In reply to Failed logon attempts do ...

You can set here <Account lokout> after 1 bad logon attempt and in additions <Reset counter after> 1 minute or how you wish and you will have all bad logons.

Collapse -

Failed logon attempts do not show up.

by Gigelul In reply to Failed logon attempts do ...

I miss to say that <lokout duration> also must be set to 1 minute or forever(to hard for you).

Collapse -

Failed logon attempts do not show up.

by mgonzales In reply to Failed logon attempts do ...

Poster rated this answer

Collapse -

Failed logon attempts do not show up.

by Shanghai Sam In reply to Failed logon attempts do ...

Failed logon attempt by NT workstations are recorded in the event viewer of the local machine, not on the DC's. The hard way to check attempts would be to access all your workstations event viewer. The easier way is as follows:

This assumes that you have SP6a installed:
Download the Check Build of SP6a to your PDC(the check build contains diagnostic tools for admins that are not included with the regular SP6a).
http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/SP6build/128bitx86/default.asp (There should be no spaces in this url)
From the folder where the SP is saved, run
c<folder>\sp6i386c.exe /x
This will extract the files without installing the SP(make sure you have enough disk space available).
Rename your c:\winnt\system32\netlogon.dll.
Copy the extracted netlogon.dll to the system32 folder.
Run REGEDIT and navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
Change DBFlag to 0x20000004. This will record the logon activity of your domain controllers. Reboot. There should now be a Netlogon.log file in the Winnt\Debug folder.

The codes are as follows:
0xC0000234 User logon with Account Locked.
0xC000006A User logon with Misspelled or bad Password.
0xC0000072 User logon to account disabled by Administrator.
0xC0000193 User logon with Expired Account.
0xC0000070 User logon from unauthorized workstation.
0xC000006F User logon Outside authorized hours.
0xC0000224 User logon with "Change Password at Next Logon" flagged.
0xC0000071 User logon with Expired Password.
0xC0000064 User logon with Misspelled or Bad User Account.
As you can see, all failed attempts are from the Domain Controller's standpoint. Failed logon attempts due to network problems are not recorded because the domain controller has no way of knowing that a client attempted a logon.

Collapse -

Failed logon attempts do not show up.

by mgonzales In reply to Failed logon attempts do ...

Poster rated this answer

Collapse -

Failed logon attempts do not show up.

by mgonzales In reply to Failed logon attempts do ...

This question was closed by the author

Back to Windows Forum
9 total posts (Page 1 of 1)  

Related Discussions

Related Forums