Windows Forum·65,835 discussions

Monitoring User logins and failed logins

Locked

I want to know where all this gets logged.
Does it A get logged on PDC and BDC dependent on what server answers the request ??
If you fail to login to a Domain why does the failure get logged at the Workstation not the PDC or BDC ??
Is there anything within NT that will bring all these events together or do I have to use a third party product. (prefer to do it real time if I can )

Topic

Monitoring User logins and failed logins

In reply to Monitoring User logins and failed logins

OK To begin
1.) If a user fails to logon to a domain because of a network or physical failure it get logged on the PC for the simple reason that there is no network communication for event to get logged to the PDC or BDC.
2.) If you want a record “LOG” of all failures (wrong password, unauthorize attempt, wrong username)or success login attempt you will have to enable auditing & then view the security log of your PDC or BDC.
3.) The Event viewer is a good tool to view the event log of any PCon your network (for the user logged in as Domain Admin for security log).
4.) There are third party utilities out there that can analyze all logs on the network I personally haven’t had any experience with them so I won’t comment

Hope this helps………………….

Monitoring User logins and failed logins

In reply to Monitoring User logins and failed logins

Done it. The event viewer is a good tool, as a single system. But there seems to be no way to pull the info together, at least in real time. The PDC and BDC were available and for the heck of it i turned on all logging but the logging is incosistent. When I tried to logon to the domain i just typed in a bad password so it would fail. No failure was logged on the PDC or BDC but got logged onto the Workstation

Monitoring User logins and failed logins

In reply to Monitoring User logins and failed logins

The answer provided by [email protected] is THE correct answer. Enable auditing. Review your EVENT VIEWER both as a Domain Administrator, and as a particular workstation Administrator. You cannot get the errors to ‘write’ to the domain … ifthe domain was unavailable. You can however, log on to the (remote) workstation as the workstation administrator and view the event log to fix both problems. (why the box didn’t gain domain access, and what the specific problem is).

mlv//Mark LeVeck http://www.chm.net
computer system support 618.593.7439 mailto:[email protected]

Monitoring User logins and failed logins

In reply to Monitoring User logins and failed logins

The domain was available. I failed login by typing in the wrong password while trying to logon to the domain via a NT workstation. With a 98 system the failure was logged on the PDC. The specific problem is that I need to tie the failed and ok logonattempt together for a domain. I have found something that kindof does it but it is based on syslogd and the entries are put into the system log not security. I was hoping that NT could do it itself bubt apparently not.

[Author]

Replies