General discussion

NT 4 domain with W2K Prof workstations

By baboughamer
Will NT 4.0 record security events that occur with a Windows 2000 Professional workstation? For example, if the user account is locked out, will that event ID of 539 show up on the NT 4.0 PDC?

8 total posts (Page 1 of 1)  
NT 4 domain with W2K Prof workstations

by sgt_shultz In reply to NT 4 domain with W2K Prof ...

I actually have your setup! I will try locking a user out and see what gets entered in the event log (hint, hint)
Pretty sure it will have an entry...
Whatcha wanting to know this for anyhow?

NT 4 domain with W2K Prof workstations

by baboughamer In reply to NT 4 domain with W2K Prof ...

Poster rated this answer

NT 4 domain with W2K Prof workstations

by Mike Mullins In reply to NT 4 domain with W2K Prof ...

Events listed in the event log are independent of the O/S causing the event. If you were using a Solaris system to access a Windows account, and the account locked, the event would still register event ID 539.

The event id on the workstation would differ, but the server side events remain the same.

Good Luck,
0bytes

NT 4 domain with W2K Prof workstations

by baboughamer In reply to NT 4 domain with W2K Prof ...

Poster rated this answer

NT 4 domain with W2K Prof workstations

by Joseph Moore In reply to NT 4 domain with W2K Prof ...

If you are asking if the Win2KPro machines will generate events in the Security log on your NT4 PDC, then the answer is yes.
I have the same setup (NT4 PDC/BDCs and many Win2KPro clients, all members of my NT4 flat domain).
When someone logs into one of the Win2KPro machines with their domain user name and an incorrect password, I get an Event ID 529 in the Security log of the PDC. Here is an example of what is recorded:

Event Type: Audit Failure
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/13/2003
Time: 5:57:55 PM
User: SYSTEM
Computer: MYPDC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: USERNAME
Domain: MYDOMAIN
Logon Type: 7
Logon Process: User32
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MYPDC
Data:


Now, I also have account lockouts enabled. When a user logs in incorrectly 3 times in a 30-minute period, their account is locked out. When that happens, I have an Event ID 644 on the PDC's Security logs. That event looks like this:

Event Type: Audit Success
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 1/13/2003
Time: 9:01:09 AM
User: SYSTEM
Computer: MYPDC
Description:
User Account Locked Out:
Target Account Name: USERNAME
Target Account ID: S-1-5-21-635179537-1619929474-1846952604-1399
Caller Machine Name: WORKSTATIONNAME
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)

Data:

NT 4 domain with W2K Prof workstations

by Joseph Moore In reply to NT 4 domain with W2K Prof ...

So, as long as you are auditing Failure Logon Events in the User Manager on your NT4PDC, then you too will get these error messages in your logs from your NT4/2K/XP clients.

hope this helps
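
Added example, not part of the original posts or any poster's code: a Python script that parses Security log records saved as text in the "Field: value" layout quoted above and, for each Event ID 644 lockout, counts that account's Event ID 529 failures in the preceding 30 minutes (the window mentioned in the post) and lists the workstations they came from. The sample records, the account names JDOE and ASMITH, and the workstation names WS01 and WS02 are constructed.

```python
import re
from datetime import datetime, timedelta

def _rec(eid, time, **fields):
    # Build one record in the "Field: value" layout of the events quoted above.
    head = [f"Event ID: {eid}", "Date: 1/13/2003", f"Time: {time}"]
    return "\n".join(head + [f"{k.replace('_', ' ')}: {v}" for k, v in fields.items()])

# Constructed sample data (JDOE, ASMITH, WS01, WS02 are made up).
SAMPLE = "\n\n".join([
    _rec(529, "8:15:00 AM", User_Name="JDOE", Workstation_Name="WS01"),
    _rec(529, "8:40:10 AM", User_Name="JDOE", Workstation_Name="WS01"),
    _rec(529, "8:52:31 AM", User_Name="JDOE", Workstation_Name="WS02"),
    _rec(529, "8:55:00 AM", User_Name="ASMITH", Workstation_Name="WS02"),
    _rec(529, "9:01:05 AM", User_Name="JDOE", Workstation_Name="WS01"),
    _rec(644, "9:01:09 AM", Target_Account_Name="JDOE", Caller_Machine_Name="WS01"),
])

def parse_events(text):
    """Split on blank lines; turn each record's 'Field: value' lines into a dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if {"Event ID", "Date", "Time"} <= rec.keys():
            stamp = f"{rec['Date']} {rec['Time']}"
            rec["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
            events.append(rec)
    return events

def lockout_report(events, window=timedelta(minutes=30)):
    """For each 644 lockout, count the account's 529 failures in the window before it."""
    report = []
    for ev in (e for e in events if e["Event ID"] == "644"):
        user = ev.get("Target Account Name")
        fails = [f for f in events
                 if f["Event ID"] == "529" and f.get("User Name") == user
                 and timedelta(0) <= ev["when"] - f["when"] <= window]
        report.append({"user": user, "locked_from": ev.get("Caller Machine Name"),
                       "failures": len(fails),
                       "workstations": sorted({f.get("Workstation Name", "?") for f in fails})})
    return report

if __name__ == "__main__":
    for row in lockout_report(parse_events(SAMPLE)):
        print(row)
```

The 8:15:00 failure falls outside the 30-minute window, so the JDOE lockout is reported with three failures.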

NT 4 domain with W2K Prof workstations

by baboughamer In reply to NT 4 domain with W2K Prof ...

Upon retesting, the events you have listed above did appear. Thanks again for your help.

NT 4 domain with W2K Prof workstations

by baboughamer In reply to NT 4 domain with W2K Prof ...

This question was closed by the author
