JSI Tip 0701 - How do I track account lockout/bad password logon attempts?

These are very difficult to track because logon attempts from non-Windows NT clients are recorded in the event log of the domain controller that attempts to validate the account, while Windows NT logon attempts are recorded locally.

You can install the Netlogon.dll from the checked build of Service Pack 3 on your PDC to create a log file for all attempts.

After downloading the checked build of the service pack, extract (SP_Name.exe /x) the Netlogon.dll.
Navigate to the %SystemRoot%\System32 folder and rename Netlogon.dll to Netlogon.fre.
Copy the checked version of Netlogon.dll to the %SystemRoot%\System32 folder. Edit:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

and change DBFlag to 0x04 to record the logon or to 0x20000004 to record the logon and a time stamp.

Shut down and restart the PDC.

Confirm you have a %SystemRoot%\Debug folder that contains a Netlogon.log file. The error codes in the log file are:

 Error Code   Meaning
 0xC0000234   User logon with Account Locked. 
 0xC000006A   User logon with Misspelled or bad Password. 
 0xC0000072   User logon to account disabled by Administrator. 
 0xC0000193   User logon with Expired Account. 
 0xC0000070   User logon from unauthorized workstation. 
 0xC000006F   User logon Outside authorized hours. 
 0xC0000224   User logon with "Change Password at Next Logon" flagged. 
 0xC0000071   User logon with Expired Password. 
 0xC0000064   User logon with Misspelled or Bad User Account. 

Only the 0xC0000234 and 0xC000006A entries are important for account lockouts.
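
The following is an added example, not part of the original tip: a Python sketch that scans Netlogon.log lines for the two lockout-relevant codes above and counts them per account and source workstation. The tip does not show the log's line layout, so the layout matched by LINE_RE and the sample lines are assumptions constructed for illustration; adjust the pattern to match your own log.

```python
import re
from collections import Counter

# The two status codes the tip calls important for account lockouts.
REASON = {
    0xC0000234: "account locked",
    0xC000006A: "bad password",
}

# ASSUMED line layout (the tip does not show one); adjust to your log.
LINE_RE = re.compile(
    r"logon of (?P<account>\S+) from (?P<source>\S+) "
    r"Returns (?P<code>0x[0-9A-Fa-f]{1,8})\b"
)

def lockout_events(lines):
    """Yield (account, source, code) for lockout-relevant failures only."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a logon result line in the assumed layout
        code = int(m.group("code"), 16)
        if code in REASON:
            # Account names are case-insensitive, so normalise before counting.
            yield m.group("account").lower(), m.group("source"), code

def summarize(lines):
    """Count failures per (account, source workstation, reason)."""
    counts = Counter()
    for account, source, code in lockout_events(lines):
        counts[(account, source, REASON[code])] += 1
    return counts

# Constructed sample lines in the assumed layout (not real log output).
SAMPLE = r"""
03/14 09:01:10 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS01 Returns 0xC000006A
03/14 09:01:12 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS01 Returns 0xC000006A
03/14 09:01:15 [LOGON] SamLogon: Network logon of EXAMPLE\JSmith from WKS01 Returns 0xC0000234
03/14 09:02:00 [LOGON] SamLogon: Network logon of EXAMPLE\guest from WKS07 Returns 0xC0000072
03/14 09:02:30 [LOGON] SamLogon: Network logon of EXAMPLE\adoe from WKS02 Returns 0x0
""".strip().splitlines()

if __name__ == "__main__":
    for (account, source, reason), n in sorted(summarize(SAMPLE).items()):
        print(f"{account:20} {source:8} {reason:16} {n}")
```

A run of bad-password entries for one account from one workstation, followed by an account-locked entry, points to the machine that caused the lockout.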
