Tip 4108 and links contains Windows 2000 Security Event Descriptions.
The security auditing events related to user authentication appear in the Security event log. The relevant Event IDs are:
EventID Description 514 An authentication package has been loaded by the LSA. 515 A trusted logon process has registered with the LSA. 518 A notification package has been loaded by the Security Account Manager. 528 Successful Logon. 529 Logon Failure: Unknown user name or bad password. 530 Logon Failure: Account logon time restriction violation. 531 Logon Failure: Account currently disabled. 532 Logon Failure: The specified user account has expired. 533 Logon Failure: User not allowed to logon at this computer. 534 Logon Failure: The user has not been granted the requested logon type at this machine. 535 Logon Failure: The specified account's password has expired. 536 Logon Failure: The NetLogon component is not active. 537 Logon Failure: An unexpected error occurred during logon. 538 User Logoff. 539 Logon Failure: Account locked out. 644 User Account Locked Out.Some security events report a SID instead of a user name. Use the SidToName freeware to decode a SID into a user-friendly username.
The reported Logon Type will be one of the following:
2 Interactive 3 Network 4 Batch 5 Service 6 Proxy 7 Unlock WorkstationThe Logon Process will be one the following:
"msv1_0" or "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0": msv1_0.dll, the default authentication package "KSecDD": ksecdd.sys, the security device driver "User32" or "WinLogon\MSGina": winlogon.exe & msgina.dll, the authentication user interface "SCMgr": The Service Control Manager "LAN Manager Workstation Service" "advapi" API call to LogonUser "MS.RADIU": The RADIUS authentication package; a part of the Microsoft Internet Authentication Services (IAS).