Q: Our company would like to know if former employees try to access a domain resource after they've been terminated. Upon termination, we immediately disable a user's account. Is there a way to check the Security event log for logons that failed specifically because the target account is disabled?
A: It depends on whether the logon attempt occurs via the NT LAN Manager (NTLM) authentication protocol or via Kerberos; the event IDs and error codes logged by the two protocols differ. If the authentication attempt is handled by the NTLM authentication protocol, it’s easy to distinguish such logon failures. All you need to do is monitor your domain controllers (DCs) for event ID 680 in Windows Server 2003 (look for event ID 681 in Windows 2000) with failure code 0xC0000072.
Kerberos doesn’t have a single, distinct failure code for logon failures caused by disabled accounts. With Kerberos, logon failures caused by a disabled account produce error code 0x12, but that code can also mean the logon failed because the account was locked out or expired. On Windows 2003 DCs, look for event ID 672 failures with error code 0x12 in the description. On Win2K DCs, look for event ID 676 with error code 0x12.
