Skip navigation

JSI Tip 0441 - Automate detection of Logon failures in a domain environment.

If you have multiple BDCs and/or trust relationships, the logon event may be in any %LogonServer%. Instead of checking all the Security event logs, use the DUMPEL.EXE from the

with a batch file to filter for logon failures:

    @echo off
    Dumpel.exe -s pdcname -l security -m security -e 529 539  >Drive:\Directory\failure.log.txt
    Dumpel.exe -s bdc1name -l security -m security -e 529 539 >>Drive:\Directory\failure.log
    Dumpel.exe -s bdc2name -l security -m security -e 529 539 >>Drive:\Directory\failure.log
    Dumpel.exe -s bdc3name -l security -m security -e 529 539 >>Drive:\Directory\failure.log

This will append all Event 529s and Event 539s to the <Drive:>\Directory\failure.log file which you can then examine for problems.

    Event ID 529
    Logon Failure
    Reason: Unknown user name or bad password

    Event ID 539
    Logon Failure
    Reason: Account locked out

Common causes for invalid logon events are:

Someone is entering the wrong password.
An unauthorized individual is trying to gain access
There is a persistent network connection with an invalid password.
There is a service using a user account with an invalid password.
A Trust relationship has been broken.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.