Automating Detection of Logon Failures In a Windows NT Domain

Last reviewed: March 2, 1998
Article ID: Q171148
The information in this article applies to:
  • Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
  • Microsoft Windows NT Server versions 3.5, 3.51, and 4.0

SUMMARY

Detecting logon failures or account lockouts in a Windows NT domain with multiple domain controllers and trusting domains can be difficult. Doing it manually requires the administrator to load the security event log of each domain controller in turn and set the filter to find the logon failure events.

MORE INFORMATION

Use the Dumpel.exe utility from the Windows NT Resource Kit to enable the domain administrator to automate this procedure.

By creating a simple batch file to query the security event log of all of your domain controllers, you can quickly automate the process. A logon failure event is recorded only in the log of the primary domain controller (PDC) or backup domain controller (BDC) that authenticated the user, so no single log is complete. When you log on to a trusting domain from the trusted domain, the event may be recorded in the trusted domain, so you need to query the event logs of both domains.

To automate this procedure, perform the following steps:

  1. Install the Windows NT 4.0 Resource Kit.

  2. For each domain, create a batch file that dumps the security event log of each domain controller to a text file, filtering only the logon failure event IDs (529 and 539).

          @echo off
          Dumpel.exe -s pdcname -l security -m security -e 529 539 > %temp%\event539.txt
          Dumpel.exe -s bdc1name -l security -m security -e 529 539 >> %temp%\event539.txt
          Dumpel.exe -s bdc2name -l security -m security -e 529 539 >> %temp%\event539.txt
          Dumpel.exe -s bdc3name -l security -m security -e 529 539 >> %temp%\event539.txt


  3. The batch file appends all Event 529 and Event 539 records to the event539.txt file, which can then be examined for logon problems.

          Event ID 529
          Logon Failure
          Reason: Unknown user name or bad password
    

          Event ID 539
          Logon Failure
          Reason: Account locked out
    
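The resulting event539.txt still has to be read, and with several domain controllers the failures for one account are spread across the file. The script below is an added example, not part of this article or of the Resource Kit: it parses Dumpel-style tab-separated records, counts Event 529s per DOMAIN\account, notes which domain controller recorded each one, lists accounts that reached Event 539, and flags accounts at or above a threshold. It assumes Dumpel's default column order (date, time, type, category, event ID, source, user, computer, then the event's insertion strings, of which the first two are the target account and its domain); the sample records are constructed.

```python
"""Aggregate Dumpel.exe output for logon failures (529) and lockouts (539).

Added example, not part of KB Q171148. Assumed Dumpel layout: tab-separated
date, time, type, category, event ID, source, user, computer, then the
insertion strings; for 529/539 the first string is the target account and
the second its domain. The sample lines are constructed, not captured.
"""
from collections import Counter, defaultdict

# Constructed stand-in for %temp%\event539.txt after the article's batch
# file has run against a PDC and two BDCs (one record per line).
SAMPLE = "\n".join([
    "3/2/1998\t8:02:11 AM\t16\t2\t529\tSecurity\tN/A\tPDCNAME\tjsmith\tCORP\t2\tUser32\tNTLM\tWS01",
    "3/2/1998\t8:02:19 AM\t16\t2\t529\tSecurity\tN/A\tBDC1NAME\tjsmith\tCORP\t2\tUser32\tNTLM\tWS01",
    "3/2/1998\t8:02:25 AM\t16\t2\t529\tSecurity\tN/A\tBDC1NAME\tjsmith\tCORP\t2\tUser32\tNTLM\tWS01",
    "3/2/1998\t8:03:40 AM\t16\t2\t529\tSecurity\tN/A\tBDC2NAME\tsvc_bkup\tCORP\t5\tAdvapi\tNTLM\tSRV02",
    "3/2/1998\t8:03:41 AM\t16\t2\t529\tSecurity\tN/A\tBDC2NAME\tsvc_bkup\tCORP\t5\tAdvapi\tNTLM\tSRV02",
    "3/2/1998\t8:03:42 AM\t16\t2\t529\tSecurity\tN/A\tBDC2NAME\tsvc_bkup\tCORP\t5\tAdvapi\tNTLM\tSRV02",
    "3/2/1998\t8:03:43 AM\t16\t2\t539\tSecurity\tN/A\tBDC2NAME\tsvc_bkup\tCORP\t5\tAdvapi\tNTLM\tSRV02",
    "a stray line that Dumpel did not write",
])

def parse(text):
    """Yield (event_id, recording_dc, account, domain) for each 529/539 record."""
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 10 or not f[4].isdigit():
            continue  # not a well-formed Dumpel record; skip rather than crash
        eid = int(f[4])
        if eid in (529, 539):
            yield eid, f[7], f[8], f[9]

def summarise(text, threshold=3):
    """Per DOMAIN\\account: 529 count, the DCs that recorded them, and 539 hits.
    'flagged' lists accounts at or over threshold; their 'dcs' entry shows
    why querying a single domain controller's log would undercount."""
    failures, dcs, locked = Counter(), defaultdict(set), set()
    for eid, dc, acct, dom in parse(text):
        key = f"{dom}\\{acct}"
        if eid == 529:
            failures[key] += 1
            dcs[key].add(dc)
        else:
            locked.add(key)
    flagged = sorted(k for k, n in failures.items() if n >= threshold)
    return {"failures": dict(failures), "dcs": {k: sorted(v) for k, v in dcs.items()},
            "locked": sorted(locked), "flagged": flagged}

if __name__ == "__main__":
    report = summarise(SAMPLE)
    for acct in report["flagged"]:
        tag = " (LOCKED OUT)" if acct in report["locked"] else ""
        print(f"{acct}: {report['failures'][acct]} x 529 on {', '.join(report['dcs'][acct])}{tag}")
```

On the sample, jsmith's three failures are split between the PDC and BDC1, which is exactly the case the article's per-controller queries exist to catch; svc_bkup's run of 529s ending in a 539 matches the "service using an invalid password" cause listed below.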

Common causes for invalid logon events:
  • Forgotten passwords (someone is entering the wrong password).
  • An unauthorized individual is trying to gain access to the network.
  • There is a persistent network connection with an invalid password.
  • There is a service using a user account with an invalid password.
  • A trust relationship has been broken.


Additional query words: hacker ntreskit log logins lockout
Keywords : ntdomain nthowto NTSrvWkst ntutil kbtool kbtshoot
Version : WinNT:3.5,3.51,4.0
Platform : winnt


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.