Using the Checked Netlogon.dll to Track Account Lockouts

ID: Q189541


The information in this article applies to:
  • Microsoft Windows versions 95, 98
  • Microsoft Windows NT Server version 4.0
  • Microsoft Windows NT Server, Enterprise Edition version 4.0

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information on how to do this, view the "Restoring the Registry" online Help topic in Regedit.exe or the "Restoring a Registry Key" online Help topic in Regedt32.exe.

SUMMARY

Account lockouts can be difficult to track for several reasons. For Windows 95 and Windows 98 clients, a bad password attempt is recorded only on the domain controller that processed the logon attempt, so the logs of every domain controller would have to be examined. Windows NT clients record the failed attempt locally on the workstation, so no log entry is recorded on any domain controller at all.


MORE INFORMATION

A relatively easy way to track bad password attempts in a domain is to install the checked build of Netlogon.dll on the primary domain controller (PDC). The checked build writes a text log on the PDC that can be examined to determine which clients are generating the bad password attempts, for Windows NT, Windows 95 and Windows 98 clients alike.

The checked build of Netlogon.dll can be obtained from Microsoft Technical Support and is also included in the Microsoft DDK.

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" online Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" online Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.

To install the checked build of Netlogon.dll on Windows NT 4.0:

  1. Go to the %windir%\System32 folder.


  2. Rename Netlogon.dll to Netlogon.fre.


  3. Copy the checked version of Netlogon.dll to the System32 folder.


  4. Start Regedt32, and go to the following key:
    
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon
          \Parameters 
    NOTE: The above registry key is one path; it has been wrapped for readability.


  5. Under that key, set the DBFlag value (data type REG_DWORD; add it if it does not exist) to 0x4, and then quit Regedt32.

    NOTE: Setting DBFlag to 0x4 records logon processing only. Setting it to 0x20000004 records a time stamp with each logon event, which is needed to tell repeated attempts apart.


  6. Restart the server. (The Netlogon.dll that is in use cannot be replaced while the service is running.)


  7. Confirm that the debug directory was created under the %windir% folder and contains a Netlogon.log file.


Examples

In the examples below:

PORSCHE\example = User Account
TARGA           = BDC
928S4           = Windows NT Workstation
928WIN95        = Windows 95
911Turbo        = PDC

Different clients will log different messages.

Windows NT Workstation:

[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Entered

[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Returns 0xC000006A

[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Entered

[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Returns 0xC0000234 
In the above example, the first logon attempt fails with a bad password (0xC000006A); the next attempt fails because the account is now locked out (0xC0000234). The "(via TARGA)" text shows that the BDC TARGA received the logon request and forwarded it to the PDC, which is why the entry appears in the PDC's log.

Windows 95 and Windows 98 clients produce Network rather than Interactive logon entries; the domain name is shown as (null) and the workstation name is written in UNC form. The status codes are the same:

[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Entered

[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Returns 0xC000006A

[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Entered

[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Returns 0xC0000234 
A successful account logon will look like:

[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Entered

[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Returns
   0x0

[LOGON] NetrLogonUasLogon of EXAMPLE from 928WIN95 returns 0 
The errors you will most likely see are:

0xC0000234   User logon with Account Locked
0xC000006A   User logon with Misspelled or bad Password
0xC0000072   User logon to account disabled by Administrator
0xC0000193   User logon with Expired Account
0xC0000070   User logon from unauthorized workstation
0xC000006F   User logon Outside authorized hours
0xC0000224   User logon with "Change Password at Next Logon" flagged
0xC0000071   User logon with Expired Password
0xC0000064   User logon with Misspelled or Bad User Account

To track account lockouts, only the 0xC0000234 and 0xC000006A errors are important: the 0xC000006A entries identify the workstation that is sending the bad passwords, and the 0xC0000234 entry marks the point at which the account became locked.

Note that these errors are only a partial listing. Ntstatus.h has all the 0xCxxxxxxx listings.

After the workstation sending the bad passwords has been identified, the workstation can be configured correctly or the user can be informed of the correct password.
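The following script is an added example, not part of the original article, that does the examination described above: it reads Netlogon.log entries of the shape shown in the listings, counts the 0xC000006A (bad password) returns per account and workstation, and lists each 0xC0000234 (lockout) return with the workstation and forwarding BDC. The sample log is constructed for the example. The "MM/DD HH:MM:SS" prefix is assumed to be the time stamp that DBFlag 0x20000004 adds; with 0x4 alone the lines begin at "[LOGON]" and the parser accepts both.

```python
"""Summarise bad-password and lockout entries from a Netlogon.log."""
import re
from collections import Counter, defaultdict

# NTSTATUS codes listed in the article, with their ntstatus.h names.
STATUS_NAMES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000064: "STATUS_NO_SUCH_USER",
}
WRONG_PASSWORD = 0xC000006A
LOCKED_OUT = 0xC0000234

# One SamLogon line. The leading "MM/DD HH:MM:SS " prefix is an assumption
# about the time stamp DBFlag 0x20000004 adds; it is optional here.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) )?"
    r"\[LOGON\] SamLogon: (?P<kind>\w+) logon of (?P<domain>[^\\]+)\\(?P<user>\S+) "
    r"from (?P<ws>\S+)(?: \(via (?P<via>[^)]+)\))? "
    r"(?:Entered|Returns (?P<status>0x[0-9A-Fa-f]+))\s*$"
)


def unwrap(text):
    """Re-join lines wrapped for printing (continuations start with
    whitespace, as in the article's listings). A raw Netlogon.log has one
    entry per line, so this is a no-op on it."""
    joined = []
    for line in text.splitlines():
        if line[:1].isspace() and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.rstrip())
    return joined


def parse_returns(text):
    """Yield one dict per 'Returns' line; 'Entered' lines carry no result."""
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if not m or m.group("status") is None:
            continue
        yield {
            "ts": m.group("ts"),
            "kind": m.group("kind"),
            "domain": None if m.group("domain") == "(null)" else m.group("domain"),
            "user": m.group("user").upper(),             # NT logs lower case, Win95 upper
            "workstation": m.group("ws").lstrip("\\").upper(),  # strip UNC prefix
            "via": m.group("via"),                       # BDC that forwarded the request
            "status": int(m.group("status"), 16),
        }


def lockout_report(text):
    """Return (bad_passwords, lockouts): bad_passwords maps user -> Counter of
    workstations that sent wrong passwords; lockouts lists
    (ts, user, workstation, via) for every STATUS_ACCOUNT_LOCKED_OUT."""
    bad = defaultdict(Counter)
    lockouts = []
    for ev in parse_returns(text):
        if ev["status"] == WRONG_PASSWORD:
            bad[ev["user"]][ev["workstation"]] += 1
        elif ev["status"] == LOCKED_OUT:
            lockouts.append((ev["ts"], ev["user"], ev["workstation"], ev["via"]))
    return dict(bad), lockouts


def status_name(code):
    """ntstatus.h name for the codes above; hex for anything else."""
    return STATUS_NAMES.get(code, "0x%08X" % code)


# Constructed sample in the shape of the article's listings, with the
# assumed time stamp prefix of DBFlag 0x20000004.
SAMPLE_LOG = """\
07/21 09:01:10 [LOGON] SamLogon: Interactive logon of PORSCHE\\example from 928S4 (via TARGA) Entered
07/21 09:01:10 [LOGON] SamLogon: Interactive logon of PORSCHE\\example from 928S4 (via TARGA) Returns 0xC000006A
07/21 09:01:25 [LOGON] SamLogon: Network logon of (null)\\EXAMPLE from \\\\928WIN95 Entered
07/21 09:01:25 [LOGON] SamLogon: Network logon of (null)\\EXAMPLE from \\\\928WIN95 Returns 0xC000006A
07/21 09:01:40 [LOGON] SamLogon: Network logon of (null)\\EXAMPLE from \\\\928WIN95 Entered
07/21 09:01:40 [LOGON] SamLogon: Network logon of (null)\\EXAMPLE from \\\\928WIN95 Returns 0xC000006A
07/21 09:02:02 [LOGON] SamLogon: Interactive logon of PORSCHE\\example from 928S4 (via TARGA) Entered
07/21 09:02:02 [LOGON] SamLogon: Interactive logon of PORSCHE\\example from 928S4 (via TARGA) Returns 0xC0000234
07/21 09:03:30 [LOGON] SamLogon: Interactive logon of PORSCHE\\admin from 911Turbo Entered
07/21 09:03:30 [LOGON] SamLogon: Interactive logon of PORSCHE\\admin from 911Turbo Returns 0x0
"""

if __name__ == "__main__":
    bad, lockouts = lockout_report(SAMPLE_LOG)
    for user, per_ws in bad.items():
        for ws, n in per_ws.most_common():
            print("%-10s %-10s %d x %s" % (user, ws, n, status_name(WRONG_PASSWORD)))
    for ts, user, ws, via in lockouts:
        print("%s %s locked out; attempt from %s%s"
              % (ts, user, ws, " via " + via if via else ""))
```

Run it against %windir%\debug\Netlogon.log on the PDC. The account name is upper-cased before counting because NT workstations log it as typed while Windows 95 clients log it in upper case; without that, one account's attempts from the two client types would be counted separately.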

Additional query words: pass thru through authentication

Version : WINDOWS:95,98; winnt:4.0
Platform : WINDOWS winnt
Issue type : kbhowto


Last Reviewed: January 13, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.