Automating Detection of Logon Failures In a Windows NT Domain

ID: Q171148


The information in this article applies to:
  • Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0
  • Microsoft Windows NT Server versions 3.5, 3.51, 4.0


SUMMARY

Detecting logon failures or account lockouts in a Windows NT domain with multiple domain controllers and trusting domains can be difficult. Doing this manually requires the administrator to open the security event log of each domain controller in Event Viewer and set a filter to find the logon failure events.


MORE INFORMATION

The Dumpel.exe utility from the Windows NT Resource Kit lets the domain administrator automate this procedure.

By creating a simple batch file that queries the security event log of every domain controller, you can automate the process. A logon failure event is recorded only in the log of the primary domain controller (PDC) or backup domain controller (BDC) that handled the authentication, so each domain controller must be queried. When you log on to a trusting domain from the trusted domain, the event may be recorded in the trusted domain, so you need to query the event logs of both domains.

To automate this procedure, perform the following steps:

  1. Install the Windows NT 4.0 Resource Kit.


  2. For each domain, create a batch file that dumps the security event log of each domain controller to a text file, filtering on the logon failure event IDs only. The first Dumpel command creates the file with ">"; the remaining commands append to it with ">>".

          @echo off
          Dumpel.exe -s pdcname -l security -m security -e 529 539 > %temp%\event539.txt
          Dumpel.exe -s bdc1name -l security -m security -e 529 539 >> %temp%\event539.txt
          Dumpel.exe -s bdc2name -l security -m security -e 529 539 >> %temp%\event539.txt
          Dumpel.exe -s bdc3name -l security -m security -e 529 539 >> %temp%\event539.txt


  3. This writes all Event 529 and Event 539 records from every domain controller to the event539.txt file, which you can then examine for logon problems.
    Event ID 529
    Logon Failure
    Reason: Unknown user name or bad password

    Event ID 539
    Logon Failure
    Reason: Account locked out


Common causes of invalid logon events:
  • Forgotten passwords: someone is entering the wrong password.

  • An unauthorized individual is trying to gain access to the network.

  • A persistent network connection (for example, a mapped drive) is using a password that is no longer valid.

  • A service is running under a user account whose password is no longer valid.

  • The trust relationship has been broken.
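
The Python script below is an added example, not part of this article or of the Resource Kit. It reads the concatenated event539.txt produced by the batch file in step 2 and maps the pattern of 529/539 records onto the common causes listed above: many accounts failing from one workstation (possible unauthorized access attempt), repeated service-logon failures for one account (service with an invalid password), repeated network-logon failures for one account from one host (persistent connection with an invalid password), and 539 lockouts. It assumes Dumpel's tab-separated layout (date, time, type, category, event ID, source, user, computer, then the description strings) and the NT 4 description-string order for events 529 and 539 (user name, domain, logon type, logon process, authentication package, workstation name); the log lines and host names are constructed, and the thresholds are arbitrary starting points.

```python
"""Summarise logon failures (event 529) and lockouts (event 539) collected
with Dumpel.exe from every domain controller, as in the batch file above."""
from collections import Counter, defaultdict

EVENT_BAD_PASSWORD = "529"
EVENT_LOCKED_OUT = "539"
# NT logon type codes carried in the third description string of 529/539.
LOGON_TYPES = {"2": "interactive", "3": "network", "4": "batch", "5": "service"}


def _row(date, dc, event_id, user, logon_type, workstation, domain="CORP"):
    """Build one constructed Dumpel line in the tab-separated layout assumed
    here: date, time, type, category, event ID, source, user, computer (the DC
    that logged it), then the 529/539 description strings: target user,
    domain, logon type, logon process, authentication package, workstation."""
    return "\t".join([date, "8:01:12 AM", "16", "2", event_id, "Security", "N/A", dc,
                      user, domain, logon_type, "User32",
                      "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", workstation])


# Constructed event539.txt (not real log data).
SAMPLE_LOG = "\n".join([
    _row("2/22/1999", "PDC1", "529", "jsmith", "2", "WS042"),         # one typo
    _row("2/22/1999", "BDC1", "529", "svcbackup", "5", "SRV07"),      # service, old password
    _row("2/22/1999", "BDC1", "529", "svcbackup", "5", "SRV07"),
    _row("2/22/1999", "BDC2", "529", "svcbackup", "5", "SRV07"),
    _row("2/22/1999", "PDC1", "529", "administrator", "3", "WS099"),  # guessing from WS099
    _row("2/22/1999", "PDC1", "529", "jsmith", "3", "WS099"),
    _row("2/22/1999", "BDC1", "529", "mlee", "3", "WS099"),
    _row("2/22/1999", "PDC1", "539", "mlee", "3", "WS099"),           # mlee now locked out
    "",                                                               # blank line from >>
])


def parse_dumpel(text):
    """Return one dict per 529/539 record; blank and unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < 9 or fields[4] not in (EVENT_BAD_PASSWORD, EVENT_LOCKED_OUT):
            continue
        strings = fields[8:]
        events.append({
            "dc": fields[7],
            "event": fields[4],
            "user": strings[0].lower(),
            "domain": strings[1] if len(strings) > 1 else "",
            "logon_type": LOGON_TYPES.get(strings[2], "other") if len(strings) > 2 else "other",
            "workstation": strings[5] if len(strings) > 5 else "unknown",
        })
    return events


def summarize(events):
    """Counts that show at a glance where the failures come from."""
    bad = [e for e in events if e["event"] == EVENT_BAD_PASSWORD]
    return {
        "failures_per_user": Counter(e["user"] for e in bad),
        "failures_per_workstation": Counter(e["workstation"] for e in bad),
        "lockouts": sorted({e["user"] for e in events if e["event"] == EVENT_LOCKED_OUT}),
        "dcs_seen": sorted({e["dc"] for e in events}),
    }


def suspected_causes(events, threshold=2):
    """Map the failure pattern onto the common causes listed in the article.
    These are heuristics, not proof: each finding names what to examine."""
    findings = []
    by_ws = defaultdict(set)   # workstation -> accounts that failed from it
    by_user_ws = Counter()     # (user, workstation, logon type) -> failures
    for e in events:
        if e["event"] != EVENT_BAD_PASSWORD:
            continue
        by_ws[e["workstation"]].add(e["user"])
        by_user_ws[(e["user"], e["workstation"], e["logon_type"])] += 1
    for ws, users in sorted(by_ws.items()):
        if len(users) >= threshold:
            findings.append(f"{ws}: {len(users)} accounts failed from one host; "
                            "possible unauthorized access attempt")
    for (user, ws, ltype), n in sorted(by_user_ws.items()):
        if n < threshold:
            continue
        if ltype == "service":
            findings.append(f"{user}@{ws}: {n} service logon failures; "
                            "service running with an invalid password")
        elif ltype == "network":
            findings.append(f"{user}@{ws}: {n} network logon failures; "
                            "persistent connection with an invalid password?")
    for user in sorted({e["user"] for e in events if e["event"] == EVENT_LOCKED_OUT}):
        findings.append(f"{user}: account locked out (event 539)")
    return findings


if __name__ == "__main__":
    evs = parse_dumpel(SAMPLE_LOG)
    for key, value in summarize(evs).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
    for finding in suspected_causes(evs):
        print("-", finding)
```

To run it against a real collection, replace SAMPLE_LOG with the contents of %temp%\event539.txt; if your Dumpel output uses a different field order, adjust the indexes in parse_dumpel before trusting the findings.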

Additional query words: hacker ntreskit log logins lockout

Keywords : kbtool kbtshoot ntdomain nthowto NTSrvWkst ntutil
Version : WinNT:3.5,3.51,4.0
Platform : winnt
Issue type :


Last Reviewed: February 23, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.