Auditing User Authentication
ID: Q174073
|
The information in this article applies to:
-
Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0
-
Microsoft Windows NT Server versions 3.5, 3.51, 4.0
SUMMARY
This article contains tips for interpreting security auditing events
related to user authentication.
These events will all appear in the Security event log and will be logged
with a source of Security.
MORE INFORMATION
EventID Description
------- -----------
514 An authentication package has been loaded by the LSA
515 A trusted logon process has registered with the LSA
518 A notification package has been loaded by the Security
Account Manager
528 Successful Logon
529 Logon Failure: Unknown user name or bad password
530 Logon Failure: Account logon time restriction violation
531 Logon Failure: Account currently disabled
532 Logon Failure: The specified user account has expired
533 Logon Failure: User not allowed to logon at this computer
534 Logon Failure: The user has not been granted the requested
logon type at this machine
535 Logon Failure: The specified account's password has expired
536 Logon Failure: The NetLogon component is not active
537 Logon Failure: An unexpected error occurred during logon
538 User Logoff
539 Logon Failure: Account locked out
For more information security events, please see the following article in
the Microsoft Knowledge Base:
ARTICLE-ID: Q174074
TITLE : Security Event Descriptions
Security Identifiers (SIDs)
Some security events report SIDs instead of user names. In this case,
it is often difficult to determine which user account is being referred
to in the event.
It is possible to build a list of mappings of user names to SIDs by
performing the following steps:
- Dump the user list to a text file with the NET USERS command or with
Addusers.exe.
- Modify this text file to remove unwanted information (headers, and so
forth).
- Modify the resulting list of user names into a batch file, using the
GETSID resource kit utility to translate each user name into a SID.
Redirect the output to a text file.
- When you encounter a SID, search the text file (created previously)
for that SID. This will place you on the line with the user's name.
Logon Type
"Logon Type" will be one of the following:
2 Interactive
3 Network
4 Batch
5 Service
6 Proxy
7 Unlock Workstation
(0 & 1 are invalid)
Logon Process
"Logon Process" will be one of the following:
"msv1_0" or "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0":
msv1_0.dll, the default authentication package
"KSecDD":
ksecdd.sys, the security device driver
"User32" or "WinLogon\MSGina":
winlogon.exe & msgina.dll, the authentication user interface
"SCMgr":
The Service Control Manager
"LAN Manager Workstation Service"
"advapi"
API call to LogonUser
"MS.RADIU":
The RADIUS authentication package; a part of the Microsoft Internet
Authentication Services (IAS).
User Rights
For more detail on user rights, please see the following Microsoft
Knowledge Base article:
ARTICLE-ID: Q101366
TITLE : Definition and List of Windows NT Advanced User Right
For more information on auditing user right changes, please see the
following Microsoft Knowledge Base article:
ARTICLE-ID: Q163905
TITLE : Auditing User Right Assignment Changes
Supplemental Information
For more information on user authentication, please see the following
Microsoft Knowledge Base article:
ARTICLE-ID: Q102716
TITLE : User Authentication with Windows NT
For more information on authentication on networks, see:
ARTICLE-ID: Q122422
TITLE : Example of Remote Logon with Windows NT Server
Additional query words:
secevent sec
Keywords : ntdomain ntsecurity NTSrv
Version : winnt:3.5,3.51,4.0
Platform : winnt
Issue type : kbinfo