Registrations are now open. Join us today!
There is still a lot of work to do on the wiki yet! More information about editing can be found here.
Already have an account?

Microsoft KB Archive/172402

From BetaArchive Wiki
Knowledge Base

Auditing Logon Failures Does Not Log Remote Failures

Article ID: 172402

Article Last Modified on 11/1/2006


  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition

This article was previously published under Q172402


When auditing logon and logoff failures on a Domain Controller, not all expected failure audit event messages are recorded in the Security Event Log of a domain controller.


This behavior may occur if a user does not log on to a member Windows NT workstation or server by using an account that has domain credentials. In this case, the local Security Log records an Event 529 (Logon Failure) event message. There is no failure audit recorded on a domain controller when the domain user's logon does not succeed. The account may be locked out if configured to do so, but no event message is recorded.


You cannot force the domain controllers to log this failure audit. However there is an event message to audit the locking of an account on a domain controller. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

182918 Account Lockout Event Also Stored in Security Event Log on Domain Controller

For additional information about how to track the failed logon attempts on each workstation and member server, click the following article number to view the article in the Microsoft Knowledge Base:

171148 Automating Detection of Logon Failures in a Windows NT Domain


Microsoft has confirmed that this is a problem in Windows NT 3.51 and Windows NT 4.0. Microsoft is researching this problem and will post more information in this article when the information becomes available.

Additional query words: 4.00 usrmgr audit use r account lockout

Keywords: kbnetwork KB172402