Microsoft KB Archive/172402

From BetaArchive Wiki
Knowledge Base


Auditing Logon Failures Does Not Log Remote Failures

Article ID: 172402

Article Last Modified on 11/1/2006



APPLIES TO

  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition



This article was previously published under Q172402

SYMPTOMS

When auditing logon and logoff failures on a Domain Controller, not all expected failure audit event messages are recorded in the Security Event Log of a domain controller.

CAUSE

This behavior may occur if a user does not log on to a member Windows NT workstation or server by using an account that has domain credentials. In this case, the local Security Log records an Event 529 (Logon Failure) event message. There is no failure audit recorded on a domain controller when the domain user's logon does not succeed. The account may be locked out if configured to do so, but no event message is recorded.

RESOLUTION

You cannot force the domain controllers to log this failure audit. However there is an event message to audit the locking of an account on a domain controller. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

182918 Account Lockout Event Also Stored in Security Event Log on Domain Controller


For additional information about how to track the failed logon attempts on each workstation and member server, click the following article number to view the article in the Microsoft Knowledge Base:

171148 Automating Detection of Logon Failures in a Windows NT Domain


STATUS

Microsoft has confirmed that this is a problem in Windows NT 3.51 and Windows NT 4.0. Microsoft is researching this problem and will post more information in this article when the information becomes available.


Additional query words: 4.00 usrmgr audit use r account lockout

Keywords: kbnetwork KB172402