Article ID: 171148
Article Last Modified on 11/1/2006
APPLIES TO
- Microsoft Windows NT Workstation 3.5
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Workstation 4.0 Developer Edition
- Microsoft Windows NT Server 3.5
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0 Standard Edition
This article was previously published under Q171148
SUMMARY
Detecting logon failures or account lockouts in a Windows NT domain with multiple domain controllers and trusting domains may be difficult. To do this manually, the administrator would have to load the security event log of each domain controller, member server, and workstation in turn and set the filter to find the logon failure events.
MORE INFORMATION
Use the Dumpel.exe utility from the Windows NT Resource Kit to let the domain administrator automate this procedure.
By creating a simple batch file that queries the security event log of all of your Windows NT-based systems, you can quickly automate the process. Note that a logon failure event is recorded only in the log of the resource that denied access to the user, so every domain controller, member server, and workstation must be queried, not just the domain controllers.
To automate this procedure, perform the following steps:
- Install the Windows NT 4.0 Resource Kit.
- For each domain, create a batch file that dumps the security event log of each domain member to a text file, filtering the log on the failure event IDs only, as in the following example:
@echo off
rem Collect failure audits 529 (logon failure: bad user name or password) and
rem 539 (logon failure: account locked out) from the security log of every
rem domain controller, member server, and workstation into one file.
rem The first command creates the file (>), the rest append to it (>>).
rem Replace the -s names with the computer names in your domain.
Dumpel.exe -s pdcname -l security -m security -e 529 539 > %temp%\event539.txt
Dumpel.exe -s bdc1name -l security -m security -e 529 539 >> %temp%\event539.txt
Dumpel.exe -s bdc2name -l security -m security -e 529 539 >> %temp%\event539.txt
Dumpel.exe -s bdc3name -l security -m security -e 529 539 >> %temp%\event539.txt
Dumpel.exe -s memberserver1name -l security -m security -e 529 539 >> %temp%\event539.txt
Dumpel.exe -s workstation1name -l security -m security -e 529 539 >> %temp%\event539.txt
- This appends all Event 529s and Event 539s from every queried system to the event539.txt file, which can then be examined for logon problems.
Common causes for invalid logon events:
- Forgotten passwords, or someone entering the wrong password.
- An unauthorized individual is trying to gain access to the network.
- There is a persistent network connection with an invalid password.
- There is a service using a user account with an invalid password.
- A trust relationship has been broken.
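Once the batch file above has produced a combined event539.txt, the next job is to sort the entries by account. The following Python script is an added example, not code from the article or the Resource Kit: it parses Dumpel-style records, counts 529 events per account, notes whether a 539 lockout was recorded, and flags accounts whose repeated failures all come from one place, which is the pattern of the persistent-connection and service-account causes listed above. The tab-separated column layout, the description text, the host names and the sample records are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Dumpel-style record; the tab-separated column order (date, time,
# type, category, event id, source, user, computer, description) is assumed.
def _line(event_id, host, reason, user, workstation):
    return ("5/12/1998\t08:01:10 AM\t16\t2\t%d\tSecurity\tNT AUTHORITY\\SYSTEM\t%s\t"
            "Logon Failure: Reason: %s User Name: %s Domain: CORP Workstation Name: %s"
            % (event_id, host, reason, user, workstation))

# Constructed sample of event539.txt after three hosts' logs were appended.
BAD_PW = "Unknown user name or bad password"
SAMPLE_DUMP = "\n".join(
    [_line(529, "PDCNAME", BAD_PW, "jdoe", "WS1")] * 3
    + [_line(529, "BDC1NAME", BAD_PW, "jdoe", "WS1")] * 2
    + [_line(539, "PDCNAME", "Account locked out", "jdoe", "WS1")]
    + [_line(529, "MEMBERSERVER1NAME", BAD_PW, "svc_backup", "MEMBERSERVER1NAME")] * 6
    + [_line(529, "MEMBERSERVER1NAME", BAD_PW, "asmith", "WS2")])

DESC_RE = re.compile(r"User Name:\s*(\S+).*?Workstation Name:\s*(\S+)")

def parse_dumpel(text):
    """Parse Dumpel lines; logged_on is the host whose security log holds the event."""
    events = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 9 or not cols[4].isdigit():   # skip anything that is not a record
            continue
        m = DESC_RE.search(cols[8])
        events.append({"event_id": int(cols[4]), "logged_on": cols[7],
                       "user": m.group(1) if m else "?",
                       "workstation": m.group(2) if m else "?"})
    return events

def summarize(events, threshold=5):
    """Per account: 529 count, whether a 539 (lockout) was seen, the (workstation,
    logging host) pairs the failures came from, and single_source, which marks an
    account failing repeatedly from one place (stale connection or service)."""
    acc = defaultdict(lambda: {"failures": 0, "locked_out": False, "sources": set()})
    for ev in events:
        entry = acc[ev["user"]]
        if ev["event_id"] == 529:
            entry["failures"] += 1
            entry["sources"].add((ev["workstation"], ev["logged_on"]))
        elif ev["event_id"] == 539:
            entry["locked_out"] = True
    return {user: {"failures": e["failures"], "locked_out": e["locked_out"],
                   "sources": sorted(e["sources"]), "at_risk": e["failures"] >= threshold,
                   "single_source": len(e["sources"]) == 1 and e["failures"] >= threshold}
            for user, e in acc.items()}
```

Run `summarize(parse_dumpel(open(path).read()))` on a real event539.txt; if your Dumpel output uses a different column order or description wording, adjust the column indexes and DESC_RE accordingly.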
On Service Pack 4 (SP4) and later domain controllers, event 644 can be configured to mark an account lockout. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
182918 Account Lockout Event also Stored in Security Event Log on DC
Additional query words: hacker ntreskit log logins lockout
Keywords: kbtshoot KB171148