unable to find failed logins

Windows Server 2008 R2 sp1

We are required to audit logons, especially failed logon attempts, so I enabled the following in GPO:

For testing, I intentionally tried to log in with wrong passwords. Then I checked the DC event viewer. The only things I could find there were event IDs 4634 (Logoff), 4678 (some Kerberos service), 4768 (some Kerberos audit failure), and 4624 (Logon).

How do I find or catch failed logon attempts, then?

August 31st, 2015 2:33pm

Hi,

Thanks for your post.

Have you tried to run gpupdate /force before doing the test?

Do this on the "Default Domain Controller" Policy to apply to the DCs? You need to edit the Default Domain Controller policy; otherwise you need to create a new GPO and link it to the Domain Controllers OU.

And for event 4768: when a user logs on at a workstation with their domain account, the workstation contacts the domain controller via Kerberos and requests a ticket granting ticket. If the user fails authentication, the domain controller logs event ID 4771 or an audit failure instance of 4768.

If the user's credentials check out, the domain controller creates a TGT, sends that ticket back to the workstation, and logs event ID 4768.

If authentication succeeds and the domain controller sends back a TGT, the workstation creates a logon session and logs event ID 4624 to the local security log.

Please check the following articles:

Audit Kerberos Authentication Service

https://technet.microsoft.com/en-us/library/Dd772702%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396

Following a Users Logon Tracks throughout the Windows Domain

http://www.eventtracker.com/newsletters/following-a-users-logon-tracks-throughout-the-windows-domain/

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,

Mary Dong

September 1st, 2015 5:57am

Here is another informative article that should be worth reading for you: http://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
September 2nd, 2015 10:21am

"If the user fails authentication, the domain controller logs event ID 4771 or an audit failure instance of 4768. The result code in either event specifies the reason why authentication failed."

In event ID 4771, how do you interpret the result code? I need to know if it's a password failure or something else.

September 6th, 2015 2:51am
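As an added example (not from any of the posts above) of how to pull the failed Kerberos events the thread discusses and decode their result code, the following PowerShell function queries the Security log on a domain controller for audit-failure instances of 4768 and 4771 and maps the Kerberos status code (the values come from RFC 4120) to a readable reason. It assumes "Audit Kerberos Authentication Service" failure auditing is already enabled and that it is run with rights to read the DC's Security log.

```powershell
# Kerberos error codes (RFC 4120). Windows writes the code to the "Status"
# field of event 4768 (TGT request) and 4771 (pre-authentication failed).
$KerberosStatus = @{
    0x6  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN - user name does not exist'
    0xC  = 'KDC_ERR_POLICY - logon hours or workstation restriction'
    0x12 = 'KDC_ERR_CLIENT_REVOKED - account disabled, expired or locked out'
    0x17 = 'KDC_ERR_KEY_EXPIRED - password expired'
    0x18 = 'KDC_ERR_PREAUTH_FAILED - wrong password'
    0x25 = 'KRB_AP_ERR_SKEW - client clock skew too great'
}

function Get-KerberosFailure {
    param(
        [int]$MaxEvents = 200,
        [string]$ComputerName = $env:COMPUTERNAME   # the DC to query
    )
    # Keywords 0x8010000000000000 = "Audit Failure", so successful 4768s are excluded.
    $filter = @{ LogName = 'Security'; Id = 4768, 4771; Keywords = 0x8010000000000000 }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Read the EventData fields by name from the event XML; this works for
        # both IDs, which lay out their Properties array differently.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $code = [Convert]::ToInt32($data['Status'], 16)   # e.g. "0x18" -> 24

        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = $data['TargetUserName']
            Client  = $data['IpAddress']
            Status  = ('0x{0:X}' -f $code)
            Reason  = if ($KerberosStatus.ContainsKey($code)) { $KerberosStatus[$code] }
                      else { 'Kerberos error code not in table' }
        }
      }
}

# Summarise: which accounts are failing, and why (repeated 0x18 = bad passwords).
Get-KerberosFailure |
    Group-Object User, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Only Kerberos logons appear here; an NTLM authentication that fails at the DC is recorded as event 4776 instead, so a complete failed-logon report should include that ID as well.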
