What event ID captures *bad* logon events in Windows 2008
We have a Windows 2003 domain with several 2008 domain controllers. I am writing a script to capture bad logon events. This is straightforward on a 2003 DC: I just pull event ID 529. But it seems 2008 does not use the same event ID for bad logon events.
I logged into one of my 2008 DCs and did a search for ID 529, and there is nothing (which is not really accurate, because we get at least one locked user every week). So I figure that 2008 has changed the way it captures bad logon events. Can anyone advise what event ID captures bad logon attempts in 2008? Thanks.
PS - my domain is still 2003.
October 5th, 2010 7:48pm
Hi,
Can you find any Event 4625 logged on the Windows Server 2008 DC? If not, have you enabled the logon auditing on the server?
Subcategory: Logon

  ID     Message
  4624   An account was successfully logged on.
  4625   An account failed to log on.
  4648   A logon was attempted using explicit credentials.
  4675   SIDs were filtered.
Description of security events in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/947226
October 6th, 2010 2:30am
Thanks Miles. I went by the above documentation and searched for event 4625 and found 6 of them. BUT they contain no account name and no domain name; they don't contain much useful info. In fact, for the username it listed NULL SID. Basically those events didn't make much sense (I listed one of these below).
So then I tried filtering by Audit Failures, and found some event IDs that looked to provide what I'm looking for: users who could not log in. The event ID that picks up this info is 4776 (of the category "Credential Validation"). These events list the user who tried to log in but failed. But the way MS has documented it, you would never know this is the event that captures login failure.
I wonder if there are other such events that I should also look for.
******************
Time Generated :
Time Written :
Type : Audit Failure
User Name :
Category : 12544
Category String :
Event Code :
Event Identifier :
Type Event :
Insertion Strings :
Log File :
Message : An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name:
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006d
Sub Status: 0xc0000133
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 192.168.35.184
Source Port: 3818
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
October 6th, 2010 5:35pm
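The script the two posts above are working towards, written here as an added example rather than code from anyone in the thread: it pulls 4625 (Logon subcategory) and 4776 (Credential Validation, NTLM) from a 2008 DC's Security log, reads the account, workstation, source address and NTSTATUS fields by name out of the event XML, and decodes the status codes. It goes one step beyond the thread by also collecting 4771 (Kerberos Authentication Service), which is where a bad password over Kerberos on a DC is recorded, with a Kerberos error code instead of an NTSTATUS. The 4625 quoted above carries Sub Status 0xc0000133, which is STATUS_TIME_DIFFERENCE_AT_DC (client clock skew against the DC), not a bad password; the decoder below shows that. The `$ComputerName` and `$Hours` parameters and the look-back window are assumptions for the example; the code assumes PowerShell 2.0 (Get-WinEvent), rights to read the Security log, and the Logon, Credential Validation and Kerberos Authentication Service audit subcategories being enabled.

```powershell
# Added example (not from the original thread): collect failed-logon events
# from a Windows Server 2008 DC and decode their status codes.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query (assumption)
    [int]$Hours = 24                             # look-back window (assumption)
)

# NTSTATUS values seen in 4625 Status/Sub Status and 4776 Status (ntstatus.h).
$NtStatus = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xc0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'
    '0xc0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xc0000133' = 'STATUS_TIME_DIFFERENCE_AT_DC (clock skew)'
    '0xc0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
}
# Kerberos error codes seen in the Status field of 4771 (RFC 4120).
$KrbStatus = @{
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}

# Which EventData field carries which value in each event ID; $null means
# the event has no such field (e.g. 4776 has no source IP, only a workstation).
$Fields = @{
    4625 = @{ User = 'TargetUserName'; Dom = 'TargetDomainName'; Host = 'WorkstationName'; Ip = 'IpAddress'; Status = 'Status'; Sub = 'SubStatus'; Map = $NtStatus }
    4776 = @{ User = 'TargetUserName'; Dom = $null; Host = 'Workstation'; Ip = $null; Status = 'Status'; Sub = $null; Map = $NtStatus }
    4771 = @{ User = 'TargetUserName'; Dom = $null; Host = $null; Ip = 'IpAddress'; Status = 'Status'; Sub = $null; Map = $KrbStatus }
}

# Read one EventData field by name; positional indexes differ between IDs.
function Get-EventField([xml]$EventXml, [string]$Name) {
    if (-not $Name) { return '-' }
    $d = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($d -and $d.'#text') { return $d.'#text' } else { return '-' }
}

# Append the symbolic name to a status code when it is in the map.
function Decode-Status([hashtable]$Map, [string]$Code) {
    if (-not $Code -or $Code -eq '-') { return '-' }
    $k = $Code.ToLower()
    if ($Map.ContainsKey($k)) { return "$Code $($Map[$k])" } else { return $Code }
}

$filter = @{ LogName = 'Security'; Id = 4625, 4776, 4771
             StartTime = (Get-Date).AddHours(-$Hours) }

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $f = $Fields[[int]$_.Id]
    $status = Get-EventField $x $f.Status
    # 4776 is also written for successful validations (Status 0x0); keep failures only.
    if ($_.Id -eq 4776 -and $status -eq '0x0') { return }
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Account   = Get-EventField $x $f.User
        Domain    = Get-EventField $x $f.Dom
        Station   = Get-EventField $x $f.Host
        # 4771 reports IPv4 clients as ::ffff:a.b.c.d; strip the IPv6 prefix.
        SourceIp  = (Get-EventField $x $f.Ip) -replace '^::ffff:', ''
        Status    = Decode-Status $f.Map $status
        SubStatus = Decode-Status $f.Map (Get-EventField $x $f.Sub)
    }
  } |
  Sort-Object Time |
  Format-Table Time, EventId, Account, Domain, Station, SourceIp, Status, SubStatus -AutoSize
```

Run it on each 2008 DC (or pass `-ComputerName`), because 4776 and 4771 are only written on the DC that validated the credential, while a 4625 is written on the machine where the logon was attempted; a DC only sees 4625 for logons to the DC itself. A 4625 with Security ID S-1-0-0 and a blank account name, like the one quoted above, still has the Source Network Address and Status fields populated, so the IP address is the field to pivot on when the name is missing.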
I have a lot of logon events 4624 with "NULL SID" as the Security ID. This makes no sense to me; what is it?
Thanks
November 15th, 2010 6:18am