What event ID captures *bad* logon events in Windows 2008
We have a Windows 2003 domain with several 2008 domain controllers. I am writing a script to capture bad logon events - this is straightforward on a 2003 DC - I just pull event ID 529. But it seems 2008 does not use the same event ID for bad logon events. I logged into one of my 2008 DCs and did a search for ID 529, and there is nothing (which is not really accurate because we get at least one locked user every week). So I figure that 2008 has changed the way it captures bad logon events. Can anyone advise what event ID captures bad logon attempts in 2008? Thanks. PS - my domain is still 2003.
October 5th, 2010 7:48pm

Hi, Can you find any Event 4625 logged on the Windows Server 2008 DC? If not, have you enabled the logon auditing on the server?

Subcategory: Logon

ID    Message
4624  An account was successfully logged on.
4625  An account failed to log on.
4648  A logon was attempted using explicit credentials.
4675  SIDs were filtered.

Description of security events in Windows Vista and in Windows Server 2008 http://support.microsoft.com/kb/947226
October 6th, 2010 2:30am

Thanks Miles. I went by the above documentation and searched for event 4625 and found 6 of them. BUT they contain no account name, no domain name; they don't contain much useful info. In fact for username it listed NULL SID. Basically those events didn't make much sense (I listed one of these below). So then I tried filtering by Audit failures, and found some event IDs that looked to provide what I'm looking for - users who could not log in. The event ID that picks up this info is 4776 (of the category "Credential Validation"). These events list the user who tried to log in but failed. But the way MS has documented it, you would never know this is the event that captures login failure. I wonder if there are other such events that I should also look for.

******************
Time Generated :
Time Written :
Type : Audit Failure
User Name :
Category : 12544
Category String :
Event Code :
Event Identifier :
Type Event :
Insertion Strings :
Log File :
Message : An account failed to log on.

Subject:
  Security ID: S-1-0-0
  Account Name: -
  Account Domain: -
  Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
  Security ID: S-1-0-0
  Account Name:
  Account Domain:

Failure Information:
  Failure Reason: An Error occured during Logon.
  Status: 0xc000006d
  Sub Status: 0xc0000133

Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -

Network Information:
  Workstation Name: -
  Source Network Address: 192.168.35.184
  Source Port: 3818

Detailed Authentication Information:
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
October 6th, 2010 5:35pm
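A PowerShell script, added here as an example and not posted by anyone in this thread, that pulls the 4625 and 4776 audit failures discussed above from a 2008 DC's Security log and lists account, source and status for each. It assumes PowerShell 2.0 (Get-WinEvent) running on or against the DC, that the Logon and Credential Validation failure subcategories are audited, and that the EventData field names (TargetUserName, TargetDomainName, IpAddress, Workstation, Status, SubStatus) are read from the event XML.

```powershell
# Example added to this thread: collect failed logons (4625, 4776) from a
# Windows Server 2008 DC's Security log. Assumes PowerShell 2.0+ (Get-WinEvent)
# and that Logon / Credential Validation failure auditing is enabled.
param(
    [string]$Computer = $env:COMPUTERNAME,   # DC to query (assumed local)
    [int]$Hours = 24                         # look-back window in hours
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4776
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
  Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |   # 4776 is also logged on success
  ForEach-Object {
    # Read EventData by field name from the event XML instead of by position.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($_.Id -eq 4625) {
        # 4625: target account, domain, source address, NTSTATUS and sub-status
        $user   = $data['TargetUserName']
        $domain = $data['TargetDomainName']
        $source = $data['IpAddress']
        $status = '{0} / {1}' -f $data['Status'], $data['SubStatus']
    } else {
        # 4776: NTLM credential validation; carries only name, workstation, status
        $user   = $data['TargetUserName']
        $domain = '-'
        $source = $data['Workstation']
        $status = $data['Status']
    }

    New-Object PSObject -Property @{
        Time = $_.TimeCreated; EventId = $_.Id; Domain = $domain
        User = $user; Source = $source; Status = $status
    }
  } |
  Where-Object { $_.User -and $_.User -ne '-' } |   # drop blank / NULL SID records like the 0xc000006d sample
  Sort-Object Time |
  Format-Table Time, EventId, Domain, User, Source, Status -AutoSize
```

The last filter discards records like the sample above, where the account name is empty. Since 4776 only covers NTLM validation, Kerberos failures on a DC are logged separately as event 4771 and would need to be added to the Id list.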

I've a lot of logon events 4624 with "NULL SID" as security ID. This makes no sense to me. What is it? Thanks
November 15th, 2010 6:18am
