Event on DCs when unknown password is used Expand / Collapse
Author
Message
Posted 9/16/2009 9:47:22 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 9/16/2009 9:43:41 AM
Posts: 2, Visits: 1
Randy,

I want to document the use of wrong password during the try-to-logon-process initiated on a Member Server (or Client Computer) when the user uses its domain account. I thought, that 529 will be logged on security event log on DC but it isn't so. Could you please tell me how I will be able to document the occurence of wrong password while a users is trying to log on at a member server or workstation with his domain account?

Thanks in advance.

Alex

Post #212
Posted 9/16/2009 10:04:18 AM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
It's the difference between authentication and logon.  when you are at a workstation and you logon with a domain account you are logging into the workstation - not the domain or domain controller.  The domain controller is authenticating you.  Therefore you need to look at the authentication events which are found in the Account Logon audit category (policy name "Audit account logon events") - not the Logon/Logoff category (policy name "Audit logon events").

Confusing, I know.  For more information, I suggest my recorded webinar Understanding Authentication Events in the Windows 2003 and 2008 Security Logs and of course my Resource Kits

Post #213
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 4:48am