JSI Tip 0701 - How do I track account lockout/bad password logon attempts?
September 3, 1998
These are very difficult to track, because logon attempts from non-Windows NT clients are recorded in the event log of the domain controller that attempts to validate the account, while Windows NT logon attempts are recorded locally.
You can install the Netlogon.dll from the checked build of Service Pack 3 on your PDC to create a log file for all attempts.
After downloading the checked build of the service pack, extract (SP_Name.exe /x) the Netlogon.dll.
Navigate to the %SystemRoot%\System32 folder and rename Netlogon.dll to Netlogon.fre.
Copy the checked version of Netlogon.dll to the %SystemRoot%\System32 folder. Edit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
and change DBFlag to 0x04 to record the logon or to 0x20000004 to record the logon and a time stamp.
Shut down and restart the PDC.
Confirm you have a %SystemRoot%\Debug folder that contains a Netlogon.log file.
The error codes in the log file are:
Error Code | Meaning |
---|---|
0xC0000234 | User logon with Account Locked. |
0xC000006A | User logon with Misspelled or bad Password. |
0xC0000072 | User logon to account disabled by Administrator. |
0xC0000193 | User logon with Expired Account. |
0xC0000070 | User logon from unauthorized workstation. |
0xC000006F | User logon Outside authorized hours. |
0xC0000224 | User logon with "Change Password at Next Logon" flagged. |
0xC0000071 | User logon with Expired Password. |
0xC0000064 | User logon with Misspelled or Bad User Account. |
Only the 0xC0000234 and 0xC000006A entries are important for account lockouts.
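As an added example, not part of the original tip, this Python script tallies the two lockout-relevant codes per account from Netlogon.log lines. The line layout (`logon of DOMAIN\user from WORKSTATION ... 0x...`) is an assumption, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
# Status codes and meanings from the table above.
STATUS = {
    0xC0000234: "account locked",
    0xC000006A: "bad password",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000070: "unauthorized workstation",
    0xC000006F: "outside authorized hours",
    0xC0000224: "change password at next logon",
    0xC0000071: "password expired",
    0xC0000064: "bad user account",
}
LOCKOUT_CODES = {0xC0000234, 0xC000006A}  # the two the tip calls important

# Assumed line layout: "... logon of DOMAIN\user from HOST ... 0xC000006A"
CODE_RE = re.compile(r"\b0x([0-9A-Fa-f]{8})\b")
WHO_RE = re.compile(r"logon of (\S+) from (\S+)", re.IGNORECASE)

def failures(lines):
    # Yield (account, workstation, code) for every line carrying a known code.
    for line in lines:
        m = CODE_RE.search(line)
        code = int(m.group(1), 16) if m else None
        if code in STATUS:
            who = WHO_RE.search(line)
            account, host = who.groups() if who else ("?", "?")
            yield account.lower(), host.upper(), code

def lockout_summary(lines):
    """Per account: counts of the lockout-relevant codes and their source hosts."""
    summary = defaultdict(lambda: {"counts": Counter(), "sources": set()})
    for account, host, code in failures(lines):
        if code in LOCKOUT_CODES:
            summary[account]["counts"][STATUS[code]] += 1
            summary[account]["sources"].add(host)
    return dict(summary)

# Constructed sample lines (not real log output).
SAMPLE = [
    r"09/03 10:01:12 [LOGON] SamLogon: Network logon of CORP\alice from WKS01 Returns 0xC000006A",
    r"09/03 10:01:15 [LOGON] SamLogon: Network logon of CORP\alice from WKS01 Returns 0xC000006A",
    r"09/03 10:01:19 [LOGON] SamLogon: Network logon of CORP\Alice from WKS07 Returns 0xC0000234",
    r"09/03 10:02:40 [LOGON] SamLogon: Network logon of CORP\bob from WKS02 Returns 0xC0000071",
]

if __name__ == "__main__":
    print(lockout_summary(SAMPLE))
```

Account names are lower-cased before counting so that differently cased spellings of one account are tallied together.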