Access Denied: Identifying Logon Attempts That Use Disabled Accounts

In the Security log, which events identify attempts to log on with a disabled account?

Event ID 531, event ID 676 with failure code 0x12, and event ID 681 with error code 3221225586all indicate that someone tried to log on with a disabled account. Which event is logged depends on which versions of Windows you're using; whether you're using a domain or local account; whether you're looking at the log of a domain controller (DC), a server, or a workstation; and the computer's audit policy.

Event ID 531, which Web Figure 1 (http://www.winnetmag.com, InstantDoc ID 41276) shows, is part of the Audit logon events audit category. The Audit logon events category records attempts to log on to the local computer. For example, when you log on to your workstation's console, you generate one or more audit logon events in your workstation's Security log. When you access a shared resource on another computer on the network (e.g., map a drive to a shared folder on a file server), you generate audit logon events on that other computer regardless of whether you're using a local or domain account.

Don't confuse theAudit logon events audit category with the Audit account logon events category. You generate events in the Audit account logon events category on the computer that actually authenticates your username and password—in other words, on the computer on which the account that you're using resides. For example, when you log on to your workstation with a local user account in the workstation's SAM, you'll generate audit account logon events on that workstation. When you use a domain account to log on to the workstation, you generate audit account logon events on the DC that authenticates you. When you access a server over the network, you generate audit account logon events on the local server if you're using one of the server's local accounts, such as Administrator, to log on. But if you're using a domain account to log on, you generate audit account logon events on the DC.

Event ID 676, which Web Figure 2 shows, is a Kerberos event, whereas event ID 681 reflects the NT LAN Manager (NTLM) authentication protocol. Windows typically uses Kerberos for authentication, so you'll see event ID 676 on the DC when someone tries to log on with a disabled Active Directory (AD) domain account.

However, Windows can use Kerberos only when the account is an AD domain account and all the computers involved in the logon (i.e., a workstation, a DC, and possibly a server) run Windows 2000 or later and are in the same AD forest. If the user is using a local SAM account or if one of the computers involved in the logon is pre-Win2K or not part of your forest, Windows falls back on NTLM authentication. In that case, the DC logs event ID 681 when someone tries to log on with a disabled account. Because local accounts are always authenticated using NTLM, Windows also logs event ID 681 when a user tries to log on with a disabled local account from the SAM of a workstation or server.

Note that Kerberos events, such as event ID 676, include the IP address of the computer from which the user tried to log on. This information might help you track down security incidents.