Auditing Logon Events



Barry
07-09-2005, 11:52 PM
Hi,
I am having some trouble with the account lockout policy on my W2K3 Domain
with W2K clients.
I have a policy which says accounts should be locked out after 4
unsuccessful logon attemps and am finding that our users are often locked out
of their accounts without having entered an incorrect password even once.
I would like to audit the un-successful logon attempts on the Domain to
determine why the accounts are being locked but am led to believe that this
can only be done on each local computer and there is no centralised log for
monitoring Domain logons.
Can you clarify this for me and maybe direct me on how I might determine why
the accounts are being locked.

Roger Abell
07-09-2005, 11:52 PM
You should search the MS website as they, late last year if I am remembering
correctly, released a set of tools and guidance for troubleshooting account
lockout. Have you done a search yet at the support.microsoft.com site, as
it
is likely "account lockout" would pull it up for you also.
See the linked-to mentioned in :
http://support.microsoft.com/default.aspx?scid=kb;en-us;315585
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Barry" <Barry@discussions.microsoft.com> wrote in message
news:601BB23D-A85A-4DA5-88A0-3AD0DD11E224@microsoft.com...
> Hi,
> I am having some trouble with the account lockout policy on my W2K3 Domain
> with W2K clients.
> I have a policy which says accounts should be locked out after 4
> unsuccessful logon attemps and am finding that our users are often locked
out
> of their accounts without having entered an incorrect password even once.
> I would like to audit the un-successful logon attempts on the Domain to
> determine why the accounts are being locked but am led to believe that
this
> can only be done on each local computer and there is no centralised log
for
> monitoring Domain logons.
> Can you clarify this for me and maybe direct me on how I might determine
why
> the accounts are being locked.

Barry
07-09-2005, 11:53 PM
Thanks Roger, I've downloaded the tools and will attempt to track down the
cause of the problem using these.
Thanks for you input.

"Roger Abell" wrote:

> You should search the MS website as they, late last year if I am remembering
> correctly, released a set of tools and guidance for troubleshooting account
> lockout. Have you done a search yet at the support.microsoft.com site, as
> it
> is likely "account lockout" would pull it up for you also.
> See the linked-to mentioned in :
> http://support.microsoft.com/default.aspx?scid=kb;en-us;315585
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Barry" <Barry@discussions.microsoft.com> wrote in message
> news:601BB23D-A85A-4DA5-88A0-3AD0DD11E224@microsoft.com...
> > Hi,
> > I am having some trouble with the account lockout policy on my W2K3 Domain
> > with W2K clients.
> > I have a policy which says accounts should be locked out after 4
> > unsuccessful logon attemps and am finding that our users are often locked
> out
> > of their accounts without having entered an incorrect password even once.
> > I would like to audit the un-successful logon attempts on the Domain to
> > determine why the accounts are being locked but am led to believe that
> this
> > can only be done on each local computer and there is no centralised log
> for
> > monitoring Domain logons.
> > Can you clarify this for me and maybe direct me on how I might determine
> why
> > the accounts are being locked.
>
>
>


Auditing Logon Events