DOCUMENT:Q189541  06-AUG-2002  [crossnet]
TITLE   :Using the Checked Netlogon.dll to Track Account Lockouts
PRODUCT :Windows for Workgroups and Windows NT Networking Issues
PROD/VER::4.0
OPER/SYS:
KEYWORDS:

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server version 4.0
 - Microsoft Windows NT Server, Enterprise Edition version 4.0
 - Microsoft Windows 98
 - Microsoft Windows 95
-------------------------------------------------------------------------------

IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that you
understand how to restore the registry if a problem occurs. For information
about how to back up, restore, and edit the registry, click the following
article number to view the article in the Microsoft Knowledge Base:

   Q256986 Description of the Microsoft Windows Registry

SUMMARY
=======

Account lockouts can be very difficult to track for several reasons. One reason
is that the bad password attempts are only recorded on the domain controller
that processed the logon attempt (this is for Microsoft Windows 95-based and
Microsoft Windows 98-based clients). Another problem is that, because Microsoft
Windows NT-based clients are capable of recording the information locally, a
log entry is not recorded on any domain controller.

MORE INFORMATION
================

WARNING: If you use Registry Editor incorrectly, you may cause serious problems
that may require you to reinstall your operating system. Microsoft cannot
guarantee that you can solve problems that result from using Registry Editor
incorrectly. Use Registry Editor at your own risk.

A relatively easy way to track bad password attempts in a domain is to install
the checked build of Netlogon.dll on the primary domain controller (PDC).
This creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts, for both Windows NT-based and
Windows 95-based clients. The checked build of Netlogon.dll can be obtained
from Microsoft Technical Support and also in the Microsoft Driver Development
Kit (DDK).

To install the checked build of Netlogon.dll on Windows NT 4.0:

1. Go to the folder.

2. Rename Netlogon.dll to Netlogon.fre.

3. Copy the checked version of Netlogon.dll to the folder.

4. Start Regedt32, and then locate the following registry key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

5. Change the DBFlag value to 0x4.

   NOTE: Setting DBFlag to 0x4 only records logon processing. Setting it to
   0x20000004 records the time stamp in addition to the logon event.

6. Quit Regedt32.

7. Restart the server.

8. Confirm that the debug directory was created under the folder and contains
   a Netlogon.log file.

Examples
--------

In the examples below:

   PORSCHE\example = User Account
   TARGA           = BDC
   928S4           = Windows NT Workstation
   928WIN95        = Windows 95
   911Turbo        = PDC

Different clients log different messages.

Windows NT Workstation:

   [LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Entered
   [LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Returns 0xC000006A
   [LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Entered
   [LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Returns 0xC0000234

In the above example, you can see where you try to log on, are unsuccessful
with a bad password, try to log on again, and then are unsuccessful with a
locked out account.

The only difference with Windows 95 and Windows 98 is the omission of the
domain name:

   [LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Entered
   [LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Returns 0xC000006A
   [LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Entered
   [LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Returns 0xC0000234

A successful account logon can resemble:

   [LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Entered
   [LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Returns 0x0
   [LOGON] NetrLogonUasLogon of EXAMPLE from 928WIN95 returns 0

The errors you most likely receive are:

   0xC0000234   User logon with Account Locked
   0xC000006A   User logon with Misspelled or bad Password
   0xC0000072   User logon to account disabled by Administrator
   0xC0000193   User logon with Expired Account
   0xC0000070   User logon from unauthorized workstation
   0xC000006F   User logon Outside authorized hours
   0xC0000224   User logon with "Change Password at Next Logon" flagged
   0xC0000071   User logon with Expired Password
   0xC0000064   User logon with Misspelled or Bad User Account

To track user account lockouts, only the 234 and 6A errors are important to us.

NOTE: These errors are only a partial listing. Ntstatus.h has all the
0xcxxxxxxx listings.

After the workstation that has been sending the bad passwords has been
identified, the workstation can be configured correctly or the user can be
informed of the correct password.
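The following is an added example, not code from the article or from Microsoft: it parses Netlogon.log lines in the format shown above and counts 0xC000006A and 0xC0000234 results per user and client workstation, which is the lookup the article describes doing by eye. The function names are this example's own, and it assumes that any time stamp prefix comes before "[LOGON]" on the line.

```python
import re
from collections import Counter

BAD_PASSWORD = 0xC000006A    # "Misspelled or bad Password" in the article's list
ACCOUNT_LOCKED = 0xC0000234  # "Account Locked" in the article's list

# Matches the "Returns" lines in the article's format. Anything before "[LOGON]"
# (for example a time stamp, whose layout the article does not show) is ignored.
LINE_RE = re.compile(
    r"\[LOGON\] SamLogon: (?P<kind>\w+) logon of (?P<domain>[^\\]+)\\(?P<user>\S+)"
    r" from (?:\\\\)?(?P<client>\S+)(?: \(via (?P<via>[^)]+)\))?"
    r" Returns (?P<status>0x[0-9A-Fa-f]+)")

# Constructed sample, assembled from the article's own example lines.
SAMPLE_LOG = r"""
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Entered
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Returns 0xC000006A
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Returns 0xC0000234
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Returns 0xC000006A
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Returns 0xC0000234
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Returns 0x0
[LOGON] NetrLogonUasLogon of EXAMPLE from 928WIN95 returns 0
"""

def parse_line(line):
    """Return a dict for a SamLogon 'Returns' line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"], 16)
    # Windows 95/98 clients log "(null)" for the domain and upper-case the user.
    rec["domain"] = None if rec["domain"] == "(null)" else rec["domain"]
    rec["user"], rec["client"] = rec["user"].lower(), rec["client"].upper()
    return rec

def lockout_sources(lines):
    """Count bad-password and locked-out results per (user, client workstation)."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (BAD_PASSWORD, ACCOUNT_LOCKED):
            counts.setdefault((rec["user"], rec["client"]), Counter())[rec["status"]] += 1
    return counts

if __name__ == "__main__":
    for (user, client), c in sorted(lockout_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{user:10} {client:10} bad_password={c[BAD_PASSWORD]} locked={c[ACCOUNT_LOCKED]}")
```
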
Copyright Microsoft Corporation 2002.