Auditing Logon Failures Does Not Log Remote Failures (172402)
The information in this article applies to:
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0
This article was previously published under Q172402 SYMPTOMSWhen auditing logon and logoff failures on a Domain
Controller, not all expected failure audit event messages are recorded in the
Security Event Log of a domain controller.CAUSEThis behavior may occur if a user does not log on to a
member Windows NT workstation or server by using an account that has domain
credentials. In this case, the local Security Log records an Event 529 (Logon
Failure) event message. There is no failure audit recorded on a domain
controller when the domain user's logon does not succeed. The account may be
locked out if configured to do so, but no event message is
recorded.RESOLUTIONYou cannot force the domain controllers to log this failure
audit. However there is an event message to audit the locking of an account on
a domain controller.
For additional
information, click the following article number to view the article in the
Microsoft Knowledge Base: 182918
Account Lockout Event Also Stored in Security Event Log on Domain Controller
For additional information about how to track the failed
logon attempts on each workstation and member server, click the following
article number to view the article in the Microsoft Knowledge Base: 171148
Automating Detection of Logon Failures in a Windows NT
Domain
STATUS Microsoft has confirmed
that this is a problem in Windows NT 3.51 and Windows NT 4.0.
Microsoft is researching this problem and will post more information in this
article when the information becomes available.
| Modification Type: | Major | Last Reviewed: | 12/26/2002 |
|---|
| Keywords: | kbnetwork KB172402 |
|---|
|