Where Are Active Directory Security Logs?

Simple question: I recently set up a Windows 2000 Active Directory for a small office.  It has worked well except for a couple of user accounts that got locked out for unknown reasons.  My policy allows up to 5 bad logins within an hour before locking out an account and nobody remembers typing bad passwords.  (Nobody ever does...  :-)  )  Anyway, back in the old days of Win NT 4, I would just go to the event log on the domain controller and see when the bad logins occurred.  On Win2k, however, I'm not seeing anything relating to AD logins on the event log.  I'm pretty sure I have auditing turned on for all of the appropriate AD events.  Where would I look for logs of these AD events?

--> Daryl Shockey

Pete Long (Technical Consultant) Commented:
You should be looking in the Security event log. Are you sure the policy is applied?

You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\


1. Open Active Directory Users and Computers.
2. In the console tree, right-click the domain or organizational unit for which you want to set Group Policy.
3. Click Properties, and then click the Group Policy tab.
4. Click Edit to open the Group Policy object (GPO) that you want to edit. You can also click New to create a new GPO, and then click Edit.
5. In the console tree, click Audit Policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy).
6. In the details pane, double-click the event category whose auditing policy settings you want to change.
7. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.
8. Do one or both of the following, and then click OK:
   - To audit successful attempts, select the Success check box.
   - To audit unsuccessful attempts, select the Failure check box.

Logon Events

Event ID  Description
528  A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
529  Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530  Logon failure. A logon attempt was made by a user account outside of its allowed logon hours.
531  Logon failure. A logon attempt was made using a disabled account.
532  Logon failure. A logon attempt was made using an expired account.
533  Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534  Logon failure. The user attempted to log on with a type that is not allowed.
535  Logon failure. The password for the specified account has expired.
536  Logon failure. The Net Logon service is not active.
537  Logon failure. The logon attempt failed for other reasons. Note: In some cases, the reason for the logon failure may not be known.
538  The logoff process was completed for a user.
539  Logon failure. The account was locked out at the time the logon attempt was made.
540  A user successfully logged on to a network.
541  Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.
542  A data channel was terminated.
543  Main mode was terminated. Note: This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination.
544  Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
545  Main mode authentication failed because of a Kerberos failure or a password that is not valid.
546  IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.
547  A failure occurred during an IKE handshake.
548  Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client.
549  Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.
550  Notification message that could indicate a possible denial-of-service attack.
551  A user initiated the logoff process.
552  A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
682  A user has reconnected to a disconnected terminal server session.
683  A user disconnected a terminal server session without logging off. Note: This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.
When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.

Logon type  Logon title  Description
2  Interactive  A user logged on to this computer.
3  Network  A user or computer logged on to this computer from the network.
4  Batch  Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5  Service  A service was started by the Service Control Manager.
7  Unlock  This workstation was unlocked.
8  NetworkCleartext  A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9  NewCredentials  A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10  RemoteInteractive  A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11  CachedInteractive  A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
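The two tables above are what you work from once the Security log is actually filling up. The following is an added example, not code from the thread or from Microsoft: it decodes a Security-log extract with those tables and then answers the question asked at the top, namely which workstation produced the bad-password attempts that tripped a "5 bad logins within an hour" lockout. The log extract, its pipe-separated field layout, and the account and workstation names are all constructed for the example; on a real pre-Vista domain controller the workstation name is a field inside the text of the 529 event, so you would fill the same fields from Event Viewer (or an exported .evt/.csv) rather than from this string.

```python
# Added example (not from the thread): decode logon audit events with the
# Logon Events / Logon Types tables and locate the source of a lockout.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Failure event IDs and their meanings, from the Logon Events table above.
LOGON_FAILURE_REASON = {
    529: "unknown user name or bad password", 530: "outside allowed logon hours",
    531: "account disabled", 532: "account expired",
    533: "not allowed to log on at this computer", 534: "logon type not allowed",
    535: "password expired", 536: "Net Logon service not active",
    537: "other reason", 539: "account locked out",
    548: "SID from trusted domain does not match account domain SID",
    549: "SIDs for untrusted namespaces filtered (cross-forest)",
}
# Logon types reported with event 528, from the Logon Types table above.
LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
              8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
              11: "CachedInteractive"}

# Constructed sample extract (not a real log). One event per line:
# time | event ID | account | logon type | workstation name from the event text
SAMPLE_LOG = """\
2003-06-10 08:01:10 | 528 | jsmith   | 2 | WS-FRONT
2003-06-10 08:15:02 | 529 | dshockey | 3 | WS-OLDLAPTOP
2003-06-10 08:15:09 | 529 | dshockey | 3 | WS-OLDLAPTOP
2003-06-10 08:20:44 | 529 | jsmith   | 2 | WS-FRONT
2003-06-10 08:31:30 | 529 | dshockey | 3 | WS-OLDLAPTOP
2003-06-10 08:33:05 | 530 | bob      | 2 | WS-BACK
2003-06-10 08:40:12 | 529 | dshockey | 3 | WS-OLDLAPTOP
2003-06-10 08:41:58 | 529 | dshockey | 3 | WS-OLDLAPTOP
2003-06-10 08:45:00 | 539 | dshockey | 2 | WS-DARYL
2003-06-10 09:50:00 | 529 | jsmith   | 2 | WS-FRONT
"""
LINE_RE = re.compile(r"^(\S+ \S+)\s*\|\s*(\d+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*\|\s*(\S+)\s*$")


def parse_log(text):
    """Parse the pipe-separated extract into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, eid, account, ltype, ws = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "account": account,
                       "logon_type": int(ltype), "workstation": ws})
    return sorted(events, key=lambda e: e["time"])


def describe(ev):
    """One-line human reading of an event using the two tables."""
    if ev["id"] == 528:
        what = "successful logon"
    elif ev["id"] in LOGON_FAILURE_REASON:
        what = "logon failure: " + LOGON_FAILURE_REASON[ev["id"]]
    else:
        what = f"event {ev['id']}"
    ltype = LOGON_TYPE.get(ev["logon_type"], "unknown")
    return (f"{ev['time']:%H:%M:%S} {ev['account']}: {what}; "
            f"type {ev['logon_type']} ({ltype}) from {ev['workstation']}")


def bad_password_sources(events, threshold=5, window=timedelta(hours=1)):
    """{account: {workstation: count}} for accounts whose 529 events reach
    `threshold` inside any span of length `window`, i.e. the attempts that
    would trip the lockout policy in the question. Only 529 is counted: a 539
    means the account was already locked when that attempt arrived."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 529:
            by_account[ev["account"]].append(ev)
    hits = {}
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):            # sliding window over sorted events
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                counts = defaultdict(int)
                for ev in evs[start:end + 1]:  # where the triggering attempts came from
                    counts[ev["workstation"]] += 1
                hits[account] = dict(counts)
                break
    return hits


def first_lockout(events):
    """Earliest 539 per account: when the lockout first became visible."""
    seen = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 539 and ev["account"] not in seen:
            seen[ev["account"]] = ev["time"]
    return seen


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(describe(ev))
    print("lockout sources:", bad_password_sources(evs))
    print("first 539 per account:", first_lockout(evs))
```

On the constructed data the 539 for dshockey comes from WS-DARYL, which is only where the already-locked account was noticed; the five 529 events that caused the lock all came from WS-OLDLAPTOP over a 27-minute span, which is the machine to look at. That distinction (count 529 to find the cause, read 539 only for the time) is the one the question needed the logs for.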

trywaredk Commented:
>"Nobody ever does...  "

Maybe you are being troubled by virus/spyware/trojans/backdoors ??? Test and remove !!!

Protect yourself with a solid solution

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open
Use this free online Trend Housecall scanner to find and clean every known virus/rootkits/backdoors:

Some viruses can't be removed by housecall. If so, use the free Trend Micro system cleaner:

If you get an ActiveX error when loading the HouseCall web page:

If you want to secure your company's workstations in the future, consider purchasing OfficeScan:

If you can afford it, you can get an url-scanning engine installed on a server with workstation, server-, email and url-scanning engine from

Virus Information Alliance (VIA)

Review of the best antivirus solutions:

SoftScan puts an end to virus and spam threats from the Internet

Getting a personal Firewall

Download the free version of Sygate personal firewall

Download the free version of ZoneAlarm firewall

Comparative reviews of personal firewall software:

Firewall Product Selector - Choose yourself which one to compare

The Internet Connection Firewall Can Prevent Browsing and File Sharing

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:

SpyFerret detects & removes spyware

Bazooka Adware and Spyware Scanner v1.13.01

Automatic check of your browser for parasites, adware and spyware
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://pestpatrol.com/Support/About/About_Ports_And_Trojans.asp - portlist

List of known Trojan/Backdoors and the TCP/UDP ports on which they operate

Internet Storm Center - Input portnumber and press GO

IPEye is a freeware TCP port scanner
Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.

Port scan.. Get an instant security analysis now. You dont even need to know your own IP address!

How to recover an already compromised system, visit the CERT Coordination Center:

Also remember to patch up with latest hotfixes...

About Windows Update (SUS)

Download and install Microsofts automatic update server (also known as SUS)
dshockey (Author) Commented:
I just checked and auditing for success and failure of both "Account Logon" and "Logon" is turned on at all levels:
  - Local Security Policy
  - Domain Security Policy
  - Domain Controller Security Policy
  - Group Policy for organizational unit in which all users exist

When I run the event viewer (eventvwr) on the AD domain controller, I do not see *any* entries in the Security Log.  All other logs have entries in them.

--> Daryl Shockey
dshockey (Author) Commented:
I'm borderline psychotic about keeping up-to-date with service packs and hotfixes.  While I certainly won't dismiss the possibility of it being a virus/trojan horse, the fact remains that I have no way of determining which machine contains the offending program because I have no log of when or where the bad login attempt occurred.

--> Daryl Shockey
dshockey (Author) Commented:
I spoke too soon earlier.  It turns out that I am now getting audit trails which I didn't get earlier.  I'm not sure which setting worked (since I modified a few at the same time).  But I can figure that part out now.

Thanx Petelong!

trywaredk:  These are supposed to be meaningful dialogues.  Your comment about the possibility of it being a virus or trojan horse was good.  The *really* extensive list of links that followed was not and would only frustrate somebody trying to enter into this thread.  Please don't bomb threads with url lists like this.  Make a web page that has all of these links and post one url to that web page.

--> Daryl Shockey
Pete Long (Technical Consultant) Commented:
Thanks Daryl, glad you got there (even if you're not sure how).

>"Make a web page that has all of these links and post one url to that web page"

:o) What a great idea - thank you

BTW: DSHOCKEY - Please comment here: