Does the ADS store loggin attempts failure and success?

Posted on 2007-09-28
Last Modified: 2010-04-18

Doe the Active Directory store the failures and success of all machines in the Domain.
Is there any way i can get the details of a single machine to a file?
Where should i check for it.

Question by:bsharath
    LVL 58

    Accepted Solution

    Hi Sharath,

    It depends on how you have your auditing set in the Default Domain Controllers GPO (or in another GPO if you've changed the settings) (Computer Config > Windows Settings > Security Settings > Local Policies > Audit Policies)

    For example, if you have "Audit account logon events" or "Audit logon events" set to both Success and Failure, then those events will be recorded. However they are recorded in the Security event log of the domain controller and you will need to examine that for further information.

    Since the computer which the users are authenticating against is the DC, there isn't a way to retrieve it for one specific user. The computer name which appears by the event is the DC's name, the user name is the SYSTEM account. The information (i.e. username and client IP address) is stored in the comments field - you would need to get some sort of program which can search the comments field for the workstation's IP address you want to find events for.

    Note that if your auditing isn't turned on now, then after you turn it on you can't go back and look at the events before it was switched on; events will only be recorded from the time you switch on and do a gpupdate /force on your DC(s).

    LVL 58

    Expert Comment

    I guess you would need to purchase or download an event viewing package with advanced filtering options to pull the events with the specific IP address in the comment field - your post here covers that: http:Q_22861089.html

    LVL 70

    Assisted Solution

    These events are not stored in active directory but in event logs - the security log to be precise.
    You can export the security log Administative Tools->Event Viewer->Security Log and select SAVE AS.

    Many people like save as a csv file on a regular basis and import into speadsheets or databases to keep a permanent record and to analyse the logs.

    Featured Post

    What Is Threat Intelligence?

    Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

    Join & Write a Comment

    Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
    Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    731 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now