Does the ADS store login attempts failure and success?

Posted on 2007-09-28
Last Modified: 2010-04-18

Does the Active Directory store the failures and successes of all machines in the domain?
Is there any way I can get the details of a single machine to a file?
Where should I check for it?

Question by:bsharath

Accepted Solution

tigermatt earned 1600 total points
ID: 19983417
Hi Sharath,

It depends on how you have your auditing set in the Default Domain Controllers GPO (or in another GPO if you've changed the settings) (Computer Config > Windows Settings > Security Settings > Local Policies > Audit Policies).

For example, if you have "Audit account logon events" or "Audit logon events" set to both Success and Failure, then those events will be recorded. However, they are recorded in the Security event log of the domain controller and you will need to examine that for further information.

Since the computer which the users are authenticating against is the DC, there isn't a way to retrieve it for one specific user. The computer name which appears by the event is the DC's name, the user name is the SYSTEM account. The information (i.e. username and client IP address) is stored in the comments field - you would need to get some sort of program which can search the comments field for the workstation's IP address you want to find events for.

Note that if your auditing isn't turned on now, then after you turn it on you can't go back and look at the events before it was switched on; events will only be recorded from the time you switch on and do a gpupdate /force on your DC(s).


Expert Comment

ID: 19983419
I guess you would need to purchase or download an event viewing package with advanced filtering options to pull the events with the specific IP address in the comment field - your post here covers that: http:Q_22861089.html


Assisted Solution

KCTS earned 400 total points
ID: 19983434
These events are not stored in Active Directory but in event logs - the security log to be precise.
You can export the security log: Administrative Tools -> Event Viewer -> Security Log and select SAVE AS.

Many people like to save as a CSV file on a regular basis and import into spreadsheets or databases to keep a permanent record and to analyse the logs.
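
An added example, not part of any answer above: a Python filter over a Security log saved as CSV that keeps only the events whose description names one workstation's IP address, matching the address exactly so that 10.0.0.2 does not also pull in 10.0.0.25. The column order, the sample rows and the "User Name:" wording are constructed assumptions; adjust them to your own export.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Assumed column order of the saved CSV (no header row); adjust to your export.
FIELDS = ["Type", "Date", "Time", "Source", "Category",
          "Event", "User", "Computer", "Description"]

# Constructed sample rows, not real log data.
SAMPLE = r'''Failure Audit,9/28/2007,9:14:02 AM,Security,Account Logon,675,NT AUTHORITY\SYSTEM,DC01,"Pre-authentication failed:
 User Name: jdoe
 Client Address: 10.0.0.25"
Success Audit,9/28/2007,9:14:40 AM,Security,Account Logon,672,NT AUTHORITY\SYSTEM,DC01,"Authentication Ticket Request: User Name: jdoe Client Address: 10.0.0.25."
Success Audit,9/28/2007,9:15:10 AM,Security,Account Logon,672,NT AUTHORITY\SYSTEM,DC01,"Authentication Ticket Request: User Name: asmith Client Address: 10.0.0.2"
Failure Audit,9/28/2007,9:16:31 AM,Security,Account Logon,675,NT AUTHORITY\SYSTEM,DC01,"Pre-authentication failed: User Name: asmith Client Address: 10.0.0.250"
'''

DOTTED = re.compile(r"\d+(?:\.\d+)+")     # candidate dotted-number tokens
USER = re.compile(r"User Name:\s*(\S+)")  # assumed description wording

def mentions_ip(text, wanted):
    """True if text contains exactly this address (10.0.0.2 != 10.0.0.25)."""
    for token in DOTTED.findall(text):
        try:
            if ipaddress.ip_address(token) == wanted:
                return True
        except ValueError:                 # not an address, e.g. a version string
            continue
    return False

def events_for_ip(csv_text, ip):
    """Rows whose Description names the given workstation address."""
    wanted = ipaddress.ip_address(ip)
    reader = csv.DictReader(io.StringIO(csv_text), fieldnames=FIELDS)
    return [row for row in reader if mentions_ip(row["Description"] or "", wanted)]

def summarize(rows):
    """Count events per (audit type, user named in the description)."""
    counts = Counter()
    for row in rows:
        m = USER.search(row["Description"])
        counts[(row["Type"], m.group(1) if m else "?")] += 1
    return counts
```

Pass the text of the exported file to `events_for_ip` together with the workstation's address, then hand the result to `summarize` or write the rows back out with `csv.DictWriter`.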
