Win2K3 Authentication Log?

Posted on 2009-04-30
Last Modified: 2012-05-06
1) Are there logs for failed authentication (or all authentication)?
2) If yes, where?
3) Would the same log cover VPN connections and OWA?
Question by:HilltownHealthCenter
    LVL 19

    Expert Comment

    If you check the event logs (security log I think) on the domain controller, you should see something there. I can't remember default settings, I know it doesn't show all authentication success and failure by default, as you would need to enable success and failure auditing manually, but I have a feeling that by default it logs log on failure events...

    Take a look at the audit policy on the DCs, see what it's set to... Or just look through the sec logs on the DC, see what you can find.

    Details here - (logon types, event IDs etc) -

    Author Comment

    The security properties filter has all 5 types of event checked (success, failure, etc.).  I tried the following test:

    Cleared the security events viewer
    Logged off the DC
    Attempted to log into the DC using bad PW (failed, 4 time sequentially)
    Logged into the DC using the correct PW
    Checked the Security Event log.

    There are only successes listed in the log, no records of failure.
    LVL 19

    Accepted Solution

    Very sorry, this question got lost and I've only just spotted it again.

    What you said above is correct - It doesn't matter what the security filter says, as unless the events are audited in the first place, they won't show up in the logs regardless of the filter settings.

    You can find the auditing policy settings within the group policy management console - You need to find the 'Default Domain Controller' policy, and look at the settings for:

    Computer Config > Windows Settings > Security Settings > Local Policies/Audit Policy

    This is where it's specified what the DCs will actually audit. Specifically you want to look at the setting for Logon Events, and ensure success, failure etc etc is selected. Once this is done, the DCs will actually start auditing these events, and then you will be able to view them in the Security log on the DCs. :)

    Again, I'm very sorry about the delayed response, I'll be monitoring this carefully now for any further questions...


    Author Comment

    Thanks for the additional information. I found the settings, and only success is listed in the "Audit account logon events". Now I see that I can change it to "failure", but then I lose the success audit. How can I add a new policy to audit both type events?

    Author Closing Comment

    I now see that both success and failure can be checked in the same policy.
    Thank you.
    LVL 19

    Expert Comment

    You're welcome, once again, I'm sorry I lost track of this question before!

    Take care,


    Featured Post

    Free Trending Threat Insights Every Day

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
    ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now