How do you check login attempts/bad password Windows 2003 domain user?

Is there any easy way to check user login times and bad password attempts for a normal user on a Windows 2003 domain?

In the Event Viewer of the DCs, all logon attempts to the domain are logged. If you have a large number of users it will be huge, though.
bertiebigb (Author) Commented:
Thanks. Any easier way though? Got lots of DCs.
Without extra software or money? Not really. You can use "forwarded events" to get them all to one place but without extra software I don't think you can.
Radhakrishnan R, Senior Technical Lead, Commented:

You can configure this security setting by opening the appropriate policy (default domain policy) and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\

Once you have enabled the policies, you can go to Event Viewer and check the Security logs for the following events:
Event ID 24
A user account was created.
A user password was changed.
A user password was set.
A user account was deleted.
A global group was created.
A member was added to a global group.
A member was removed from a global group.
A global group was deleted.
A new local group was created.
A member was added to a local group.
A local security group with security disabled was changed.
A member was added to a security-disabled local security group.
A member was removed from a security-disabled local security group.
A security-disabled local group was deleted.

There are a lot more apart from these. This is how companies perform audits. I would suggest going for this instead of purchasing third-party tools.

Good luck
Pramod Ubhe Commented:
Try this one -

Check for the latest bad password time and the DC where it is recorded; on that DC, check for audit failure logs in the security event logs for the exact time mentioned in this tool, which will give you the source/client IP address.

bertiebigb (Author) Commented:
Excellent. Just the job.
bertiebigb (Author) Commented:
Yes, got that, but it just gives times for the user per DC.
Pramod Ubhe Commented:
Yeah, once you get the DC name and timestamp, check the audit failure logs in the security event logs of that DC for the exact time given in that tool. Once you find that event, it will show you the client IP which is the source of the bad password. If you need to analyze further, check the event logs of the client IP for the exact same time, where you will get the PID of the process generating the bad password, which in turn can be identified through Task Manager.
This is complicated, but it depends on you how far you want to dig: just the source IP or the exact root cause.
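
The lookup described in the answer above (latest bad password time per DC, then the audit failures on that DC around that time) can be scripted. This is an added example, not part of the original thread and not the tool linked there; it assumes a domain-joined admin workstation with Windows PowerShell and remote read access to the DCs' Security logs, and `jdoe` and `$WindowMinutes` are placeholders.

```powershell
# Added example. Assumes a domain-joined admin workstation with Windows PowerShell
# and rights to read each DC's Security log remotely. 'jdoe' is a placeholder.
param(
    [string]$SamAccountName = 'jdoe',
    [int]$WindowMinutes = 2      # search this far either side of badPasswordTime
)
# Reject anything that could alter the LDAP filter built below.
if ($SamAccountName -notmatch '^[A-Za-z0-9._$-]+$') { throw 'Unexpected account name' }

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# badPwdCount and badPasswordTime are not replicated: each DC holds its own values.
$perDc = foreach ($dc in $domain.DomainControllers) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($dc.Name)"
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.AddRange([string[]]('badPwdCount', 'badPasswordTime'))
    try { $hit = $searcher.FindOne() }
    catch { Write-Warning "$($dc.Name): $_"; continue }
    if (-not $hit) { continue }
    # Result property names are lower-case; an unset attribute converts to 0.
    $ft = [long]($hit.Properties['badpasswordtime'] | Select-Object -First 1)
    New-Object PSObject -Property @{
        DC              = $dc.Name
        BadPwdCount     = [int]($hit.Properties['badpwdcount'] | Select-Object -First 1)
        BadPasswordTime = $(if ($ft -gt 0) { [DateTime]::FromFileTime($ft) })
    }
}
$perDc | Sort-Object BadPasswordTime -Descending |
    Format-Table DC, BadPwdCount, BadPasswordTime -AutoSize | Out-Host

# Take the DC that saw the most recent bad password and pull its audit failures
# from the Security log around that time, keeping only events that mention the user.
$latest = $perDc | Where-Object { $_.BadPasswordTime } |
    Sort-Object BadPasswordTime -Descending | Select-Object -First 1
if ($latest) {
    $from = $latest.BadPasswordTime.AddMinutes(-$WindowMinutes)
    $to   = $latest.BadPasswordTime.AddMinutes($WindowMinutes)
    Get-EventLog -ComputerName $latest.DC -LogName Security -EntryType FailureAudit `
                 -After $from -Before $to |
        Where-Object { $_.Message -match [regex]::Escape($SamAccountName) } |
        Select-Object TimeGenerated, EventID, Message | Format-List
}
```

Failure events only appear if the audit policy mentioned earlier in the thread is enabled on the DCs.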