Event Log on Domain Controller-- How to identify successful and failed user logins on domain pcs

Posted on 2014-08-21
Last Modified: 2014-08-26
We have a Windows domain with two domain controllers (server 2008 R2).  I'd like to search the event log of the DCs for failed user logins (bad password or bad user name, for example)

I thought that event 4625 would be the correct event number.  The Audit logon events policy is set to failure for the domain controllers.

I just attempted a logon to a member PC using a bad password-- nothing showed up in either domain controller event list.

I also attempted to remote desktop to the domain controller itself with a bad password.  Again, I can't find the error in the security log.

Where would these failed attempts appear in the event list of the domain controller?

Thanks in advance.
Question by:dakota5
    LVL 3

    Expert Comment

    by:Liam Somerville
    You're auditing in the wrong place!

    Audit ACCOUNT logon Events:

    Author Comment

    According to that link, the events will post in the domain controller's security log.  That's where I'm looking.
    What is the correct location?

    Accepted Solution

    Apparently the Audit Failure (keyword) Event ID=4776 appears on only ONE domain controller, the one that processed the authentication.  This is generally the domain controller with the FSMO PDC Emulator Role.
    LVL 3

    Expert Comment

    by:Liam Somerville
    You are correct; it would only appear on the DC that authenticated it. Sorry for the late response - I just saw your replies.

    Author Closing Comment

    This is the answer.  I discovered this through trial and error, then confirmed with information on the internet.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Highfive + Dolby Voice = No More Audio Complaints!

    Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

    Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
    This is a short article about OS X KeRanger, and what people can do to get rid of it.
    This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
    This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

    758 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    13 Experts available now in Live!

    Get 1:1 Help Now