Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1160
  • Last Modified:

Event Log on Domain Controller-- How to identify successful and failed user logins on domain pcs

We have a Windows domain with two domain controllers (server 2008 R2).  I'd like to search the event log of the DCs for failed user logins (bad password or bad user name, for example)

I thought that event 4625 would be the correct event number.  The Audit logon events policy is set to failure for the domain controllers.

I just attempted a logon to a member PC using a bad password-- nothing showed up in either domain controller event list.

I also attempted to remote desktop to the domain controller itself with a bad password.  Again, I can't find the error in the security log.

Where would these failed attempts appear in the event list of the domain controller?

Thanks in advance.
0
dakota5
Asked:
dakota5
  • 3
  • 2
1 Solution
 
Liam SomervilleSenior Security ConsultantCommented:
You're auditing in the wrong place!

Audit ACCOUNT logon Events: http://technet.microsoft.com/en-us/library/cc787176(v=ws.10).aspx
0
 
dakota5Author Commented:
According to that link, the events will post in the domain controller's security log.  That's where I'm looking.
What is the correct location?
0
 
dakota5Author Commented:
Apparently the Audit Failure (keyword) Event ID=4776 appears on only ONE domain controller, the one that processed the authentication.  This is generally the domain controller with the FSMO PDC Emulator Role.
0
 
Liam SomervilleSenior Security ConsultantCommented:
You are correct; it would only appear on the DC that authenticated it. Sorry for the late response - I just saw your replies.
0
 
dakota5Author Commented:
This is the answer.  I discovered this through trial and error, then confirmed with information on the internet.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now