Auditing (logging) unsuccessful user password attempts on windows domain (server 2008)

Here is what I would like to do...

I would like any unsuccessful password attempts logged on my domain servers event viewer. So... for example... if someone was trying to guess a users domain logon password from a terminal, server or from webmail, those unsuccessful attempts would be listed in the event viewer.

Here is what my network looks like

Windows 2008 R2 servers, 2 domain controllers, windows 7 PC's.

Here is what I have configured so far...

I have configured an "account lockout" group policy under the domain policy to lock users out after 3 attempts (for 10 minutes). I have configured auditing in the "default domain controller policy" under the domain controller organisational unit. I have configured the following policy settings... (the default domain controller policy has link enabled DISABLED and enforce DISABLED, although from what I have read this isn't impacting the outcomes)

Policy Setting
Audit account logon events                            Failure
Audit directory service access                        No auditing
Audit logon events                                           Failure
Audit policy change                                         No auditing
Audit privilege use                                           No auditing
Audit process tracking                                    No auditing
Audit system events                                        No auditing

I believe this should achieve my goal from what I have read.

The results

So far... if an account is locked out (3 incorrect attempts), IT DOES appear in the domain controllers event viewer. But when I attempt to guess a users password from a terminal, the failure IS NOT logged in the event viewer, only the account lockout after 3 attempts! But when I try to guess a users password from the server... that failure IS logged in the event viewer.

Please help

Can anyone shed light on this? what am i doing wrong?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Zac HarrisSystems Administrator Commented:
Each computer logs its own event viewer entries. The only way to make them appear on a different PC is to change the location the log is saved to. You will need to attach the log into the eventviewer on the server to view them.

You could connect to another PC from event viewer and view those logs however.

Here are those steps:

To connect to another computer in Event Viewer

    Open Event Viewer.

    In the console tree, right click Event Viewer (Local), and then click Connect to another computer

    Click Another computer, type the name of the computer, and then click OK. You can also find another computer on the network by clicking Browse.

Here are the steps to change the location the logs are saved to:

To modify the location of the Event Viewer log files:

    Click Start, click Run, type regedt32, and then click OK.
    On the Windows menu, click HKEY_LOCAL_ MACHINE on Local Machine.
        For the System log:
            Click the System\CurrentControlSet\Services\EventLog\System folder, and then double-click the FILE value.
            Type the new drive and path in the String box, include the file name \SysEvent.Evt, and then click OK. The default path is %SystemRoot%\System32\Config\SysEvent.Evt
        For the Application log:
            Click the System\CurrentControlSet\Services\EventLog\Application folder, and then double-click the FILE value.
            Type the new drive and path in the String box, include the file name \AppEvent.Evt, and then click OK. The default path is %SystemRoot%\System32\Config\AppEvent.Evt
        For the Security log:
            Click the System\CurrentControlSet\Services\EventLog\Security folder, and then double-click the FILE value.
            Type the new drive and path in the String box, include the file name \SecEvent.Evt, and then click OK. The default path is %SystemRoot%\System32\Config\SecEvent.Evt
    Quit Registry Editor, and then restart the computer.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sfabsAuthor Commented:
Hi Zac, Thank you for your reply.

I was hoping this wasn't the case, it makes it extremely difficult/ almost impossible to identify password attempt failures. I would have thought that as the username and password is checked with the domain controller that you could log failures on the domain controller.

Luckily if someone guesses via webmail those logs are captured in the mail server event log so it is easy to see.

Zac, would it be feasible to have ALL the desktop event logs redirect to a single log on a network share that I could browse, or is that not possible or just a bad idea?
Zac HarrisSystems Administrator Commented:
I would consider that a bad idea. It will generate massive log files. I will check and see if it's something that can be done just in case you still want to do it. However, I wouldn't recommend it.
sfabsAuthor Commented:
accurate and detailed explanantion
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.