Security Log failure events.


Sean

Hello, I am working on a small script that tracks failed account logon
attempts. Unfortunately I am noticing that there are several different event
log IDs that are reported depending upon how a user account is
authenticated (i.e. Kerberos, NTLM etc.). I have not found any specific
information on the KB about what events different clients will generate when
an account logon attempt fails. Any help would be greatly appreciated.

Sean
 
Hi Sean-

Are you tracking this on workstations, or at your domain controller(s)?
 
I am currently working on this with DCs. I am planning on implementing
this check on local workstations at some point to see if someone is password
guessing against a local machine account on a workstation or member server.
The overall goal is to have a script run several times per day looking for
unusual numbers of failed logon attempts on computers. I have already found
KB articles 299475 and 174073, but I want to make sure that I cover all of
the logon methods that Windows 2000 or 2003 can support in case a machine is
improperly configured and accepting older logon methodologies.

Sean
 