How to track Win2k domain account lockouts

An easy way to track bad password attempts in a Windows 2000 domain.

This tip was submitted to the SearchWin2000.com tip exchange by member Randy Brown.


We recently implemented a new domain security policy with strict password length, age and expiration requirements. In addition, we set up strict lockout requirements that would lock out domain accounts for 120 minutes after five invalid attempts. This caused several user accounts to continuously get locked out, even though the users were logging on with their correct passwords. We would reset the accounts, and then five minutes later, the accounts would be locked out again. We determined that, even though the users were typing in their passwords correctly, something else (mapped drives, services, etc.) was using an incorrect password, which was locking the accounts.

An easy way to track bad password attempts in a Windows 2000 domain is to take advantage of the "checked build" of Netlogon.dll on the PDC emulator. (You should have the latest service pack installed before attempting this.) This creates a text file on the PDC emulator that you can use to determine which clients are generating the bad password attempts.

To take advantage of this feature, you need to make the following change to your registry:

  1. Start Regedt32 and locate the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag.

  2. Change the DBFlag value to 0x4 or 0x20000004. 0x4 only records logon processing; 0x20000004 records the time stamp in addition to the logon processing.

  3. Quit Regedt32.

  4. Restart the server.

In the %windir% folder there should be a debug folder with a file called Netlogon.log. This file records log events by client and by event. Below are some of the events that can help in troubleshooting locked-out accounts:

0xC0000234 User logon with account locked
0xC000006A User logon with misspelled or bad password
0xC0000072 User logon to account disabled by administrator
0xC0000193 User logon with expired account
0xC0000070 User logon from unauthorized workstation
0xC000006F User logon outside of authorized hours
0xC0000224 User logon with "change password at next logon" flagged
0xC0000071 User logon with expired password
0xC0000064 User logon with misspelled or bad user account

Successful logons can look like any of the following:

'Entered'
'Returns 0x0'
'Returns 0'

You can use this information to determine the client computer that is trying to log on unsuccessfully to the domain. Once you have determined the client computer, you can determine what is causing the invalid logon attempts and correct it so that the domain account no longer gets locked out.
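As an added example (not part of Randy Brown's tip), the following Python script parses Netlogon.log lines written with DBFlag 0x20000004, maps the status codes listed above to their meanings, and counts bad-password attempts per account and client against the five-attempt lockout threshold described in the policy. The exact line layout and the sample log entries are constructed for illustration; check them against a real Netlogon.log before relying on the regular expression.

```python
import re
from collections import Counter

# Failure codes from the article, keyed by the NTSTATUS value Netlogon writes.
STATUS = {
    "0xC0000234": "account locked",
    "0xC000006A": "bad password",
    "0xC0000072": "account disabled",
    "0xC0000193": "expired account",
    "0xC0000070": "unauthorized workstation",
    "0xC000006F": "outside authorized hours",
    "0xC0000224": "change password at next logon",
    "0xC0000071": "expired password",
    "0xC0000064": "bad user account",
}

# Assumed layout of a "Returns" line with DBFlag 0x20000004 (timestamp plus logon
# processing). "Entered" lines never match; "Returns 0x0" / "Returns 0" are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] SamLogon: \w+ logon of "
    r"(?P<account>\S+) from (?P<client>\S+) Returns (?P<status>0x[0-9A-Fa-f]+|0)$"
)

def parse_failures(lines):
    """Yield (timestamp, account, client, status, description) per failed logon."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group("status"), 16) == 0:
            continue  # no match, or a successful logon
        status = "0x" + m.group("status")[2:].upper()
        yield (m.group("ts"), m.group("account"), m.group("client"),
               status, STATUS.get(status, "other failure"))

def bad_password_sources(lines, threshold=5):
    """Count 0xC000006A per (account, client) and return the pairs that reached
    the article's lockout threshold of five attempts."""
    counts = Counter((acct, client) for _, acct, client, st, _ in parse_failures(lines)
                     if st == "0xC000006A")
    return {k: n for k, n in counts.items() if n >= threshold}

# Constructed sample: the user types the right password at WKSTN01 while a stale
# mapped drive on FILESRV keeps retrying an old one until the account locks.
SAMPLE_LOG = [
    "05/15 09:12:31 [LOGON] SamLogon: Network logon of CONTOSO\\jdoe from WKSTN01 Entered",
    "05/15 09:12:31 [LOGON] SamLogon: Network logon of CONTOSO\\jdoe from WKSTN01 Returns 0x0",
] + [
    f"05/15 09:1{i}:05 [LOGON] SamLogon: Network logon of CONTOSO\\jdoe from FILESRV Returns 0xC000006A"
    for i in range(5)
] + ["05/15 09:16:05 [LOGON] SamLogon: Network logon of CONTOSO\\jdoe from FILESRV Returns 0xC0000234"]
```

Run `bad_password_sources(open(r"C:\WINNT\debug\Netlogon.log"))` on the PDC emulator's log to list the account/client pairs that hit the threshold.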

Note: This same method can be used for an NT PDC, however, you first need to obtain the "checked build" of Netlogon.dll from Microsoft Technical Support or from the Microsoft Driver Development Kit.

This was first published in January 2003
