Auditing User Authentication
Article ID: 174073 - View products that this article applies to.
This article was previously published under Q174073
This article contains tips for interpreting security auditing events that are related to user authentication.
These events will all appear in the Security event log and will be logged with a source of Security.
For more information about security events, click the following article number to view the article in the Microsoft Knowledge Base:
EventID Description ------- ----------- 514 An authentication package has been loaded by the LSA 515 A trusted logon process has registered with the LSA 518 A notification package has been loaded by the Security Account Manager 528 Successful Logon 529 Logon Failure: Unknown user name or bad password 530 Logon Failure: Account logon time restriction violation 531 Logon Failure: Account currently disabled 532 Logon Failure: The specified user account has expired 533 Logon Failure: User not allowed to logon at this computer 534 Logon Failure: The user has not been granted the requested logon type at this machine 535 Logon Failure: The specified account's password has expired 536 Logon Failure: The NetLogon component is not active 537 Logon Failure: An unexpected error occurred during logon 538 User Logoff 539 Logon Failure: Account locked out 644 User Account Locked Out
(http://support.microsoft.com/kb/174074/ )Security event descriptions
Security identifiers (SIDs)Some security events report SIDs instead of user names. In this case, it is often difficult to determine which user account is being referred to in the event.
It is possible to build a list of mappings of user names to SIDs by performing the following steps:
Logon type"Logon Type" will be one of the following:
2 Interactive 3 Network 4 Batch 5 Service 6 Proxy 7 Unlock Workstation (0 & 1 are invalid)
Logon Process"Logon Process" will be one of the following:
"msv1_0" or "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0": msv1_0.dll, the default authentication package "KSecDD": ksecdd.sys, the security device driver "User32" or "WinLogon\MSGina": winlogon.exe & msgina.dll, the authentication user interface "SCMgr": The Service Control Manager "LAN Manager Workstation Service" "advapi" API call to LogonUser "MS.RADIU": The RADIUS authentication package; a part of the Microsoft Internet Authentication Services (IAS).
User rightsFor more information about auditing user right changes, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/163905/ )Auditing user right assignment changes
Supplemental informationFor more information about user authentication, click the following article number to view the article in the Microsoft Knowledge Base:
102716For more information about authentication on networks, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/102716/ )NTLM user authentication in Windows
(http://support.microsoft.com/kb/122422/ )Example of remote logon with Windows NT Server
Article ID: 174073 - Last Review: February 23, 2007 - Revision: 4.3