Using the checked Netlogon.dll to track account lockouts

Article translations Article translations
Article ID: 189541 - View products that this article applies to.
This article was previously published under Q189541
Expand all | Collapse all

On This Page

SUMMARY

Account lockouts can be very difficult to track for several reasons. One reason is that the bad password attempts are only recorded on the domain controller that processed the logon attempt (this is for Microsoft Windows 95-based and Microsoft Windows 98-based clients). Another problem is that, because Microsoft Windows NT-based clients are capable of recording the information locally, a log entry is not recorded on any domain controller.

MORE INFORMATION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


A relatively easy way to track bad password attempts in a domain is to install the checked build of Netlogon.dll on the primary domain controller (PDC). This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts, for both Windows NT-based and Windows 95-based clients.

The checked build of Netlogon.dll can be obtained from Microsoft Technical Support and also in the Microsoft Driver Development Kit (DDK). To install the checked build of Netlogon.dll on Windows NT 4.0:
  1. Go to the Windir\System32 folder.
  2. Rename Netlogon.dll to Netlogon.fre.
  3. Copy the checked version of Netlogon.dll to the System32 folder.
  4. Start Regedt32, and then locate the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon \Parameters\DBFlag
  5. Change the DBFlag value to 0x4.

    NOTE: Setting DBFlag to 0x4 only records logon processing. Setting it to 0x20000004 records the time stamp in addition to the logon event.
  6. Quit Regedt32.
  7. Restart the server.
  8. Confirm that the debug directory was created under the Windir folder and contains a Netlogon.log file.

Examples

In the examples below:
PORSCHE\example = User Account
TARGA =           BDC
928S4 =           Windows NT Workstation
928WIN95 =        Windows 95
911Turbo =        PDC
				
Different clients log different messages.

Windows NT Workstation:
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Entered

[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Returns 0xC000006A

[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Entered

[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Returns 0xC0000234
				
In the above example, you can see where you try to log on, are unsuccessful with a bad password, try to log on again, and then are unsuccessful with a locked out account.

The only difference with Windows 95 and Windows 98 is the omission of the domain name:
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Entered

[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Returns 0xC000006A

[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Entered

[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Returns 0xC0000234
				
A successful account logon can resemble:
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Entered

[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Returns
   0x0

[LOGON] NetrLogonUasLogon of EXAMPLE from 928WIN95 returns 0
				
The errors you most likely receive are:
0xC0000234 User logon with Account Locked
0xC000006A User logon with Misspelled or bad Password
0xC0000072 User logon to account disabled by Administrator
0xC0000193 User logon with Expired Account
0xC0000070 User logon from unauthorized workstation
0xC000006F User logon Outside authorized hours
0xC0000224 User logon with "Change Password at Next Logon" flagged
0xC0000071 User logon with Expired Password
0xC0000064 User logon with Misspelled or Bad User Account
To track user account lockouts, only the 234 and 6A errors are important to us.

NOTE: These errors are only a partial listing. Ntstatus.h has all the 0xcxxxxxxx listings.

After the workstation that has been sending the bad passwords has been identified, the workstation can be configured correctly or the user can be informed of the correct password.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
109626 Enabling debug logging for the Netlogon service

Properties

Article ID: 189541 - Last Review: January 23, 2007 - Revision: 4.5
APPLIES TO
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Server 4.0 Enterprise Edition
  • Microsoft Windows 98 Standard Edition
  • Microsoft Windows 95
  • Microsoft Windows 98 Standard Edition
Keywords: 
kbhowto KB189541

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com