Auditing Logon Failures Does Not Log Remote Failures

This article was previously published under Q172402
This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
When auditing logon and logoff failures on a Domain Controller, not all expected failure audit event messages are recorded in the Security Event Log of a domain controller.
CAUSE
This behavior may occur if a user does not log on to a member Windows NT workstation or server by using an account that has domain credentials. In this case, the local Security Log records an Event 529 (Logon Failure) event message. There is no failure audit recorded on a domain controller when the domain user's logon does not succeed. The account may be locked out if configured to do so, but no event message is recorded.
RESOLUTION
You cannot force the domain controllers to log this failure audit. However there is an event message to audit the locking of an account on a domain controller. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
182918 Account Lockout Event Also Stored in Security Event Log on Domain Controller
For additional information about how to track the failed logon attempts on each workstation and member server, click the following article number to view the article in the Microsoft Knowledge Base:
171148 Automating Detection of Logon Failures in a Windows NT Domain
STATUS
Microsoft has confirmed that this is a problem in Windows NT 3.51 and Windows NT 4.0. Microsoft is researching this problem and will post more information in this article when the information becomes available.
4.00 usrmgr audit use r account lockout
Properties

Article ID: 172402 - Last Review: 10/07/2013 05:10:01 - Revision: 5.1

  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition
  • kbnosurvey kbarchive kbnetwork KB172402
Feedback