Account lockout messages not in domain controller event logs


Prior to NT 4 SP4 message about the user account being locked out were only
written to the security log of the workstations or servers where the events
occurred and were not written into the security log of the domain controller
where the error occurred. At that, the error message was only written if the
audit policies were enable on the workstation. SP4 does what one would expect
and writes these messages on the domain controller where the bad password limit
was reached but ONLY if the audit policy for the domain enables Success
for the User and Group Management
audit category.


Event Log Tips:

Archiving Event Logs
Event Log explained
How to Delete
Corrupt Event Viewer Log Files

Forensics:
CrashOnAuditFail

Restrict access to Application
and System event logs

Security Event
Descriptions

Security Events Logon Type
Definitions

Security Log Location
Suppress Browser Event Log Messages
Suppress Prevent logging of print jobs
System events in NT4 SP4
User Authentication with Windows NT
User Rights, Definition and List

Frank Heyne has made
available a Windows NT Eventlog FAQ .

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top