Re: Security Event log

From: Darren Hook [MSFT] (dhook_at_online.microsoft.com)
Date: 03/25/04 

Date: Thu, 25 Mar 2004 13:26:02 -0600

Hi Nancy -

Here is more information on the event that may help;

Logon Type: 3 = Network Logon
Error Code: 3221225572 = User logon with misspelled or bad user account

The will be very difficult to track for several reasons. One reason is that
the bad password attempts are only recorded on the domain controller that
processed the logon attempt (this is for Microsoft Windows 95-based and
Microsoft Windows 98-based clients). Another problem is that, because
Microsoft Windows NT-based clients are capable of recording the information
locally, a log entry is not recorded on any domain controller.

A relatively easy way to track bad password attempts in a domain is to
install the checked build of Netlogon.dll. This creates a text file on the
Server that can be examined to determine which clients are generating the
bad password attempts.

The version of Netlogon.dll that has tracing included is installed by
default in Windows 2000. To enable debug logging;

Enabling Debug Logging for the Net Logon Service
http://support.microsoft.com/default.aspx?scid=kb;en-us;109626

Setting DBFlag per the above article to 0x4 only records logon processing.
Setting it to 0x20000004 records the time stamp in addition to the logon
event. This may help you in narrowing the problem further by letting you
know what machine the logon is generated from. Once you know the machine
causing the event, then check that machine for any services are scheduled
tasks that might be causing the problem.

The below article gives examples of the output and what to review;
Using the Checked Netlogon.dll to Track Account Lockouts
http://support.microsoft.com/default.aspx?scid=kb;EN-US;189541

Hope this helps.

Darren Hook
dhook@online.microsoft.com
Microsoft PSS

Please do not send email directly to this alias. This alias is for
newsgroup purposes only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Relevant Pages

  • Logon failure "target account name incorrect"
    ... since some days we are experiencing that user logon (w2k ... sp4 clients only) to the domain is ... The logon from these clients does work when logging on as ...
    (microsoft.public.win2000.security)
  • W2k - W2k3 Domain upgrade.
    ... An application has replaced the Microsoft Windows logon software on your ... After you upgrade, even if the program ... Do we need to worry about this warning? ...
    (microsoft.public.win2000.setup_upgrade)
  • RE: slow login after installing client service for netware
    ... It sound like the provider order is not setup to logon to a 'Microsoft Windows Network' ... slow login after installing client service for netware ...
    (microsoft.public.win2000.networking)
  • RE: XP Home - specified domain does not exist
    ... In another post with a similer problem, on suggestion is: ... When you are at the logon box, there should be a dropdown box listing ... However, there is no dropdown box, or button that says Options. ... > Microsoft Windows 2000-based client to a Microsoft Windows NT 4.0-based or ...
    (microsoft.public.windowsxp.setup_deployment)
  • Re: Auditing User Accounts on Windows XP Professional
    ... Restrict a User's Logon Hours: ... Microsoft Windows XP - Network security: ... I'm running Windows XP Pro with four user accounts (one for each member of ... Is there any way to track the time a particular user logs on ...
    (microsoft.public.windowsxp.basics)