not seeing invalid login attempts in event log

In Event viewer, security I am not seeing any invalid login attempt
messages.

I think I have enabled account logon event logging. On the
ActiveDirectory, domain controller server, in admin tools, domain
security policy, local policies, audit policy : audit account logon
events: success, failure. Audit logon events - success, failure.

After making these config changes, I goto a client PC and logon with a
valid user name but incorrect password. In event viewer on the AD
server, I dont see any login failure messages.

Are my invalid logins being logged? Where do I see them?

thanks,



( The only messages I see in Event Viewer, security that log are
similar to this:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 646
Date: 2/26/2009
Time: 10:58:59 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: TOTOWADC01
Description:
Computer Account Changed:
-
Target Account Name: VMVMC01$
Target Domain: xxxLARCLUB
Target Account ID: xxxRCLUB\VMVMC01$
Caller User Name: TOTOWADC01$
Caller Domain: xxxLARCLUB
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 2/26/2009 10:58:59 AM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
Sid History: -
Logon Hours: -
DNS Host Name: -
Service Principal Names: -

Steve,

"Steve Richter" wrote:
> After making these config changes, I goto a client PC and logon with a
> valid user name but incorrect password. In event viewer on the AD
> server, I dont see any login failure messages.

Are there multiple DCs in the domain? Have you checked all DC's event
viewer? Only the DC handling the auth requests will write into the eventlog.

Also -- when did you try the false attempts? Can you make sure the network
is up and running on the client? Windows XP has a "fast boot" feature where
it actually shows the logon screen although the network subsystem isn't up
and running. Could be that you're attempting a "local" logon using cached
credentials.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

If you are attempting to logon to the domain, the failure will be within the
log on the dc on which you are attempting to logon to not the local machine.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


"Steve Richter" <StephenRichter@gmail.com> wrote in message
news:33d8ba72-807f-4ce6-a92e-5baadd28624b@j35g2000yqh.googlegroups.com...
> In Event viewer, security I am not seeing any invalid login attempt
> messages.
>
> I think I have enabled account logon event logging. On the
> ActiveDirectory, domain controller server, in admin tools, domain
> security policy, local policies, audit policy : audit account logon
> events: success, failure. Audit logon events - success, failure.
>
> After making these config changes, I goto a client PC and logon with a
> valid user name but incorrect password. In event viewer on the AD
> server, I dont see any login failure messages.
>
> Are my invalid logins being logged? Where do I see them?
>
> thanks,
>
>
>
> ( The only messages I see in Event Viewer, security that log are
> similar to this:
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Account Management
> Event ID: 646
> Date: 2/26/2009
> Time: 10:58:59 AM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: TOTOWADC01
> Description:
> Computer Account Changed:
> -
> Target Account Name: VMVMC01$
> Target Domain: xxxLARCLUB
> Target Account ID: xxxRCLUB\VMVMC01$
> Caller User Name: TOTOWADC01$
> Caller Domain: xxxLARCLUB
> Caller Logon ID: (0x0,0x3E7)
> Privileges: -
> Changed Attributes:
> Sam Account Name: -
> Display Name: -
> User Principal Name: -
> Home Directory: -
> Home Drive: -
> Script Path: -
> Profile Path: -
> User Workstations: -
> Password Last Set: 2/26/2009 10:58:59 AM
> Account Expires: -
> Primary Group ID: -
> AllowedToDelegateTo: -
> Old UAC Value: -
> New UAC Value: -
> User Account Control: -
> User Parameters: -
> Sid History: -
> Logon Hours: -
> DNS Host Name: -
> Service Principal Names: -
>
>
>
>
>

Hello Steve,

You have to check all DC's in the domain. The client pc will not log this.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> In Event viewer, security I am not seeing any invalid login attempt
> messages.
>
> I think I have enabled account logon event logging. On the
> ActiveDirectory, domain controller server, in admin tools, domain
> security policy, local policies, audit policy : audit account logon
> events: success, failure. Audit logon events - success, failure.
>
> After making these config changes, I goto a client PC and logon with a
> valid user name but incorrect password. In event viewer on the AD
> server, I dont see any login failure messages.
>
> Are my invalid logins being logged? Where do I see them?
>
> thanks,
>
> ( The only messages I see in Event Viewer, security that log are
> similar to this:
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Account Management
> Event ID: 646
> Date: 2/26/2009
> Time: 10:58:59 AM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: TOTOWADC01
> Description:
> Computer Account Changed:
> -
> Target Account Name: VMVMC01$
> Target Domain: xxxLARCLUB
> Target Account ID: xxxRCLUB\VMVMC01$
> Caller User Name: TOTOWADC01$
> Caller Domain: xxxLARCLUB
> Caller Logon ID: (0x0,0x3E7)
> Privileges: -
> Changed Attributes:
> Sam Account Name: -
> Display Name: -
> User Principal Name: -
> Home Directory: -
> Home Drive: -
> Script Path: -
> Profile Path: -
> User Workstations: -
> Password Last Set: 2/26/2009 10:58:59 AM
> Account Expires: -
> Primary Group ID: -
> AllowedToDelegateTo: -
> Old UAC Value: -
> New UAC Value: -
> User Account Control: -
> User Parameters: -
> Sid History: -
> Logon Hours: -
> DNS Host Name: -
> Service Principal Names: -