not seeing invalid login attempts in event log
On my domain I have enabled Logon Event logging. I did it from Active Directory > domain controller server > in admin tools > domain security policy > local policies > audit policy: audit account logon events: success > failure > Audit logon events > success, failure. But still, when I go to a client PC and try logging in with the WRONG password, I don't find anything logged regarding this in my Event Log.
Does anyone know what could be the reason why my system is not logging the wrong password login in Event Viewer?
For your reference, these are the only messages I can see in my Event Viewer:
Quote:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 646
Date: 2/26/2009
Time: 10:58:59 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: TOTOWADC01
Description:
Computer Account Changed:
-
Target Account Name: VMVMC01$
Target Domain: xxxLARCLUB
Target Account ID: xxxRCLUB\VMVMC01$
Caller User Name: TOTOWADC01$
Caller Domain: xxxLARCLUB
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 2/26/2009 10:58:59 AM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
Sid History: -
Logon Hours: -
DNS Host Name: -
Service Principal Names: -
Re: not seeing invalid login attempts in event log
Are you sure there are no other DCs in your domain? If there are multiple DCs, then the log might even go into the other DC's Event Viewer. Only the DC handling the auth requests will write into the event log. Apart from this, can you tell me whether the network was up and running on the client when you tried the wrong attempt? I'm asking this because Windows XP has a "fast boot" feature where it actually shows the logon screen although the network subsystem isn't up and running.
Re: not seeing invalid login attempts in event log
Where are you checking the Event Log? I mean, if you are attempting to log on to the domain, the failure will be within the log on the DC on which you are attempting to log on, not the local machine.
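
The check both replies point to, searching the Security log on every domain controller rather than on one machine, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module and domain controllers running Windows Server 2008 or later (where the event IDs below apply); `testuser` and the one-hour window are constructed values.

```powershell
# Added example: look for failed-authentication audit events on every DC,
# because only the DC that handled the request records the failure.
Import-Module ActiveDirectory

# Assumption: constructed test account and time window; adjust to your test.
$TargetUser = 'testuser'
$Since      = (Get-Date).AddHours(-1)

# 4771 = Kerberos pre-authentication failed ("Audit account logon events")
# 4776 = NTLM credential validation         ("Audit account logon events")
# 4625 = An account failed to log on        ("Audit logon events")
$FailureIds   = 4771, 4776, 4625
$AuditFailure = 4503599627370496   # Security log "Audit Failure" keyword (0x10000000000000)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = $FailureIds
            Keywords  = $AuditFailure
            StartTime = $Since
        }
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # Reachable DC, but it did not handle (or did not audit) the attempt.
            Write-Host "$($dc.HostName): no failure events since $Since"
        }
        else {
            # Unreachable DC, firewall, or no rights to read the Security log.
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        # Keep only events that mention the account used in the test.
        if ($e.Message -notmatch [regex]::Escape($TargetUser)) { continue }
        [pscustomobject]@{
            DC          = $dc.HostName
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Summary     = ($e.Message -split "`r?`n")[0]
        }
    }
}

$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

If every DC reports no failure events, the audit policy is not in effect on the DCs or the attempt never reached a DC, which are the two causes raised in the replies.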