Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
A relatively easy way to track bad password attempts in a domain is to install the checked build of Netlogon.dll on the primary domain controller (PDC). This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts, for both Windows NT-based and Windows 95-based clients.
The checked build of Netlogon.dll can be obtained from Microsoft Technical Support and also in the Microsoft Driver Development Kit (DDK).
To install the checked build of Netlogon.dll on Windows NT 4.0:
- Go to the Windir\System32 folder.
- Rename Netlogon.dll to Netlogon.fre.
- Copy the checked version of Netlogon.dll to the System32 folder.
- Start Regedt32, and then locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
- Change the DBFlag value to 0x4.
NOTE: Setting DBFlag to 0x4 only records logon processing. Setting it to 0x20000004 records the time stamp in addition to the logon event.
- Quit Regedt32.
- Restart the server.
- Confirm that the debug directory was created under the Windir folder and contains a Netlogon.log file.
Examples
In the examples below:
PORSCHE\example = User Account
TARGA = BDC
928S4 = Windows NT Workstation
928WIN95 = Windows 95
911Turbo = PDC
Different clients log different messages.
Windows NT Workstation:
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Entered
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Returns 0xC000006A
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Entered
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Returns 0xC0000234
In the above example, the user tries to log on and is unsuccessful because of a bad password (0xC000006A), then tries to log on again and is unsuccessful because the account is locked out (0xC0000234).
The only difference with Windows 95 and Windows 98 is the omission of the domain name:
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Entered
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Returns 0xC000006A
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Entered
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Returns 0xC0000234
A successful account logon can resemble:
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Entered
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Returns 0x0
[LOGON] NetrLogonUasLogon of EXAMPLE from 928WIN95 returns 0
The errors you are most likely to receive are:
0xC0000234 User logon with Account Locked
0xC000006A User logon with Misspelled or bad Password
0xC0000072 User logon to account disabled by Administrator
0xC0000193 User logon with Expired Account
0xC0000070 User logon from unauthorized workstation
0xC000006F User logon Outside authorized hours
0xC0000224 User logon with "Change Password at Next Logon" flagged
0xC0000071 User logon with Expired Password
0xC0000064 User logon with Misspelled or Bad User Account
To track user account lockouts, only the 0xC0000234 and 0xC000006A errors are important.
NOTE: These errors are only a partial listing. Ntstatus.h has all the 0xcxxxxxxx listings.
After the workstation that has been sending the bad passwords has been identified, the workstation can be configured correctly or the user can be informed of the correct password.
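The following Python example is added here and is not Microsoft's code: it tallies the 0xC000006A and 0xC0000234 results in Netlogon.log by source workstation and account, which is the lookup the procedure above is meant to support. It assumes each log entry sits on one line in the format shown in the examples; the function names and the sample text are constructed for illustration.

```python
import re
from collections import Counter

# Codes from the article's error list that matter for lockout tracking.
STATUS = {0xC000006A: "bad password", 0xC0000234: "account locked out"}

# "Returns" lines in the format of the article's examples. search() tolerates a
# leading time stamp (DBFlag 0x20000004), and the "(via <DC>)" part is optional.
LINE = re.compile(
    r"\[LOGON\] SamLogon: \w+ logon of (?P<user>\S+) from (?P<src>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<code>0x[0-9A-Fa-f]+)"
)

# Constructed sample built from the article's example entries, one per line.
SAMPLE = r"""[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Entered
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via TARGA) Returns 0xC000006A
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Returns 0xC000006A
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via TARGA) Returns 0xC0000234
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Returns 0x0
"""

def failed_logons(log_text):
    """Yield (account, source, via, reason) for each 6A/234 result."""
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # "Entered" lines and unrelated entries
        reason = STATUS.get(int(m.group("code"), 16))
        if reason is None:
            continue  # success (0x0) or a status not tracked here
        # Keep only the account name: Windows 95 clients log "(null)" as the
        # domain, so the domain prefix cannot be used to group entries.
        account = m.group("user").rsplit("\\", 1)[-1].upper()
        # Windows 95 entries prefix the workstation with "\\"; strip it.
        source = m.group("src").lstrip("\\").upper()
        yield account, source, m.group("via"), reason

def summarize(log_text):
    """Count failures per (source workstation, account, reason)."""
    return Counter((src, acct, why) for acct, src, _via, why in failed_logons(log_text))

if __name__ == "__main__":
    for (src, acct, why), n in summarize(SAMPLE).most_common():
        print(f"{src:<12} {acct:<12} {why:<20} {n}")
```

To run it against a real log, read the Netlogon.log file from the debug directory and pass its text to `summarize`.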
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
109626 Enabling debug logging for the Netlogon service