RE: help determining source of logon failure audits
- From: Jesper <Jesper@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 4 Jan 2007 19:15:00 -0800
When did you turn on account logon event logging? What you are describing
matches exactly what you would see with FUS on. These events indicate that
the SYSTEM account tried to log you on. This should only happen during FUS.
Everything here is consistent with FUS.
0xC000006A means that the password was incorrect, which is why the logon
failed.
0xC0000234 means that the account has been locked out.
Are you absolutely sure that this only started showing up in the event log a
week ago AND that you had account logon event auditing turned on before this
started happening? If so, then the only other way this could happen is if
something you are doing is causing a process running LocalSystem to log you
on with a blank password.
"josh rubin" wrote:
"Jesper" wrote:
Account logon events and Logon events generate pretty much the same
information on a stand-alone. Account logon events is the act of
authenticating against an account. Logon events is logging onto the computer.
If you are domain joined, the former are logged on the DC and the latter on
the client, for domain logons.
These, however, are much simpler. You have the "Fast User Switching" screen,
correct? The one which lists all the accounts? When you click on an account
Windows needs to know whether to show you a password box or not. To determine
that it tries to log the account on with a blank password. If the account has
a password that logon fails and it shows you the password box. This will,
however, generate a logon failure audit event.
I know about this - it doesn't describe what I'm seeing.
In any case, Fast User Switching has always been on, but these events
only started appearing about a week ago.
"josh rubin" wrote:
"Jesper" wrote:
What is the logon type in the event? Logon type 10 is RDP. 3 would be network
(i.e. Windows networking). Are you sure these are attempts to log on via RDP?
There is no logon type 6a. They are all numeric, and start with 2.
Your answer made me realize that I had logging enabled for
"Account Logon Events" but not "Logon Events"
Below are the events I am *now* logging, and two typical "Account Logon
Events". Let me know if I should enable more events.
--------------
Policy                            Security Setting
Audit object access               Failure
Audit directory service access    No auditing
Audit process tracking            No auditing
Audit privilege use               No auditing
Audit system events               No auditing
Audit account logon events        Success, Failure **** NEW ****
Audit account management          Success, Failure
Audit policy change               Success, Failure
Audit logon events                Success, Failure
-------------
Here are two typical events from my log:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 1/3/2007
Time: 11:36:44 PM
User: NT AUTHORITY\SYSTEM
Computer: RAVEN
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Josh
Source Workstation: RAVEN
Error Code: 0xC000006A

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 1/3/2007
Time: 11:38:44 PM
User: NT AUTHORITY\SYSTEM
Computer: RAVEN
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Josh
Source Workstation: RAVEN
Error Code: 0xC0000234
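
Added example, not part of the original thread: a Python sketch that parses Event ID 680 records pasted as text and tallies failures per account, using the two error codes explained above. The third sample record (account Test, workstation OTHERPC) is constructed, and treating "Source Workstation equals Computer" as a local attempt is an assumption of this sketch.

```python
from collections import Counter

# Error codes and their meanings exactly as given in the thread.
STATUS = {0xC000006A: "password was incorrect",
          0xC0000234: "account has been locked out"}
# Constructed sample: two records mirror the quoted events, the third is invented.
SAMPLE = """\
Event Type: Failure Audit
Event ID: 680
Computer: RAVEN
Logon account: Josh
Source Workstation: RAVEN
Error Code: 0xC000006A
Event Type: Failure Audit
Event ID: 680
Computer: RAVEN
Logon account: Josh
Source Workstation: RAVEN
Error Code: 0xC0000234
Event Type: Failure Audit
Event ID: 680
Computer: RAVEN
Logon account: Test
Source Workstation: OTHERPC
Error Code: 0xC000006A
"""

def parse_events(text):
    """Split pasted Event Viewer text into one dict of fields per record."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so times survive
        if sep and key.strip() == "Event Type":  # first field of every record
            events.append({})
        if sep and events:
            events[-1][key.strip()] = value.strip()
    return events

def summarize(events):
    """Per account: count of each failure reason, and whether all were local."""
    report = {}
    for ev in (e for e in events if e.get("Event ID") == "680"):
        code = int(ev["Error Code"], 16)
        acct = report.setdefault(ev["Logon account"],
                                 {"reasons": Counter(), "local_only": True})
        acct["reasons"][STATUS.get(code, f"unmapped 0x{code:08X}")] += 1
        # Assumption: Source Workstation == Computer means the attempt was local.
        acct["local_only"] &= ev["Source Workstation"] == ev["Computer"]
    return report
```

Calling `summarize(parse_events(SAMPLE))` shows Josh with one wrong-password failure followed by one lockout failure, both local, while the constructed Test account is flagged as not local-only.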