FedericoCoppola-2569 asked FanFan-MSFT commented

EventViewer missing logs about Login Failed

Hi all,
A user complained that a day ago he turned on his computer (this computer is a member of a company Active Directory domain),
typed his user password, and the account was locked.
In the Domain Controller Event Viewer there were no Login Failed events, only the Locked Out event.

Is it normal?

Thanks

windows-server-2016 windows-server-security

Hi,
If there are any updates, welcome to share here!
Best Regards,

FanFan-MSFT answered

Hi,
Yes, it is the expected behavior.
Lockout event will be logged on the Domain Controller.
The login failed event will be logged on the workstation that the user logs on to, if Audit Logon Events – Failure was enabled on the clients.

[Image: 113928-71134.jpg]
Then we can audit Process Tracking for this client, then analyze the event log to find out which process or app sends the bad password.

Best Regards,




FedericoCoppola-2569 answered FanFan-MSFT commented

Dear @FanFan-MSFT
Thanks for your suggestion.
I will verify it!

I think that I can configure a domain GPO that sets the Domain Controller to log Failed Login.

Best regards


Hi,

Let's make sure which events you want to be logged:
Logon events, such as:
[Image: 114773-image.png]

This policy is set on the workstations that the user logs on to.

Account logon events, such as:
[Image: 114766-image.png]

This policy is set on DCs.
For more details, you can refer to:
Audit logon events
Audit account logon events

If you have any questions about the information, feel free to let me know.

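The split described in the answer and comment above (lockout recorded on the domain controller, failed logon recorded on the workstation when Audit Logon Events – Failure is enabled there), as an added PowerShell example that is not part of the original posts. It assumes the standard Security log event IDs 4740 (account locked out) and 4625 (failed logon); the account name `jdoe` is a placeholder.

```powershell
# Added example, not from the thread. Run elevated on a domain controller.
# 'jdoe' is a placeholder account name; adjust the time window as needed.
$User  = 'jdoe'
$Since = (Get-Date).AddDays(-2)

# Turn an event's <EventData> block into a name -> value hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# 1. Effective audit policy on this machine (subcategory names are localized).
auditpol /get /category:* | Select-String 'Logon|Kerberos|Credential|Process Creation'

# 2. Lockout events (4740) on the DC. In 4740 the TargetDomainName field
#    holds the "Caller Computer Name", i.e. where the bad passwords came from.
$lockouts = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time = $_.TimeCreated; User = $f.TargetUserName; Caller = $f.TargetDomainName
        }
    } | Where-Object User -eq $User
$lockouts | Format-Table -AutoSize

# 3. Failed logons (4625) on each caller workstation. These exist only if
#    failure auditing for logon events is enabled there. Requires remote
#    event-log access; "no events found" errors are suppressed.
$failures = foreach ($pc in ($lockouts.Caller | Where-Object { $_ } | Sort-Object -Unique)) {
    Get-WinEvent -ComputerName $pc -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $Since
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Get-EventFields $_
            if ($f.TargetUserName -eq $User) {
                [pscustomobject]@{
                    Computer = $pc; Time = $_.TimeCreated; LogonType = $f.LogonType
                    Process = $f.ProcessName; SourceIp = $f.IpAddress; SubStatus = $f.SubStatus
                }
            }
        }
}
$failures | Format-Table -AutoSize
```

A lockout in step 2 with no rows in step 3 is consistent with Audit Logon Events – Failure not being enabled on that workstation.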
FedericoCoppola-2569 answered FanFan-MSFT commented

Dear @FanFan-MSFT
Thanks!

I will follow your suggestion.
I will keep you updated.

Regards


You are welcome.
Waiting for your good news!
Best Regards,
