Logging all authentication attempts


A.J. Fried

Does anyone know if there's a way to centrally log all domain
authentication attempts? Specifically, this would include users logging in
as well as unlocking their machine after locking it (or if a screen saver
locks it).

I've looked at netlogon logging, but this doesn't seem to be quite what I'm
looking for. Kerberos logging seems to be client based, so I would have to
scan every machine's event log.

I'm looking for something that would be on the domain controllers (win2k
domain), like the netlogon.log but more manageable.

Any thoughts?

Thanks.
 
A.J. Fried said:
Does anyone know if there's a way to centrally log all domain
authentication attempts? Specifically, this would include users logging in
as well as unlocking their machine after locking it (or if a screen saver
locks it).

No to the screen saver as that is NOT a login. Central logging is
accomplished by logging "Account Logon" (rather than just Logon).
I've looked at netlogon logging, but this doesn't seem to be quite what I'm
looking for. Kerberos logging seems to be client based, so I would have to
scan every machine's event log.

Not with Account Logon logging.
I'm looking for something that would be on the domain controllers (win2k
domain), like the netlogon.log but more manageable.

Account Logon with Win2000+ domains.
 
Don't mind if I butt in, but how do you get the
netlogon.log to work. Mine is 0 bytes(empty). Thanks
 
Herb Martin said:
No to the screen saver as that is NOT a login. Central logging is
accomplished by logging "Account Logon" (rather than just Logon).

I know that unlocking from a locked screen saver isn't a logon per se,
but it is an authentication attempt against the domain, right? I mean,
if you give it the wrong pw enough times, you will lock the domain
acct, so it must be an authentication attempt.

Can you give me any more dets on the "account logon" logging? It's
not ringing a bell. It may not matter much though because unless I
can log a locked computer unlock, my purpose will be defeated. I want
to track people's whereabouts ... sort of an attendance / locator
system. People don't necessarily log off every day, (so they don't
necessarily log in every day) but we have a GPO that kicks in the
screen saver after 15 minutes. If I could log the authentication
needed to unlock the machine after the screen saver kicks in, I'm set.

Any thoughts?

Thanks
 
A.J. Fried said:
I know that unlocking from a locked screen saver isn't a logon per se,
but it is an authentication attempt against the domain, right? I mean,
if you give it the wrong pw enough times, you will lock the domain
acct, so it must be an authentication attempt.

If that is the case (quite possible) then I was wrong and it is A LOGON.

In that case the Account Logon setting will work to record these. Try it
and let me know (I was under the impression it was using cached
credentials.)
 
Herb Martin said:
If that is the case (quite possible) then I was wrong and it is A
LOGON.

In that case the Account Logon setting will work to record these.
Try it and let me know (I was under the impression it was using cached
credentials.)

Not sure Herb, but I'm tending to believe it's cached credentials as well.
One good indication is the speed of unlocking it once you enter your
credentials. Test it by unplugging the NIC and I'm sure it's just as fast.
If this is the case, I don't believe Account Logging Auditing will pick this
up.

Maybe a script on each machine that reports back to a central location with
Auditing on the local machine?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay said:

Not sure Herb, but I'm tending to believe it's cached credentials as well.
One good indication is the speed of unlocking it once you enter your
credentials. Test it by unplugging the NIC and I'm sure it's just as fast.
If this is the case, I don't believe Account Logging Auditing will pick this
up.

I think you're right about cached credentials. I did an experiment...
I changed my password on a (the) domain controller. Then I locked my
machine and UNlocked it with the OLD password. Clearly, cached
credentials.

Looks like I'll have to go with some sort of local log harvest to make
this work.

Thanks for the input.

--> A.J. Fried
 
A.J. Fried said:
I think you're right about cached credentials. I did an experiment...
I changed my password on a (the) domain controller. Then I locked my
machine and UNlocked it with the OLD password. Clearly, cached
credentials.

Looks like I'll have to go with some sort of local log harvest to make
this work.

Thanks for the input.

--> A.J. Fried

No problem...

Here's a nice site besides www.technet.com's Script Center to look for
scripts that may help you do this:
http://cwashington.netreach.net

Good luck.

--
Regards,
Ace
 
Ace Fekay said:
Not sure Herb, but I'm tending to believe it's cached credentials as well.
One good indication is the speed of unlocking it once you enter your
credentials. Test it by unplugging the NIC and I'm sure it's just as fast.

That won't prove it either -- except by your noted implication from the
speed.

Cached credentials are known to work (the purpose) whenever the actual
connection is down. Since a machine tries to keep a secure channel to the
DC, it likely doesn't have to wait for a "new" connection to fail.
If this is the case, I don't believe Account Logging Auditing will pick this
up.

True (no matter how we determine it.)
Maybe a script on each machine that reports back to a central location with
Auditing on the local machine?

I doubted that this counts as a logon, but am awaiting someone who will go
check.
(Should take about 5 minutes.)
 
If it doesn't count as a "logon" then I doubt that it is going to log it
even locally.

Logon is collected locally.
Account Logon is collected at the DCs.
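Ace's per-machine script that reports back centrally and Herb's point that Logon is collected locally while Account Logon is collected at the DCs meet in the collector. The following is an added example, not code from the thread: it ingests constructed Security-log records harvested from workstations and DCs, classifies each by audit category, builds the attendance/locator view A.J. is after, and counts how many unlocks the DC-side Account Logon audit ever saw. The CSV layout is an assumed harvester format; the event IDs are the Windows 2000/2003 ones, with the Vista+ equivalents noted in comments.

```python
# Added example (not from the thread): collector-side logic for a local log harvest; CSV below is constructed.
import csv
from datetime import datetime
from io import StringIO
# Windows 2000/2003 event IDs (Vista+ equivalents in parentheses).
# Logon category, written on the machine where the session is created:
#   528 success (4624), 529 failure (4625); logon type 7 = unlock workstation.
# Account Logon category, written on the DC that validated the credentials:
#   672 Kerberos AS (4768), 673 Kerberos TGS (4769), 680 NTLM (4776).
LOGON_EVENTS, ACCOUNT_LOGON_EVENTS = {528, 529}, {672, 673, 680}
UNLOCK_TYPE, TIME_FMT = "7", "%Y-%m-%d %H:%M:%S"
SAMPLE_CSV = """time,machine,event_id,logon_type,user
2004-03-01 08:02:11,WS-014,528,2,jdoe
2004-03-01 08:02:11,DC1,672,,jdoe
2004-03-01 08:31:40,WS-014,528,7,jdoe
2004-03-01 09:05:02,WS-014,529,7,jdoe
2004-03-01 13:12:55,WS-014,528,7,jdoe
2004-03-01 13:13:10,DC1,680,,mroe
2004-03-01 13:13:10,WS-022,528,2,mroe
"""

def parse_records(text):
    return list(csv.DictReader(StringIO(text)))

def classify(rec):
    """Map a record to logon / unlock / failed_* / account_logon / other."""
    eid = int(rec["event_id"])
    if eid in ACCOUNT_LOGON_EVENTS:
        return "account_logon"
    if eid in LOGON_EVENTS:
        kind = "unlock" if rec["logon_type"] == UNLOCK_TYPE else "logon"
        return kind if eid == 528 else "failed_" + kind
    return "other"

def last_seen(records):
    """Locator view: per user, (machine, time) of the latest logon or unlock."""
    seen = {}
    for rec in records:
        if classify(rec) in ("logon", "unlock"):
            seen[rec["user"]] = (rec["machine"], rec["time"])
    return seen

def unlocks_seen_by_dc(records, window_s=60):
    """(matched, total) unlocks with a same-user DC Account Logon event within
    window_s seconds; cached credentials mean this stays at 0 matched."""
    ts = lambda r: datetime.strptime(r["time"], TIME_FMT)
    dc = [r for r in records if classify(r) == "account_logon"]
    unlocks = [r for r in records if classify(r) == "unlock"]
    matched = sum(1 for u in unlocks if any(d["user"] == u["user"] and
                  abs((ts(u) - ts(d)).total_seconds()) <= window_s for d in dc))
    return matched, len(unlocks)
```

Only the workstation-side 528/529 records carry the unlock (type 7) information; the DC-side 672/680 records appear only at the morning logon and for other users, which is the cached-credentials behaviour the thread settles on.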
 
Herb Martin said:
That won't prove it either -- except by your noted implication from
the speed.

Cached credentials are known to work (the purpose) whenever the actual
connection is down. Since a machine tries to keep a secure channel
to the DC, it likely doesn't have to wait for a "new" connection to fail.


True (no matter how we determine it.)


I doubted that this counts as a logon, but am awaiting someone who
will go check.
(Should take about 5 minutes.)

Ok, I'm curious as well. Local Auditing for logon info, and yes, I
understand it's not the same as Account Logon at the domain level.

--
Regards,
Ace
 