Knock Knock … Who’s There ?

or tracking bad login attempts on Windows Server

So we had a user constantly getting locked out of their account. I could re-enable them, but within ten seconds they would be locked out again. The speed of this put a machine as the prime suspect, since it’s doubtful a user would rack up enough fails so quickly, but how to find the culprit?

On the server, you’ll want to enable debug logging of logins. At the command line (Start -> Run -> cmd, but if I have to say that, you shouldn’t be doing this), type:

nltest /dbflag:2080ffff

You’ll need to restart the Netlogon service, so:

Net Stop Netlogon
Net Start Netlogon

This will begin to populate %Windir%\debug\netlogon.log, but we’re going to need to make some sense of it. This is where the debug tools come in. You’re going to want to install Windows “Account Lockout and Management Tools”.

Wherever you install this to, you can then run Nlparse (*) and “Open” netlogon.log. You can filter on a whole bunch of options, but you’ll probably mostly want “0xC000006A The value provided as the current password is not correct”. Hit “Extract” and alongside netlogon.log you’ll now find netlogon.log-out.csv (and netlogon.log-summaryout.txt, but we don’t need that). This CSV file lists all the bad password entries, showing the user attempted and the device used.

11/05 ,21:19:05,SamLogon: Network logon,(null)\dsmith,Retina-MacBook-Pro.local,0xC000006A
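With more than a handful of rows it is quicker to count failures per account and device than to read the CSV by eye. The PowerShell below is an added example, not part of the original post or of the Microsoft tools; the column names and the `Get-BadPasswordSummary` function are made up for illustration, and the column order is assumed to match the single sample row shown above.

```powershell
# Added example: count bad-password rows per account and device.
# Constructed sample input. The first row is the one from this post, the rest
# are invented. For real data use:
#   $rows = Get-Content "$env:windir\debug\netlogon.log-out.csv"
$rows = @(
    '11/05 ,21:19:05,SamLogon: Network logon,(null)\dsmith,Retina-MacBook-Pro.local,0xC000006A'
    '11/05 ,21:19:07,SamLogon: Network logon,(null)\dsmith,Retina-MacBook-Pro.local,0xC000006A'
    '11/05 ,21:19:09,SamLogon: Network logon,(null)\dsmith,Retina-MacBook-Pro.local,0xC000006A'
    '11/05 ,21:20:41,SamLogon: Network logon,(null)\jdoe,FRONTDESK-PC,0xC000006A'
    '11/05 ,21:19:11,SamLogon: Network logon,(null)\dsmith,Retina-MacBook-Pro.local,0xC0000234'
)

function Get-BadPasswordSummary {
    param(
        [string[]]$Lines,
        # 0xC000006A = wrong password, the filter used in Nlparse above
        [string]$Status = '0xC000006A'
    )
    # Assumed column labels; the CSV layout is inferred from the sample row.
    $columns = 'Date', 'Time', 'LogonType', 'Account', 'Device', 'Status'

    $Lines |
        Where-Object { $_ -match '\S' } |                        # skip blank lines
        ConvertFrom-Csv -Header $columns |
        Where-Object { "$($_.Status)".Trim() -eq $Status } |     # also drops any header or short row
        Group-Object { $_.Account.Trim() }, { $_.Device.Trim() } |
        ForEach-Object {
            # The log carries no year, so timestamps are compared as text (MM/DD HH:MM:SS).
            $times = $_.Group |
                ForEach-Object { '{0} {1}' -f $_.Date.Trim(), $_.Time.Trim() } |
                Sort-Object
            [pscustomobject]@{
                Account  = $_.Group[0].Account.Trim()
                Device   = $_.Group[0].Device.Trim()
                Failures = $_.Count
                First    = $times | Select-Object -First 1
                Last     = $times | Select-Object -Last 1
            }
        } |
        Sort-Object Failures -Descending
}

Get-BadPasswordSummary -Lines $rows | Format-Table -AutoSize
```

The device with the highest failure count in the shortest First-to-Last window is the one to look at first.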

Once you know the culprit, you’ll need to fix it there (or block it from the network somehow).

Now that our work is done, don’t forget to disable logging, otherwise this will eat disk space fast!

nltest /dbflag:0
Net Stop Netlogon
Net Start Netlogon

And that’s a good job done 🙂

(*) I did find that Nlparse wouldn’t run without downloading and dropping a copy of Comdlg32.ocx into the directory.