| KB ID: | 10004 |
| Last Revision: | November 26, 2006 |
| Version: | 1.0 |
Search: Find all computers that a specific user failed to log onto.
The primary logon failures to a computer are logged as:
- Logon Failure (ID: 529)
- Pre-authentication Failed (ID: 675)
In addition to Logon Failures (ID: 529), failed logons to remote machines might be logged as Pre-authentication Failed (ID: 675). The difference between the two is that the IP address logged by a Logon Failure sometimes contains the IP address of the remote computer if the user is logging in remotely via Terminal Services (aka Remote Desktop), whereas the IP address logged in a Pre-authentication Failure is always the IP address of the computer being logged onto. The name of the computer being logged onto isn't logged, but should be easily obtainable from the IP address in the log.
PREREQUISITES
The name (aka sAMAccountName) of the user.
ESTIMATED QUERY TIME
< 1 second.
METHOD 1 (Quick Search)
1. Enter the username in the Quick Search field and click Go.
2. (If needed) Turn off "Activity logs BY object" and "Activity logs TO object".
3. Sort by S/F (Success/Failure) and sort by logs with the type of "F".
4. (If needed) Turn on Smart Filter and disable any events that contain information you are not looking for.
Note: A Service Ticket Request is also logged when the user authenticates via Kerberos (for example, Outlook uses Kerberos to authenticate to a Microsoft Exchange Server). In this scenario, you can use the Smart Filter to filter out Kerberos authentications that are not logons.
METHOD 2 (Advanced Search)
1. Enter the username in the Client Name field.
2. Select Logon Events only.
3. Select the Type as "Failure".
4. Click Submit.
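The same search can be run over exported events outside the product. The script below is an added example, not part of this KB article or the product. It groups one user's 529 and 675 failures by logged IP address and lists addresses with repeated failures; the record layout (the dict keys), the sample events and the threshold are assumptions.

```python
from collections import defaultdict

# Event IDs named in this article.
FAILURE_IDS = {529: "Logon Failure", 675: "Pre-authentication Failed"}

# Constructed sample records, not real logs. The keys "event_id", "user"
# and "address" are assumed names for fields exported from the Security log.
SAMPLE_EVENTS = [
    {"event_id": 529, "user": "jsmith", "address": "10.0.0.21"},
    {"event_id": 675, "user": "jsmith", "address": "10.0.0.21"},
    {"event_id": 675, "user": "JSmith", "address": "10.0.0.35"},
    {"event_id": 529, "user": "jsmith", "address": "10.0.0.21"},
    {"event_id": 529, "user": "jsmith", "address": ""},           # no IP logged
    {"event_id": 673, "user": "jsmith", "address": "10.0.0.21"},  # service ticket request, not a logon
    {"event_id": 529, "user": "adavis", "address": "10.0.0.35"},  # different user
]


def failed_logons(events, username):
    """Return {address: {529: count, 675: count}} for one sAMAccountName."""
    wanted = username.lower()  # sAMAccountName comparison is case-insensitive
    summary = defaultdict(lambda: {529: 0, 675: 0})
    for ev in events:
        if ev["event_id"] not in FAILURE_IDS:
            continue  # drops Kerberos service tickets and other noise
        if ev["user"].lower() != wanted:
            continue
        addr = ev.get("address") or "(no address logged)"
        summary[addr][ev["event_id"]] += 1
    return dict(summary)


def repeated_failures(summary, threshold):
    """Addresses whose combined 529 + 675 count reaches the threshold."""
    return sorted(a for a, c in summary.items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    result = failed_logons(SAMPLE_EVENTS, "jsmith")
    for addr, counts in sorted(result.items()):
        detail = ", ".join(f"{FAILURE_IDS[i]}: {n}" for i, n in counts.items())
        print(f"{addr:22} {detail}")
    print("Repeated failures from:", repeated_failures(result, threshold=3))
```

Resolve each reported address to a computer name separately, since the events do not carry the name of the computer being logged onto.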
LIKELY SCENARIOS IT APPLIES TO
- You want to know what computers a particular user has been failing to log onto.
- You want the usage information of a user.
- You want to know if the particular user account has been the target of brute force attempts to log on.
FINE TUNE YOUR SEARCH
If you know the time scope, domain of the computers, or want to restrict your searches to users in a specific domain you can fine tune your search.

