So this should be pretty straightforward, but it turns out that it isn't. I looked up the event ID for failed logon attempts: 529. OK, so now I just search for all the 529 events in the log files. Wow, there are a lot. But since I like to test things out a bit before I get too far into a project, I ran over to a workstation and tried to log in with a user account that doesn't exist. That should generate a 529 event, right?
server.domain.com MSWinEventLog 0 Security 40398013 Mon Mar 15 13:19:27 2010 672 Security SYSTEM User Failure Audit SERVER Account Logon Authentication Ticket Request: User Name: Bigpooper Supplied Realm Name: DOMAIN User ID: - Service Name: krbtgt/DOMAIN Service ID: - Ticket Options: 0x40810010 Result Code: 0x6 Ticket Encryption Type: - Pre-Authentication Type: - Client Address: workstation_ip Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: 40383305
Weird. I'm getting a 672 event instead of a 529. According to this document, "If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 672." That describes the Success Audit case, though. What I got is a Failure Audit 672 with Result Code 0x6, which is the KDC telling the workstation that the client principal is unknown, so no TGT was issued: the message says Bigpooper did not log on, and that matches what happened. Either way, 529 is nowhere to be found. Which raises the question: what do all the 529 events in my log files really mean? I did some reading and saw that 529 is logged on the machine where the logon attempt itself was processed, so for a domain account authenticated by Kerberos the failure shows up on the DC under 672 rather than as a 529. Still, despite my best efforts, I have not been able to force a 529 event.
Obviously I need to keep track of both of these event IDs. The thing that is irritating me is that it seems like there are dozens of different IDs for failed logon attempts, and the same ID can be either a Success Audit or a Failure Audit, so the number alone doesn't tell you the outcome. Sometimes a single attempt will result in multiple entries with different IDs. Other times an event is pretty straightforward.
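To make the point concrete, here is an added example (my own code, not from the original post) that parses Snare-style MSWinEventLog lines like the one quoted above and counts failed logons by the audit type column and the Kerberos result code, instead of by event ID alone. The sample lines are constructed for this example: host names, users, times and client addresses are made up, and the 675 pre-authentication line is an assumption added to show that the same check covers other failure IDs.

```python
import re
from collections import Counter

# Constructed sample log: tab-separated Snare fields, modelled on the
# line quoted in the post. Nothing here is a real host, user or address.
SAMPLE_LOG = "\n".join([
    "server.domain.com\tMSWinEventLog\t0\tSecurity\t40398013\tMon Mar 15 13:19:27 2010\t672\tSecurity\tSYSTEM\tUser\tFailure Audit\tSERVER\tAccount Logon\tAuthentication Ticket Request: User Name: Bigpooper Supplied Realm Name: DOMAIN User ID: - Service Name: krbtgt/DOMAIN Service ID: - Ticket Options: 0x40810010 Result Code: 0x6 Ticket Encryption Type: - Pre-Authentication Type: - Client Address: 10.0.0.25\t40383305",
    "server.domain.com\tMSWinEventLog\t0\tSecurity\t40398014\tMon Mar 15 13:20:01 2010\t672\tSecurity\tSYSTEM\tUser\tSuccess Audit\tSERVER\tAccount Logon\tAuthentication Ticket Request: User Name: alice Supplied Realm Name: DOMAIN User ID: DOMAIN\\alice Service Name: krbtgt/DOMAIN Service ID: DOMAIN\\krbtgt Ticket Options: 0x40810010 Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type: 2 Client Address: 10.0.0.26\t40383306",
    "server.domain.com\tMSWinEventLog\t0\tSecurity\t40398015\tMon Mar 15 13:21:10 2010\t529\tSecurity\tSYSTEM\tUser\tFailure Audit\tSERVER\tLogon/Logoff\tLogon Failure: Reason: Unknown user name or bad password User Name: bob Domain: SERVER Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: SERVER\t40383307",
    # Assumed extra line: Kerberos pre-authentication failure (wrong password).
    "server.domain.com\tMSWinEventLog\t0\tSecurity\t40398016\tMon Mar 15 13:22:45 2010\t675\tSecurity\tSYSTEM\tUser\tFailure Audit\tSERVER\tAccount Logon\tPre-authentication failed: User Name: alice User ID: DOMAIN\\alice Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 10.0.0.26\t40383308",
])

# Result Code (672) or Failure Code (675) as a hex value; "-" means none.
CODE_RE = re.compile(r"(?:Result|Failure) Code:\s*(0x[0-9A-Fa-f]+)")
USER_RE = re.compile(r"User Name:\s*(\S+)")
CLIENT_RE = re.compile(r"Client Address:\s*(\S+)")


def parse_snare_line(line):
    """Split one Snare MSWinEventLog line into the fields we care about.

    Snare column order: host, MSWinEventLog, criticality, log name,
    counter, timestamp, event ID, source, user, SID type, audit type,
    computer, category, event data, counter.
    """
    fields = line.split("\t")
    if len(fields) < 14 or fields[1] != "MSWinEventLog":
        return None  # not a Windows event line; skip it
    data = fields[13]
    code = CODE_RE.search(data)
    user = USER_RE.search(data)
    client = CLIENT_RE.search(data)
    return {
        "host": fields[0],
        "event_id": int(fields[6]),
        "audit": fields[10],
        "category": fields[12],
        "user": user.group(1) if user else None,
        "code": code.group(1) if code else None,
        "client": client.group(1) if client else None,
    }


def naive_failed_count(text):
    """The first attempt from the post: count only event ID 529."""
    return sum(1 for line in text.splitlines()
               if (ev := parse_snare_line(line)) and ev["event_id"] == 529)


def failed_logons(text):
    """Every event the DC or workstation itself marked as a Failure Audit.

    The audit type column decides, so a 672 with a Failure Audit and a
    Result Code is a failed TGT request, not a successful logon.
    """
    out = []
    for line in text.splitlines():
        ev = parse_snare_line(line)
        if ev and ev["audit"] == "Failure Audit":
            out.append(ev)
    return out


def failures_by_event_and_code(text):
    """Counter keyed on (event ID, result/failure code) for reporting."""
    return Counter((ev["event_id"], ev["code"]) for ev in failed_logons(text))


if __name__ == "__main__":
    print("529-only count:", naive_failed_count(SAMPLE_LOG))
    for ev in failed_logons(SAMPLE_LOG):
        print(ev["event_id"], ev["audit"], ev["user"], ev["code"], ev["client"])
    print(dict(failures_by_event_and_code(SAMPLE_LOG)))
```

On the constructed input the 529-only search finds one failure while the audit-type check finds three, and the successful 672 for alice is correctly left out. In a real deployment the regexes should be checked against your own exporter's output, since the field order and wording above are those of the Snare line quoted in the post.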
Anyway, there is a lot of guidance on the Internet about how to audit failed logon events. It pays to take a moment to test the information you're given before you write scripts that report incorrect or incomplete information back to you. After all, the only thing worse than no information is incorrect information.