Track Account Lockouts Using the Checked Netlogon.dll

  • Section(s): Logon
  • Published on Apr 20, 2004.
  • Last Modified on Apr 20, 2004.
  • Last Modified by Wayne Maples.
  • Rated 4.7 out of 5 based on 3 votes.
Large numbers of failed logins due to bad passwords are a red flag for intrusion detection. If you need to generate more detailed data to track bad password attempts against Windows NT domains, install the checked build of Netlogon.dll on the PDC. This creates %systemroot%\debug\Netlogon.log, which captures more information about the bad password attempts. You will need to obtain the checked version of Netlogon.dll from Microsoft support or from the Microsoft DDK. To start generating the log:
  • Stop the Netlogon service on the PDC.
  • Rename the original netlogon.dll to netlogon.dll.original.
  • Copy the checked version of netlogon.dll to the system32 directory.
  • Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag to 0x20000004.
  • Start the Netlogon service on the PDC.
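
Once the log is being written, the bad password attempts can be tallied per account and source machine. The script below is an added example, not part of the original article: it assumes the commonly seen Netlogon.log line layout (`MM/DD HH:MM:SS [LOGON] SamLogon: ... logon of DOMAIN\user from HOST Returns 0x...`), and the sample lines, the `summarize` function and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

WRONG_PASSWORD = 0xC000006A  # NTSTATUS STATUS_WRONG_PASSWORD
LOCKED_OUT = 0xC0000234      # NTSTATUS STATUS_ACCOUNT_LOCKED_OUT

# Assumed line layout (the article does not show one):
# MM/DD HH:MM:SS [LOGON] SamLogon: <type> logon of DOMAIN\user from HOST Returns 0x...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?logon of "
    r"(?P<account>.+?) from (?P<source>.*?) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# Constructed sample lines, not taken from a real PDC.
SAMPLE_LOG = r"""
04/20 09:14:01 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS-017 Entered
04/20 09:14:01 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS-017 Returns 0xC000006A
04/20 09:14:03 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS-017 Returns 0xC000006A
04/20 09:14:05 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS-017 Returns 0xC000006A
04/20 09:14:07 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS-017 Returns 0xC0000234
04/20 09:20:11 [LOGON] SamLogon: Interactive logon of CORP\adavis from WKS-042 Returns 0xC000006A
04/20 09:20:30 [LOGON] SamLogon: Interactive logon of CORP\adavis from WKS-042 Returns 0x0
04/20 09:21:00 [MISC] unrelated debug output
"""

def summarize(log_text, threshold=3):
    """Return (suspects, lockouts): (account, source) pairs with at least
    `threshold` wrong-password results, and lockout events per account."""
    failures = Counter()
    lockouts = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "Entered" lines, other subsystems, blank lines
        code = int(m["status"], 16)
        account = m["account"].lower()  # account names are case-insensitive
        source = m["source"].strip().upper() or "(unknown)"  # source may be blank
        if code == WRONG_PASSWORD:
            failures[(account, source)] += 1
        elif code == LOCKED_OUT:
            lockouts[account].append((m["ts"], source))
    suspects = {k: n for k, n in failures.items() if n >= threshold}
    return suspects, dict(lockouts)

if __name__ == "__main__":
    suspects, lockouts = summarize(SAMPLE_LOG)
    for (account, source), n in suspects.items():
        print(f"{n} bad passwords for {account} from {source}")
    for account, events in lockouts.items():
        print(f"{account} locked out: {events}")
```

To run it against a real log, pass the contents of %systemroot%\debug\Netlogon.log to `summarize` in place of `SAMPLE_LOG`.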
