6 Replies Latest reply on Nov 2, 2012 8:57 AM by mikesmith

    nDepth: Failed Logon

    aca5tle

      I am working on creating a custom report that looks for failed logins (that we consider more of a threat than a user fat-fingering their password), with the Status & Sub Status Codes that are now logged in Windows Vista+.

       

      To do so, I need to find the right data in the nDepth. It appears that what I want isn't really stored in LEM.

       

      The Event ID 4625 gives a little bit more than what I want. If the username is correct... that is no concern for this report, but if someone keeps logging in with

      • guessed usernames
      • while accounts are disabled
      • after hours

      we have a problem.

       

      I am looking for the following failed logons:

       

      Status and Sub Status Codes  Description (not checked against "Failure Reason:")
      ---------------------------  ---------------------------------------------------
      0xC0000064                   user name does not exist
      0xC0000072                   account is currently disabled
      0xC000006F                   user tried to logon outside his day of week or time of day restrictions
      0xC0000070                   workstation restriction
      0xC0000193                   account expiration
      0xC0000071                   expired password
      0xC0000133                   clocks between DC and other computer too far out of sync
      0xC0000224                   user is required to change password at next logon
      0xC0000225                   evidently a bug in Windows and not a risk
      0xc000015b                   The user has not been granted the requested logon type (aka logon right) at this machine

       

      Is there a way to retrieve this or make sure that it is logged in LEM?

      Thank you
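Added example, not part of the original post and not LEM or nDepth code: a Python filter that keeps only Event ID 4625 records whose Status or Sub Status matches the table above. It assumes the events are available as raw Windows Event XML with `Status`, `SubStatus` and `TargetUserName` data fields; the sample events, the helper names and the wrong-password code 0xC000006A used as the ignored case are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

WATCHED = {  # codes and descriptions taken from the table in the post above
    0xC0000064: "user name does not exist",
    0xC0000072: "account is currently disabled",
    0xC000006F: "logon outside day of week or time of day restrictions",
    0xC0000070: "workstation restriction",
    0xC0000193: "account expiration",
    0xC0000071: "expired password",
    0xC0000133: "clocks between DC and other computer too far out of sync",
    0xC0000224: "user is required to change password at next logon",
    0xC0000225: "evidently a bug in Windows and not a risk",
    0xC000015B: "user has not been granted the requested logon type",
}

def classify(event_xml):
    """Return (user, code, description) for a watched 4625 event, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    fields = root.iterfind("e:EventData/e:Data", NS)
    data = {f.get("Name"): f.text or "" for f in fields}
    for name in ("SubStatus", "Status"):  # SubStatus is the more specific value
        try:
            code = int(data.get(name, ""), 16)  # accepts 0xc... and 0xC...
        except ValueError:
            continue  # missing or malformed field
        if code in WATCHED:
            return data.get("TargetUserName"), f"0x{code:08X}", WATCHED[code]
    return None

def make_event(user, status, sub, event_id=4625):
    """Build a constructed sample event (not a real log record)."""
    fields = {"TargetUserName": user, "Status": status, "SubStatus": sub}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

SAMPLES = [  # constructed inputs
    make_event("ghost", "0xc000006d", "0xc0000064"),   # unknown user name
    make_event("alice", "0xc000006d", "0xc000006a"),   # wrong password: ignored
    make_event("bob", "0xc000006e", "0xc0000072"),     # disabled account
    make_event("carol", "0x0", "0x0", event_id=4624),  # successful logon
]

def report(events):
    return [hit for hit in map(classify, events) if hit]
```

Codes are compared as integers, so the lowercase hex that Windows writes and the uppercase form used in the table match the same entry.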