Tracing Users and Account Logon – Events and Errors Monitoring

Logon and logoff information is found in Event IDs 528 and 540 for a successful logon and Event ID 538 for a logoff. There are more events where this information can be seen, but these will give you a general idea of where accounts log on and off. If you are troubleshooting why an account is failing, or for example who or what is locking out the user that calls in every day to have his account unlocked, you may want to look at the following events.
Logon types in Event IDs 528, 540 and 538:

Logon Type 2 – Interactive
This type indicates that the user logged on either physically at the console or via some sort of KVM solution (iLO for HP blades, for example).

Logon Type 3 – Network
Typically indicates that the user logged on via an SMB connection (file shares, printers). IIS Windows Integrated authentication and Kerberos authentication also log the logon as type 3.

Logon Type 4 – Batch
This indicates that the account was logged on from a scheduled job. It also happens when using at.exe to run a job immediately.

Logon Type 5 – Service
This indicates that the account that logged on is configured as the logon account of a service.

Logon Type 7 – Unlock
When a user unlocks the workstation after the desktop was locked, type 7 is logged in the event log.

Logon Type 8 – NetworkCleartext
Typically seen when using Basic authentication in IIS; unless encryption is offered at a lower level (SSL, for example), this would be very bad.

Logon Type 9 – NewCredentials
This indicates that a user used runas /netonly to authenticate to a remote resource on the network.

Logon Type 10 – RemoteInteractive
This indicates that the user logged on interactively via RDP (Terminal Server, Citrix desktop). Users and administrators logging on via the RDP protocol will show up as type 10 in the Event Viewer.

Logon Type 11 – CachedInteractive
This is usually seen on laptops where a user logs on to a notebook that is not connected to the network. Windows caches the credentials if the user previously logged on successfully on the network, which enables people to keep using their notebooks when not directly connected to it. If this is logged frequently on desktops in the domain, it may also indicate a problem with the LAN/WAN connections.

The indicator that a logon attempt was made while the account was locked out is Event ID 539. This event does not give the reason the account was locked; it only tells you that it is locked. Event IDs 675 and 681 give much more information on what went wrong in the logon process. The following list shows the failure codes for Event ID 675 in decimal and hex with their descriptions and, where applicable, the usual cause:

1 0x1 Client's entry in database has expired
2 0x2 Server's entry in database has expired
3 0x3 Requested protocol version # not supported
4 0x4 Client's key encrypted in old master key
5 0x5 Server's key encrypted in old master key
6 0x6 Client not found in Kerberos database – bad user name, or new account has not replicated to DC yet
7 0x7 Server not found in Kerberos database – new computer account has not replicated yet, or computer is pre-W2K
8 0x8 Multiple principal entries in database
9 0x9 The client or server has a null key – administrator should reset the password on the account
10 0xA Ticket not eligible for postdating
11 0xB Requested start time is later than end time
12 0xC KDC policy rejects request – workstation/logon time restriction
13 0xD KDC cannot accommodate requested option
14 0xE KDC has no support for encryption type
15 0xF KDC has no support for checksum type
16 0x10 KDC has no support for padata type
17 0x11 KDC has no support for transited type
18 0x12 Client's credentials have been revoked – account disabled, expired, or locked out
19 0x13 Credentials for server have been revoked
20 0x14 TGT has been revoked
21 0x15 Client not yet valid – try again later
22 0x16 Server not yet valid – try again later
23 0x17 Password has expired – the user's password has expired
24 0x18 Pre-authentication information was invalid – usually means bad password
25 0x19 Additional pre-authentication required*
31 0x1F Integrity check on decrypted field failed
32 0x20 Ticket expired – frequently logged by computer accounts
33 0x21 Ticket not yet valid
34 0x22 Request is a replay
35 0x23 The ticket isn't for us
36 0x24 Ticket and authenticator don't match
37 0x25 Clock skew too great – workstation's clock too far out of sync with the DC's
38 0x26 Incorrect net address – IP address change?
39 0x27 Protocol version mismatch
40 0x28 Invalid msg type
41 0x29 Message stream modified
42 0x2A Message out of order
44 0x2C Specified version of key is not available
45 0x2D Service key not available
46 0x2E Mutual authentication failed – may be a memory allocation failure
47 0x2F Incorrect message direction
48 0x30 Alternative authentication method required*
49 0x31 Incorrect sequence number in message
50 0x32 Inappropriate type of checksum in message
60 0x3C Generic error (description in e-text)
61 0x3D Field is too long for this implementation

The list of Event ID 681 error codes:

3221225572 The user name doesn’t exist.
3221225578 The user name is correct, but the password is wrong.
3221226036 The user is currently locked out.
3221225586 The account is currently disabled.
3221225583 The user tried to log on outside the user’s time-of-day restrictions.
3221225584 The user tried to log on outside the user’s workstation restrictions.
3221225875 The user account has expired.
3221225585 The user tried to log on with an expired password.
3221226020 The user tried to log on with an account on which the administrator has selected the User must change password at next logon option.

The one drawback of this type of investigation is that you really need to collect the events from all domain controllers, and in some cases also from the workstations and servers the account logs on to.
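As an added example (not from the original post) of the correlation this page describes, the Python script below merges 675/681/539 events exported from several domain controllers, decodes the failure codes using the lists above, and points at the workstation that produced the bad-password attempts preceding a 539 lockout. The CSV column layout and the event rows are constructed for the example, not any real tool's export format.

```python
import csv, io
from collections import Counter
# Lookup tables transcribed from the lists above (a subset).
KERB_675 = {0x06: "Client not found in Kerberos database",
            0x18: "Pre-authentication information was invalid",
            0x25: "Clock skew too great"}
NTLM_681 = {3221225572: "The user name doesn't exist.",
            3221225578: "The user name is correct, but the password is wrong.",
            3221226036: "The user is currently locked out."}
BAD_PASSWORD = {("675", 0x18), ("681", 3221225578)}  # the two "wrong password" codes
# Constructed sample: events from two DCs merged into one hypothetical CSV export
# (column layout is an assumption, not any tool's real format); 539 carries no code.
SAMPLE = """dc,event_id,user,workstation,code
DC1,675,jsmith,WS-042,0x18
DC1,675,jsmith,WS-042,0x18
DC2,681,jsmith,WS-042,3221225578
DC1,675,jsmith,WS-042,0x18
DC2,539,jsmith,WS-042,
DC1,675,jsmith,WS-099,0x25
DC1,681,bjones,SRV-01,3221225572
"""

def parse_events(text):
    """Read the export; int(..., 0) accepts both the 0x.. and the decimal codes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["code"] = int(r["code"], 0) if r["code"] else None
    return rows

def describe(event_id, code):
    """Map a 675 (Kerberos) or 681 (NTLM) failure code to its description."""
    if event_id == "675":
        return KERB_675.get(code, f"unknown Kerberos code {code:#x}")
    return NTLM_681.get(code, f"unknown NTLM status {code}")

def bad_password_sources(events):
    """Count bad-password failures per (user, workstation) across all DCs."""
    return Counter((e["user"], e["workstation"]) for e in events
                   if (e["event_id"], e["code"]) in BAD_PASSWORD)

def lockout_report(events):
    """For each account with a 539, name the workstation that sent the most bad passwords."""
    sources, report = bad_password_sources(events), {}
    for user in {e["user"] for e in events if e["event_id"] == "539"}:
        mine = {ws: n for (u, ws), n in sources.items() if u == user}
        if mine:
            ws = max(mine, key=mine.get)
            report[user] = (ws, mine[ws])
    return report
```

With the sample above, lockout_report() returns {"jsmith": ("WS-042", 4)}: WS-042 sent four wrong passwords (three Kerberos 0x18, one NTLM 3221225578) before the 539, while the 0x25 from WS-099 is a clock-skew problem and not counted.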