Issuing the command, nltest /dbflag:0x20000004 at a command prompt will maintain a log in a folder on the server. The directory is, %systemroot%\debug\netlogon.log. This folder and file are always there but aer empty. By running this command, it will track user logon activity and very simple to do and see.

This method doesn't require additional services to be added or a server restart. The log file is always there but always empty. After issuing the command, user logon activity is logged and easier to view than the system or security log in Event Viewer.

To view failed logon attempts issue the command:

findstr /I "0xC0000064" c:\winnt\debug\netlogon.log >> d:\save\failed.txt

This will create a file that will contain only failed logon attempts and from which system they came from. Change the paths to match your system and location you wish to place the output file. The file could be emailed automatically at a scheduled interval using a batch file and Task Scheduler.

When the log grows to 19MB, it's backed up to a netlogon.bak file in the same folder and a new file is created. This is a low maintenance method to track logon attempts to the server to check for inside intruders and scanners that may be running against your desktops or servers trying to find unauthorized access.


For a more detailed example please see:

http://www.bloglines.com/blog/Puppet

For more information on the command please download the following document from Microsoft:

http://download.microsoft.com/download/a/8/7/a87526d3-b794-4d93-865a-07c9c2b076e4/TrackNetLogDebug.doc

http://jcsearch.com/blogs/desktopsupport

More Technical Support Recomendations and Reviews:

SimpleTech NAS Storage STI-NAS/500 Reviewed



http://remotesupport.spaces.live.com/blog/cns!4332AD0A933BC068!165.entry

To add a comment please login by clicking here