Tracking Down a Bad Password on the Domain

Ever run into the situation where an account on your domain starts getting disabled due to bad password attempts, and you can’t figure out where it’s coming from? For example, you just changed your domain password and your account suddenly starts getting locked out every 15 minutes. Usually that’s because there is still some service somewhere running under your old password (of course, you know better than to ever run a service under your logon account, right?) and you can’t easily find it. Follow these instructions and it’ll help provide clues to where the problem lies.

Auditing should be enabled on the domain level and on the domain controller organizational unit. By setting it in both locations, you avoid the situation where the policy on the domain controller organizational unit (OU) overrides the one set at the domain level.

·                     Windows 2000 and Windows Server 2003 domain.

·                     The Audit Policy section is located in the Default Domain Policy, under Computer Configuration, Windows Settings, Security Settings, Local Policies, and then Audit Policy.

·                                 Account Logon Events – Failure.

·                                 Account Management – Success & Failure.

·                                 Logon Events – Failure.

·                                 Process tracking – Success (only relevant on Windows Server 2003 domain controllers)

  • Increase the event log size on all domain controllers involved (PDC Emulator and the two DC’s affected within the site) in the lockouts to handle the additional audit events that will be generated when auditing is enabled.
  • Set the Maximum log size to 10,000 KB or more, and the retention method to overwrite events as needed.

You then will need to enable NETLOGON logging on all 3 DC’s as well.  To do this:

1. Start the Regedt32 program.2. Delete the Reg_SZ value of the following registry entry, create a REG_DWORD value with the same name, and then add the 2080FFFF hexadecimal value. 


3. At a command prompt, type net stop netlogon, and then type net start netlogon. This enables debug logging.

4. To disable debug logging, change the data value to 0x0 in the following registry key:


5. Quite Regedt32

6. Stop Net Logon and then restart Net Logon.

The log for this is located at: %windir%debugnetlogon.log

Once this is done, wait until a lockout occurs.  Once lockout occurs, review the security event and netlogon logs from all three DC’s.

Leave a Reply

Your email address will not be published.