[Edit Feb 14/2012] The full list of audit events in Windows 2008 can be downloaded here; see also KB947226.
Please read the difference between an "Account Logon/Logoff" event and a "Logon/Logoff" event first.
- First, use lockoutstatus to find the initial authenticating DC (more often than not the PDC is not the initial authenticating DC; it shows the same event IDs mentioned below merely because the other DCs check with the PDC for the latest password) and the time of the logon attempt
- Then go to the authenticating DC and check its security log. Pin-point the log entry using the time identified by lockoutstatus
- We are looking for event ID 675 (4771 in Windows 2008); the client IP in that event is the offending machine that sent the bad passwords
- Failure code in event ID 675 (this is the corresponding Kerberos error code; full list here):
  - 0x18: the original wrong password
  - 0x12: logged after the fact, once the account has already been locked
- Logon type (in the Logon/Logoff events):
  - 2: interactive
  - 3: network
  - 5: service
  - 10: remote interactive
- Other events to look for:
client side
- 529 (wrong pwd, on the source member server, category Logon/Logoff)
- 531 (account is disabled, member server)
- 530 (outside of the allowed logon time window)
- 532 (expired account)
- 533 (lack of user rights)
- 644 (account is locked, logged on the DC)
- 675 (wrong pwd, logged on the DC, category Account Logon (changed to Credential Validation in 2k8); a Kerberos event ID 4 should be logged in the System log as well)
- 676, obsoleted
- 681, obsoleted
If there is a large quantity of event 675 entries, they are most likely coming from an application.
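As an added example (not part of the original post), the steps above done from PowerShell on a Windows 2008 or later DC: pull the 4771 events from the authenticating DC's Security log in a window around the time lockoutstatus reported, and count them per client IP and failure code. The DC name, account and time are placeholders you would replace with what lockoutstatus gave you.

```powershell
# Added example, not from the original post. Assumes: $Dc is the authenticating DC
# found with lockoutstatus, $User the locked-out account, $When the attempt time
# reported by lockoutstatus (all placeholders). Needs Kerberos Authentication Service
# auditing enabled on the DC and rights to read its Security log remotely.
$Dc        = 'DC01'
$User      = 'jdoe'
$When      = Get-Date '2012-02-14 09:30'
$WindowMin = 30

# Meaning of the Status field (Kerberos error code) as used on this page
$failureCodes = @{
    '0x18' = 'bad password (the original wrong-password attempt)'
    '0x12' = 'client revoked (logged after the account is already locked)'
}

$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4771                      # Kerberos pre-authentication failed (675 on 2003)
    StartTime = $When.AddMinutes(-$WindowMin)
    EndTime   = $When.AddMinutes($WindowMin)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The interesting fields only live in the event XML, so parse EventData by name
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.TargetUserName -ne $User) { continue }
    $meaning = $failureCodes[$data.Status]
    if (-not $meaning) { $meaning = 'other - check the Kerberos error code list' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        ClientIP = $data.IpAddress -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
        Status   = $data.Status
        Meaning  = $meaning
    }
}

# One line per offending client and failure code: the high-count 0x18 source is the
# machine sending bad passwords; a steady flood of them usually points at an application.
$rows | Group-Object ClientIP, Status | Sort-Object Count -Descending |
    ForEach-Object { '{0,5}  {1}  {2}' -f $_.Count, $_.Name, $_.Group[0].Meaning }
```

On a Windows 2003 DC the same approach applies to event 675, but the fields are in the message text rather than structured EventData, so they have to be parsed from `$e.Message` instead.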
- Going extreme:
- Enable the netlogon log on the PDC, the authenticating DC and the member server
- First look at the netlogon log on the PDC, in which you can find the authenticating DC as well
- Note how often the logon attempts happen
- Error codes: full list here