How to enable netlogon logging


  • With Native AD Auditing

  • With ADAudit Plus

    How to troubleshoot logon issues with ADAudit Plus

    In the ADAudit Plus web console, click 'Reports' and navigate to the 'User Management' section in the left pane, then select the 'Account Lockout Analyzer' report.

    In the report that opens, click 'Analyzer Details' to see whether the source of an account lockout was identified from the Netlogon log.


As an IT administrator, one of the issues you will resolve most frequently is unlocking user accounts and working out why a user was not authenticated to the domain. Event ID 4740 in Event Viewer records that a user account was locked out, but it names only the caller computer. If you need more detail about the lockout, such as which workstation keeps presenting the bad password, you can refer to the Netlogon log file.

Netlogon is a Windows service, hosted in the Local Security Authority process (lsass.exe), that runs in the background on domain members and domain controllers. It maintains the secure channel to the domain and performs pass-through authentication of NTLM logons, which is why its log on a domain controller records the account, the originating workstation and the result of each authentication attempt the DC handles. Kerberos authentication does not pass through Netlogon, so Kerberos failures are not in this log; for those, look at the KDC events (such as 4771) on the DC. Executing a few commands from an elevated Command Prompt enables Netlogon logging. After this you can open the Netlogon log file to check logon events and troubleshoot them. Of course, reading through a log file for a specific event is a cumbersome process, so to simplify this you can click the ADAudit Plus tab. ADAudit Plus is a real-time Active Directory (AD) change auditing solution that tracks changes to your AD infrastructure and provides an intuitive interface to view your network activity.

  • Step 1: Enable Netlogon logging

    In an elevated Command Prompt on the domain controller, enter the following command:

    Nltest /DBFlag:2080FFFF

    This writes the value DBFlag (REG_DWORD 0x2080FFFF) under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, which turns on verbose logging of logon and secure-channel activity. Run it on every domain controller that can service the logons you want to trace, since each DC writes only its own log. After executing the command, you can stop and start the Netlogon service to make sure entries are being written to the log file; on a DC this briefly interrupts the authentication that DC handles, so pick a quiet moment. The following commands do that:

    net stop netlogon
    net start netlogon

    When you have finished troubleshooting, turn verbose logging off again with Nltest /DBFlag:0x0, as it adds disk I/O on a busy domain controller.
  • Step 2: Increase log file capacity

    The default maximum size of the Netlogon log is 20 MB. When that size is reached, the existing Netlogon.log is renamed Netlogon.bak (replacing any earlier Netlogon.bak) and a new Netlogon.log is created to record new events, so on a busy domain controller the default can roll over before you get to read it.

    Keep in mind that the disk space you allot to Netlogon logging must be double the size you configure, because the same amount is used for the current log and for the backup. For example, if you want to allow 50 MB for the log, budget 100 MB of disk space: 50 MB for Netlogon.log and another 50 MB for Netlogon.bak.

    Run GPMC.msc to launch the Group Policy Management Console.

    Right-click the policy you want to configure and select 'Edit'. Rather than editing the Default Domain Policy, which applies to every computer in the domain, prefer a dedicated GPO linked to the Domain Controllers OU, since the domain controllers are where the logons you want to trace are recorded. In the Group Policy Management Editor, go to Computer Configuration > Administrative Templates > System > Net Logon. Double-click the 'Specify maximum log file size' setting, set it to Enabled, enter the file size in bytes and click OK. This setting writes the MaximumLogFileSize value (REG_DWORD, in bytes) under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, so you can verify it in the registry after the next policy refresh.

  • Step 3: Access your Netlogon files and understand common Netlogon codes

    You can open the Netlogon log by entering the following path in the 'Run' dialog box:

    %SYSTEMROOT%\debug\netlogon.log

    Each logon attempt produces a line ending in 'Entered' and a matching line ending in 'Returns' followed by the NT status code of the result; both carry the domain, the account and the workstation the request came 'from' (and, for a transitive logon, the DC it came 'via'). Below is a snippet of the Netlogon log file showing a successful logon event.

    Here are a few status codes you will see on the 'Returns' lines of the log. They are NT status values; the symbolic name is included so you can cross-reference them with other Windows logs.

    Log Code     Status name                    Description
    0x0          STATUS_SUCCESS                 Successful logon
    0xC000006D   STATUS_LOGON_FAILURE           Logon failed: unknown user name or bad password (a generic failure, not specifically a bad username)
    0xC0000072   STATUS_ACCOUNT_DISABLED        User account is disabled
    0xC000006F   STATUS_INVALID_LOGON_HOURS     Logon attempted outside the permitted logon hours
    0xC0000071   STATUS_PASSWORD_EXPIRED        The account's password has expired
    0xC000006A   STATUS_WRONG_PASSWORD          Incorrect password entered
    0xC000006C   STATUS_PASSWORD_RESTRICTION    Password does not satisfy the password policy
    0xC0000224   STATUS_PASSWORD_MUST_CHANGE    Password must be changed before the user can log on
    0xC000006E   STATUS_ACCOUNT_RESTRICTION     Logon failed because of a restriction on the account
    0xC0000193   STATUS_ACCOUNT_EXPIRED         User account has expired
    0xC0000234   STATUS_ACCOUNT_LOCKED_OUT      User account is locked out
    0xC0000064   STATUS_NO_SUCH_USER            User does not exist

    For lockout tracing, the lines to look for are repeated 0xC000006A results for the same account 'from' the same workstation shortly before a 0xC0000234. That workstation is where the stale credential (a cached password, a mapped drive, a scheduled task or a service logon) is being presented, and it is the place to fix rather than the DC that reported the lockout.
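Steps 1 and 2 as one script, added here as an example (it is not code from the original page or from ADAudit Plus). It is meant for an elevated PowerShell session on a domain controller, uses the same nltest command as above, and sets the log size through the MaximumLogFileSize registry value that the 'Specify maximum log file size' GPO setting writes. The 50 MB size, the variable and function names, and the verification output are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page: enable Netlogon debug logging and raise
# the log size on the local domain controller, then report what was configured.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$NetlogonLog    = Join-Path $env:SystemRoot 'debug\netlogon.log'

function Enable-NetlogonLogging {
    param([uint32]$LogSizeBytes = 50MB)   # 50MB is PowerShell's numeric suffix: 52428800 bytes

    # Step 1: identical to "Nltest /DBFlag:2080FFFF" at a Command Prompt; nltest writes
    # DBFlag = 0x2080FFFF under the Parameters key.
    nltest /DBFlag:2080FFFF | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "nltest failed with exit code $LASTEXITCODE" }

    # Step 2: the local equivalent of the GPO setting. If a GPO also defines this value,
    # the GPO overwrites it at the next policy refresh, so use the GPO for anything lasting.
    # Remember the disk budget is double this figure: Netlogon.log plus Netlogon.bak.
    Set-ItemProperty -Path $NetlogonParams -Name MaximumLogFileSize -Value $LogSizeBytes -Type DWord

    # Restart so both settings are certainly in use. On a DC this briefly interrupts the
    # pass-through authentication this host serves; do it in a quiet moment.
    Restart-Service -Name Netlogon

    $p = Get-ItemProperty -Path $NetlogonParams
    [pscustomobject]@{
        DBFlag             = '0x{0:X8}' -f ($p.DBFlag -band 0xFFFFFFFF)
        MaximumLogFileSize = $p.MaximumLogFileSize
        LogPath            = $NetlogonLog
    }
}

function Test-NetlogonLogging {
    # Sanity check after enabling: the flag is set and the log file exists and is being written.
    $p = Get-ItemProperty -Path $NetlogonParams -ErrorAction SilentlyContinue
    $file = Get-Item -Path $NetlogonLog -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FlagSet       = ($null -ne $p.DBFlag) -and (($p.DBFlag -band 0xFFFFFFFF) -eq 0x2080FFFF)
        LogExists     = $null -ne $file
        LogBytes      = if ($file) { $file.Length } else { 0 }
        LastWriteTime = if ($file) { $file.LastWriteTime } else { $null }
    }
}

function Disable-NetlogonLogging {
    # Turn verbose logging off when the investigation is over; it costs disk I/O on a busy DC.
    nltest /DBFlag:0x0 | Out-Null
    Restart-Service -Name Netlogon
}

Enable-NetlogonLogging -LogSizeBytes 50MB
Test-NetlogonLogging
```

Because each domain controller writes only its own log, run the script on every DC that can service the logons you are tracing (for example through Invoke-Command against the Domain Controllers OU), and call Disable-NetlogonLogging on each of them when you are done.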
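To make Step 3 less of a manual read, the following added example (not from the original page or from ADAudit Plus) summarises the 'Returns' lines of a Netlogon log by account, source workstation and status code, using the descriptions from the table above, so that the workstation sending bad passwords for a locked-out account stands out. It assumes the SamLogon line shape described in Step 3 ("... logon of DOMAIN\user from WORKSTATION [(via DC)] Returns 0x..."); the sample log lines at the bottom are constructed for the demonstration and are not real data.

```powershell
# Added example, not from the original page: group Netlogon "Returns" lines by
# account, source workstation and NT status code. Run against a real log with
#   Get-NetlogonLogonSummary -Path "$env:SystemRoot\debug\netlogon.log"

$NetlogonStatus = @{
    '0x0'        = 'Successful logon'
    '0xC000006D' = 'Logon failure (unknown user name or bad password)'
    '0xC0000072' = 'Account disabled'
    '0xC000006F' = 'Outside permitted logon hours'
    '0xC0000071' = 'Password expired'
    '0xC000006A' = 'Wrong password'
    '0xC000006C' = 'Password does not satisfy policy'
    '0xC0000224' = 'Password must be changed before logon'
    '0xC000006E' = 'Account restriction'
    '0xC0000193' = 'Account expired'
    '0xC0000234' = 'Account locked out'
    '0xC0000064' = 'No such user'
}

# Only the "Returns" line carries the outcome; the matching "Entered" line is skipped.
# The "(via DC)" part is present only on transitive logons forwarded by another DC.
$ReturnsPattern = 'logon of (?<acct>\S+) from (?<src>[^\s(]+)(?: \(via (?<via>[^)]+)\))? Returns (?<code>0x[0-9A-Fa-f]+)'

function Get-NetlogonLogonSummary {
    [CmdletBinding(DefaultParameterSetName = 'Path')]
    param(
        [Parameter(ParameterSetName = 'Path', Mandatory)][string]$Path,
        [Parameter(ParameterSetName = 'Lines', Mandatory)][string[]]$Lines
    )
    if ($PSCmdlet.ParameterSetName -eq 'Path') { $Lines = Get-Content -Path $Path }

    $counts = @{}
    foreach ($line in $Lines) {
        if ($line -match $ReturnsPattern) {
            # Normalise the hex so 0xc000006a and 0xC000006A land in the same bucket.
            $code = '0x' + $Matches['code'].Substring(2).ToUpperInvariant()
            $key  = '{0}|{1}|{2}' -f $Matches['acct'], $Matches['src'], $code
            $counts[$key] = 1 + [int]$counts[$key]
        }
    }

    $rows = foreach ($key in $counts.Keys) {
        $acct, $src, $code = $key -split '\|'
        $meaning = if ($NetlogonStatus.ContainsKey($code)) { $NetlogonStatus[$code] } else { 'Status code not in the table' }
        [pscustomobject]@{
            Account = $acct
            Source  = $src
            Code    = $code
            Meaning = $meaning
            Count   = $counts[$key]
        }
    }
    $rows | Sort-Object Count -Descending
}

# Constructed sample log (not real data) in the assumed SamLogon format: one account
# hammered with a wrong password from one workstation until it locks, plus two unrelated logons.
$sampleLines = @'
07/12 09:14:02 [LOGON] [1880] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-FIN-07 Entered
07/12 09:14:02 [LOGON] [1880] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-FIN-07 Returns 0xC000006A
07/12 09:14:09 [LOGON] [1880] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-FIN-07 Returns 0xC000006A
07/12 09:14:15 [LOGON] [1884] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-FIN-07 (via DC02) Returns 0xC000006A
07/12 09:14:21 [LOGON] [1884] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-FIN-07 Returns 0xC0000234
07/12 09:15:10 [LOGON] [1890] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WKS-HR-02 Returns 0x0
07/12 09:15:42 [LOGON] [1890] CONTOSO: SamLogon: Network logon of CONTOSO\svc_backup from SRV-BKP-01 Returns 0xC0000072
'@ -split "`r?`n"

Get-NetlogonLogonSummary -Lines $sampleLines | Format-Table -AutoSize
```

On the sample the top row is CONTOSO\jdoe from WKS-FIN-07 with three 0xC000006A results followed by a 0xC0000234, which is the pattern to act on: the bad password is coming from WKS-FIN-07, not from the DC that raised event 4740. When the logs from several DCs are combined (concatenate their Netlogon.log and Netlogon.bak files), the same grouping shows whether one workstation is hitting more than one DC.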

Active Directory auditing just got easier!

ADAudit Plus comes bundled with more than 300 predefined reports that make your AD auditing easier. The solution also sends real-time alerts for critical events, helping you secure your network from threats and improve your IT security posture. Check out the capabilities of ADAudit Plus here.
