Thursday, February 21, 2013

Enabling debug logging for the Net Logon service

Currently, I am using this tool from Microsoft to trace and track which systems/users are having account lockout problems, whether caused by the user or by worm_Conficker: Account Lockout and Management Tools

After downloading the executable file, extract it to any folder. Before using the tool, you need to activate debug logging on your Domain Controller first.

To activate it, you need to add a registry value on your Domain Controller. Here is the link to the Microsoft web page.

In short -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag (REG_DWORD): hexadecimal value 2080FFFF to enable, 0 to disable.

Alternatively, you can use the nltest command to enable and disable the debug logging, and the net command to stop and start the Net Logon service. Remember to restart the Net Logon service after enabling or disabling the debug logging.

Enable debug logging -> nltest /dbflag:0x2080ffff
Disable debug logging -> nltest /dbflag:0x0

Stop Net Logon service -> net stop netlogon
Start Net Logon service -> net start netlogon

Nltest is included as part of Windows Server 2008 and is also available as part of the Support Tools packages on the installation media for Windows Server 2003, Windows XP, and Windows 2000. 

The netlogon.log file is normally in the debug folder of the Windows system directory (e.g. C:\Windows\debug\netlogon.log) on the Domain Controller where you enabled the debug logging.

To delete the netlogon.log file after debugging, you need to stop the Net Logon service before deletion (the service keeps the file open). After deletion you can start the Net Logon service again. The commands to do so are as follows (run from the debug folder).

net stop netlogon
del netlogon.log
net start netlogon
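The same enable/disable steps as a PowerShell script, plus a small parser that summarises the failed logons recorded in netlogon.log by account and source client (which is what the lockout investigation above is after). This is an added example, not code from the original post or from Microsoft's tools; it assumes it is run elevated on the Domain Controller, and the sample log lines are constructed from the documented netlogon.log "SamLogon ... Returns 0x..." layout.

```powershell
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$logPath = Join-Path $env:windir 'debug\netlogon.log'

function Enable-NetlogonDebug {
    # Same effect as "nltest /dbflag:0x2080ffff" followed by a service restart
    Set-ItemProperty -Path $regPath -Name DBFlag -Value 0x2080FFFF -Type DWord
    Restart-Service -Name Netlogon -Force
}

function Disable-NetlogonDebug {
    # Same effect as "nltest /dbflag:0x0" followed by a service restart
    Set-ItemProperty -Path $regPath -Name DBFlag -Value 0 -Type DWord
    Restart-Service -Name Netlogon -Force
}

function Get-FailedLogonSources {
    param([string[]]$Lines)
    # Only the "Returns" lines carry the result; 0xC000006A is STATUS_WRONG_PASSWORD
    # and 0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT, the two that matter for lockouts.
    $pattern = 'logon of (?<acct>\S+) from \\\\(?<client>\S+) .*Returns (?<status>0x[0-9A-Fa-f]+)'
    $Lines | ForEach-Object {
        if ($_ -match $pattern -and $Matches.status -in '0xC000006A', '0xC0000234') {
            [pscustomobject]@{
                Account = $Matches.acct
                Client  = $Matches.client
                Status  = $Matches.status
            }
        }
    } | Group-Object Account, Client | Sort-Object Count -Descending |
      Select-Object Count, Name
}

# Constructed sample lines (hypothetical domain, users and hosts) so the parser
# can be tried without a real log; on a DC use: Get-Content $logPath
$sample = @(
    '02/21 09:15:22 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from \\WKS01 (via \\FS01) Entered',
    '02/21 09:15:22 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from \\WKS01 (via \\FS01) Returns 0xC000006A',
    '02/21 09:15:40 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from \\WKS01 (via \\FS01) Returns 0xC0000234',
    '02/21 09:16:03 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from \\LAPTOP07 (via \\FS01) Returns 0x0'
)
Get-FailedLogonSources -Lines $sample
# Workflow on a DC: Enable-NetlogonDebug; wait for the lockouts to recur;
# Get-FailedLogonSources -Lines (Get-Content $logPath); Disable-NetlogonDebug
```

The top entry of the output is the client most often submitting bad credentials for that account, which is where to look for the cached password, mapped drive, scheduled task or infected host behind the lockouts.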
