Logon troubleshooting

By SuperG - Last updated: Tuesday, April 3, 2012

Ok so today I had a problem with an account that kept getting locked out due to bad passwords. The user had just changed their password. To try and find out where the issue is, I turned up the debug on netlogon on the DC. This way I can see where the logon event is coming from. Below is some good info for netlogon debugging.

Log files can be searched for logon problems

Do this on the PDC

First enable Debug mode for netlogon:

nltest /dbflag:0x2080ffff

Restart netlogon service


You can pull the log lines for bad password entered using 0xc000006A:

type %windir%\debug\netlogon.log | find /i "0xc000006A" > badpassword.txt

You can pull the log lines for locked out accounts 0xc0000234:

type %windir%\debug\netlogon.log | find /i "0xc0000234" > lockout.txt

You can pull the log lines for usernames by using the username:

type %windir%\debug\netlogon.log | find /i "<username>" > user.txt

Afterwards disable debug mode:

nltest /dbflag:0x0

Restart netlogon service

Other return codes to look for:

0xC0000234 User logon with Account Locked

0xC000006A User logon with Misspelled or bad Password

0xC0000072 User logon to account disabled by Administrator

0xC0000193 User logon with Expired Account

0xC0000070 User logon from unauthorized workstation

0xC000006F User logon Outside authorized hours

0xC0000224 User logon with “Change Password at Next Logon” flagged

0xC0000071 User logon with Expired Password

0xC0000064 User logon with Misspelled or Bad User Account
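The find filters above pull raw lines for one code or one user at a time. As an added example (not part of the original post), this PowerShell function parses the [LOGON] lines into objects and counts failures per account and source machine, which is what shows where a lockout is coming from. The function name Get-NetlogonFailure, the assumed line layout and the sample domain, user and host names are all constructed for illustration.

```powershell
# Added example. Status meanings are the ones listed on this page.
$StatusText = @{
    '0xC0000234' = 'Account locked'
    '0xC000006A' = 'Bad password'
    '0xC0000072' = 'Account disabled'
    '0xC0000193' = 'Account expired'
    '0xC0000070' = 'Unauthorized workstation'
    '0xC000006F' = 'Outside authorized hours'
    '0xC0000224' = 'Change password at next logon'
    '0xC0000071' = 'Password expired'
    '0xC0000064' = 'Bad user account'
}

# Assumed line shape (not taken from the page):
#   MM/DD HH:MM:SS [LOGON] ... logon of DOMAIN\user from SOURCE (via SERVER) Returns 0xNNNNNNNN
# Successful logons return 0x0 and do not match the eight-digit status.
$Pattern = '^(?<when>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*? logon of (?<account>\S+) ' +
           'from (?<source>\S+)(?: \(via (?<via>[^)]+)\))? Returns (?<status>0x[0-9A-Fa-f]{8})'

function Get-NetlogonFailure {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ($Line -match $Pattern) {
            $code = '0x' + $Matches['status'].Substring(2).ToUpper()
            [pscustomobject]@{
                When    = $Matches['when']
                Account = $Matches['account']
                Source  = $Matches['source']   # machine the logon was attempted from
                Via     = $Matches['via']      # server that passed it to the DC, if any
                Status  = $code
                Meaning = $StatusText[$code]   # $null for codes not in the table
            }
        }
    }
}
# Constructed sample lines (hypothetical domain, user and host names).
$Sample = @'
04/03 09:14:02 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from PHONE-SYNC01 (via MAIL01) Entered
04/03 09:14:02 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from PHONE-SYNC01 (via MAIL01) Returns 0xC000006A
04/03 09:14:31 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from PHONE-SYNC01 (via MAIL01) Returns 0xC000006A
04/03 09:15:10 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from WKS042 Returns 0xC0000234
04/03 09:16:45 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\asmith from WKS007 Returns 0x0
'@ -split '\r?\n'

# For a real log: Get-Content "$env:windir\debug\netlogon.log" | Get-NetlogonFailure
$Sample | Get-NetlogonFailure |
    Group-Object Account, Source, Meaning |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The source with the highest bad-password count for the locked account is usually the device still presenting the old password.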

Debug flags:

////////////////////////////////////////////////////////////////////////
// Windows Server 2008, Windows Vista, Windows Server 2003, Windows 2000 Debug flags and their values
////////////////////////////////////////////////////////////////////////

#define NL_INIT 0x00000001 // Initialization
#define NL_MISC 0x00000002 // Misc debug
#define NL_LOGON 0x00000004 // Logon processing
#define NL_SYNC 0x00000008 // Synchronization and replication
#define NL_MAILSLOT 0x00000010 // Mailslot messages
#define NL_SITE 0x00000020 // Sites
#define NL_CRITICAL 0x00000100 // Only real important errors
#define NL_SESSION_SETUP 0x00000200 // Trusted Domain maintenance
#define NL_DOMAIN 0x00000400 // Hosted Domain maintenance
#define NL_2 0x00000800
#define NL_SERVER_SESS 0x00001000 // Server session maintenance
#define NL_CHANGELOG 0x00002000 // Change Log references
#define NL_DNS 0x00004000 // DNS name registration

//
// Very verbose bits
//

#define NL_WORKER 0x00010000 // Debug worker thread
#define NL_DNS_MORE 0x00020000 // Verbose DNS name registration
#define NL_PULSE_MORE 0x00040000 // Verbose pulse processing
#define NL_SESSION_MORE 0x00080000 // Verbose session management
#define NL_REPL_TIME 0x00100000 // replication timing output
#define NL_REPL_OBJ_TIME 0x00200000 // replication objects get/set timing output
#define NL_ENCRYPT 0x00400000 // debug encrypt and decrypt across net
#define NL_SYNC_MORE 0x00800000 // additional replication dbgprint
#define NL_PACK_VERBOSE 0x01000000 // Verbose Pack/Unpack
#define NL_MAILSLOT_TEXT 0x02000000 // Verbose Mailslot messages
#define NL_CHALLENGE_RES 0x04000000 // challenge response debug
#define NL_SITE_MORE 0x08000000 // Verbose sites

//
// Control bits.
//

#define NL_INHIBIT_CANCEL 0x10000000 // Don't cancel API calls
#define NL_TIMESTAMP 0x20000000 // TimeStamp each output line
#define NL_ONECHANGE_REPL 0x40000000 // Only replicate one change per call
#define NL_BREAKPOINT 0x80000000 // Enter debugger on startup
