Diagnostics via netlogon.log

We had a user whose account kept being locked out of the domain. Our policy locks an account on the fifth failed logon attempt, and the lockout would recur within seconds of clearing it. Finding which machine is the source of the bad attempts can be a pain unless you make good use of the logging that Windows already provides.

The simplest way to get a record of logon events is to enable Netlogon debug logging. In theory that only requires running nltest /dbflag:0x2080ffff from an elevated prompt to enable it, and nltest /dbflag:0x0 to disable it again. The log is written to %systemroot%\debug\netlogon.log on the domain controller where you run the command, so run it on the DC you want to capture from. Because bad-password attempts are forwarded to the PDC emulator, logging on that DC catches attempts that first hit any other DC. Remember to turn the logging off afterwards: the file is capped (the MaximumLogFileSize value under the same Netlogon\Parameters key, 20 MB by default) and rolls over to netlogon.bak, so a busy DC overwrites old entries quickly.

However, the command sometimes fails because a stray registry value is already in place. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters holds the DBFlag value that the nltest commands above manipulate. If an existing DBFlag value is of the wrong type, contains invalid data, or has permissions that prevent the tool from rewriting it, nltest can fail. Delete the DBFlag value, run the command again to turn logging on or off, and the value is regenerated correctly.
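The enable/disable procedure and the stale-DBFlag workaround above, wrapped in a small PowerShell script. This is an added example and not code from the original post; the flag values and registry key are the ones the post names, while the function names and the retry logic are my own. Run it in an elevated PowerShell session on the domain controller.

```powershell
# Added example: enable or disable Netlogon debug logging with nltest, and
# clear a stale DBFlag value when nltest refuses to update it.
# Function names are made up for this example; 0x2080ffff and the
# Parameters key are the values from the post.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Reset-NetlogonDbFlag {
    # Remove an existing DBFlag value so nltest can recreate it cleanly.
    $existing = Get-ItemProperty -Path $NetlogonParams -Name DBFlag -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        $kind = (Get-Item -Path $NetlogonParams).GetValueKind('DBFlag')
        Write-Host "Removing existing DBFlag ($kind = $($existing.DBFlag))"
        Remove-ItemProperty -Path $NetlogonParams -Name DBFlag
    }
}

function Set-NetlogonDebug {
    param([Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$State)

    $flag = if ($State -eq 'On') { '0x2080ffff' } else { '0x0' }
    $out = & nltest.exe "/dbflag:$flag" 2>&1
    if ($LASTEXITCODE -ne 0) {
        # nltest can fail when a stale or mistyped DBFlag is already present:
        # delete it and try once more.
        Write-Warning "nltest failed ($out); clearing DBFlag and retrying"
        Reset-NetlogonDbFlag
        $out = & nltest.exe "/dbflag:$flag" 2>&1
        if ($LASTEXITCODE -ne 0) { throw "nltest still failing: $out" }
    }

    # Confirm what actually landed in the registry rather than trusting nltest's output.
    $now = (Get-ItemProperty -Path $NetlogonParams -Name DBFlag -ErrorAction SilentlyContinue).DBFlag
    '{0}: DBFlag is now 0x{1:x8}' -f $State, [uint32]$now
}

Set-NetlogonDebug -State On
# Reproduce the lockout, inspect $env:SystemRoot\debug\netlogon.log, then:
# Set-NetlogonDebug -State Off
```

The registry read-back at the end is the useful part: if DBFlag is still not 0x2080ffff after a successful-looking nltest run, the value is being set somewhere else (a Group Policy preference, for example) and the log will stay empty.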

In our recent case, the log showed the name of the machine generating the repeated attempts, so we examined the services on that machine. A backup utility was configured to run under the user's old username/password pair and was generating the failed logons every time it tried to start. Setting the correct credentials cleared the issue. Services are only one place stale credentials hide; scheduled tasks, mapped drives and saved credentials on the same machine are worth checking if the services all look clean.
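The analysis step, as an added example that is not part of the original post: parse the "Returns" lines out of netlogon.log, count failed logons per account and source machine, then query the top source for services that log on as that account. The log lines below are constructed for the demo (the CORP domain, WKS01 and the account names are invented), and the function names are my own. The status codes are the standard NTSTATUS values Netlogon writes: 0xC000006A for a wrong password and 0xC0000234 for an already locked-out account.

```powershell
# Added example: find the machine behind a lockout from netlogon.log, then
# list services on that machine running under the affected account.
# Function names and all sample data are made up for this example.

# NTSTATUS codes Netlogon records on its "Returns" lines for failed logons.
$BadStatus = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function Get-NetlogonFailures {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Match "Returns" lines; "Transitive" entries carry "(via DCNAME)" because the
    # bad password was chained to this DC (the PDC emulator) from another one.
    $rx = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*logon of (?<acct>\S+) from (?:\\\\)?(?<src>[^\s(]+)(?: \(via (?<via>\S+)\))? Returns (?<status>0x[0-9A-Fa-f]{8})'
    foreach ($line in $Lines) {
        # PowerShell hashtable keys are case-insensitive, so 0xc000006a also matches.
        if ($line -match $rx -and $BadStatus.ContainsKey($Matches.status)) {
            [pscustomobject]@{
                Time    = $Matches.ts
                Account = $Matches.acct
                Source  = $Matches.src
                Via     = $Matches.via
                Status  = $BadStatus[$Matches.status]
            }
        }
    }
}

function Get-LockoutSources {
    param([Parameter(Mandatory)][string[]]$Lines)
    # One row per (account, source machine), worst offender first.
    Get-NetlogonFailures -Lines $Lines |
        Group-Object Account, Source |
        Sort-Object Count -Descending |
        Select-Object @{n = 'Account'; e = { $_.Group[0].Account } },
                      @{n = 'Source';  e = { $_.Group[0].Source } },
                      Count,
                      @{n = 'First';   e = { $_.Group[0].Time } },
                      @{n = 'Last';    e = { $_.Group[-1].Time } }
}

# Constructed sample lines (not a real capture) so the parser can be tried offline.
$sample = @(
    '08/16 09:01:12 [LOGON] [2912] CORP: SamLogon: Transitive Network logon of CORP\jsmith from WKS01 (via DC02) Entered',
    '08/16 09:01:12 [LOGON] [2912] CORP: SamLogon: Transitive Network logon of CORP\jsmith from WKS01 (via DC02) Returns 0xC000006A',
    '08/16 09:01:13 [LOGON] [2912] CORP: SamLogon: Transitive Network logon of CORP\jsmith from WKS01 (via DC02) Returns 0xC000006A',
    '08/16 09:01:14 [LOGON] [2912] CORP: SamLogon: Network logon of CORP\jsmith from \\WKS01 Returns 0xC000006A',
    '08/16 09:01:15 [LOGON] [2912] CORP: SamLogon: Network logon of CORP\jsmith from \\WKS01 Returns 0xC0000234',
    '08/16 09:02:40 [LOGON] [2912] CORP: SamLogon: Network logon of CORP\jsmith from \\LAPTOP7 Returns 0x0',
    '08/16 09:03:01 [LOGON] [2912] CORP: SamLogon: Network logon of CORP\bob from \\WKS05 Returns 0xC000006A'
)

Get-LockoutSources -Lines $sample | Format-Table -AutoSize
# On the DC, feed it the real file instead:
#   Get-LockoutSources -Lines (Get-Content "$env:SystemRoot\debug\netlogon.log")

# Query the top source (over WinRM) for services that log on as that account.
$top  = Get-LockoutSources -Lines $sample | Select-Object -First 1
$user = $top.Account.Split('\')[-1]          # CORP\jsmith -> jsmith
Get-CimInstance -ClassName Win32_Service -ComputerName $top.Source |
    Where-Object { $_.StartName -like "*$user*" } |
    Select-Object SystemName, Name, State, StartName
```

With the sample data the table shows CORP\jsmith from WKS01 with four failures in four seconds, ending in STATUS_ACCOUNT_LOCKED_OUT, which is exactly the "locked within seconds of a reset" pattern described above. The successful logon from LAPTOP7 and the single failure from WKS05 are left in to show that the grouping separates the real culprit from background noise.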