This type of problem is easily solved if you've set the DBFlag for logon
events for netlogon.  Otherwise it is almost impossible to track in an
environment with NT Desktops -- the event ends up in the event logs of
the offending desktop, not the DC.  In an environment with 9x desktops,
this is still difficult to track, since the events can be in the logs of
any DC, but are not centralized.  Debugging netlogon solves all that,
and is fairly easy -- only requiring a registry change on 2000 DCs.
 
Here are relevant articles --
http://support.microsoft.com/default.aspx?scid=kb;en-us;189541 
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;109626
 
Additionally, you will need to set up some method to recover the
netlogon text files and to make certain the DC's hard drive doesn't get
filled by them.

The following is a script to move the netlogon.log file when it fills.

My apologies if this gets poorly formatted in email
---------------


'Script to move a NETLOGON.LOG
'file when it reaches a certain size
Option Explicit

'declare variables
Dim FSO                 'FileSystem Object
Dim sSystemRoot         'System Root path
Dim sFilePath           'Full Path to the Netlogon.log file
Dim sWMIFilePath        'Path to Netlogon.log expressed with \\ for WMI
Dim sComputer           'Target Computer
Dim oWMIService         'Windows Management Service Object
Dim colMonitoredEvents  'Collection of monitored events
Dim oLatestEvent        'Trigger instance
Dim lTriggerSize        'Size at which to move the netlogon.log file in bytes
Dim lCurrentSize        'Size of file currently
Dim sTargetName         'Archive file name
                        ' - based on the lastmodified time of the file
Dim sArchivePath        'Path to archive files
Dim sTempPath           'initial path of renamed but unmoved file
Dim sTargetPath         'Full path of archive file


'initialize variables and objects
sComputer = "."         'local machine
'Path to archive files
sArchivePath = "\\servername\sharename\subfolder"
Set FSO = CreateObject("Scripting.FileSystemObject")
lTriggerSize = 67108864 '64 MB

'The file path is based on the system root
sSystemRoot = FSO.GetSpecialFolder(0)
sFilePath = sSystemRoot & "\debug\netlogon.log"
sWMIFilePath = Replace(sFilePath, "\", "\\")

'Instantiate WMI
Set oWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & _
    sComputer & "\root\cimv2")

'Now create an event sink for when the file is modified
Set colMonitoredEvents = oWMIService.ExecNotificationQuery _
    ("SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE " _
    & "TargetInstance ISA 'CIM_DataFile' and " _
    & "TargetInstance.Name='" & sWMIFilePath & "'")
Do
    Set oLatestEvent = colMonitoredEvents.NextEvent
    'Now determine if the file size is exceeded
    lCurrentSize = CLng(oLatestEvent.TargetInstance.FileSize)
    If lCurrentSize >= lTriggerSize Then
        'Now our criteria are met so begin to manipulate the log
        'first determine the last modified time for use as a filename
        '(LastModified is a CIM_DATETIME string; its first 14 characters
        ' are yyyymmddhhmmss)
        sTargetName = Left(oLatestEvent.TargetInstance.LastModified, 14) & ".log"
        sTempPath = sSystemRoot & "\debug\" & sTargetName
        'Rename the netlogon.log file appropriately
        FSO.MoveFile sFilePath, sTempPath
        'Now move the renamed file to the archive share
        sTargetPath = sArchivePath & "\" & sTargetName
        FSO.MoveFile sTempPath, sTargetPath
    End If
Loop

-----------------



Then all you need to do is filter the netlogon.log files.

-Patrick R. Sweeney http://boston.craigslist.org/bos/res/8484283.html
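The "filter the netlogon.log files" step, as an added example that is not part of the original post or either poster's tooling. It is a Python script that reads the live netlogon.log plus the yyyymmddhhmmss.log archives the script above produces, keeps only the SamLogon failure lines, and reports per account which client (and via which server, for pass-through logons) sent the bad credentials and when the DC first returned STATUS_ACCOUNT_LOCKED_OUT. That is the information the per-DC event 644 search cannot give centrally. The line layout it assumes (date/time, `[LOGON] SamLogon: ... Returns 0x...`) is the one Windows 2000/2003 DCs write once DBFlag is set under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters (KB 109626); the regex should be checked against a real line from your own DCs before you trust the counts. The NTSTATUS values are standard; the sample log lines, host names and account names are constructed, not captured from a DC.

```python
"""Filter Netlogon debug logs for the entries behind an account lockout.

Added example; not part of the original post. Assumes the line layout that
Windows 2000/2003 DCs write to %SystemRoot%\\debug\\netlogon.log when DBFlag
is set:

  MM/DD HH:MM:SS [LOGON] SamLogon: <kind> logon of DOMAIN\\user from CLIENT (via SERVER) Returns 0x<status>

The "(via SERVER)" part is present for pass-through logons only. The sample
lines below are constructed, not captured from a DC.
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, Iterator, Optional

# NTSTATUS values SamLogon returns for the failures that lead to, or signal, a lockout
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_LOGON_FAILURE = 0xC000006D
STATUS_NO_SUCH_USER = 0xC0000064
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234
FAILURE_CODES = {STATUS_WRONG_PASSWORD, STATUS_LOGON_FAILURE,
                 STATUS_NO_SUCH_USER, STATUS_ACCOUNT_LOCKED_OUT}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] SamLogon: "
    r"(?P<kind>.+?) logon of (?P<domain>[^\\\s]+)\\(?P<user>\S+) "
    r"from (?P<client>\S+)(?: \(via (?P<via>[^)]+)\))? "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: three bad passwords from WKS0412 relayed through FILESRV01,
# then the lockout; a clean interactive logon; one bad service-account password;
# plus "Entered" and [DOMAIN] chatter that the filter must ignore.
SAMPLE_LOG = r"""04/02 07:45:01 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS0412 (via FILESRV01) Entered
04/02 07:45:01 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS0412 (via FILESRV01) Returns 0xC000006A
04/02 07:45:03 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS0412 (via FILESRV01) Returns 0xC000006A
04/02 07:45:06 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS0412 (via FILESRV01) Returns 0xC000006A
04/02 07:45:09 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS0412 (via FILESRV01) Returns 0xC0000234
04/02 07:46:10 [LOGON] SamLogon: Interactive logon of CORP\jsmith from WKS0007 Returns 0x0
04/02 07:47:00 [LOGON] SamLogon: Transitive Network logon of CORP\svc_backup from (null) (via BKUPSRV) Returns 0xC000006A
04/02 07:47:02 [DOMAIN] Setting LsaPolicy RaceOK: 0
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a SamLogon 'Returns' line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"], 16)
    return rec


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per account (domain\\user, lower-cased): bad-credential attempts counted by
    (client, via) pair, and the timestamp at which the DC first returned
    STATUS_ACCOUNT_LOCKED_OUT. Accounts that only ever succeeded are omitted."""
    report: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in FAILURE_CODES:
            continue
        account = (rec["domain"] + "\\" + rec["user"]).lower()
        entry = report.setdefault(account, {"bad_creds": Counter(), "locked_at": None})
        if rec["status"] == STATUS_ACCOUNT_LOCKED_OUT:
            if entry["locked_at"] is None:
                entry["locked_at"] = rec["ts"]
        else:
            entry["bad_creds"][(rec["client"], rec["via"])] += 1
    return report


def scan_files(paths: Iterable[str]) -> Iterator[str]:
    """Yield lines from the live netlogon.log and the yyyymmddhhmmss.log archives.
    Sorting puts the timestamp-named archives in order and the live log last.
    The log is ANSI text, so latin-1 decoding never raises."""
    for path in sorted(paths):
        with open(path, "r", encoding="latin-1", errors="replace") as fh:
            yield from fh


def print_report(report: Dict[str, dict]) -> None:
    for account, entry in sorted(report.items()):
        state = f"locked out at {entry['locked_at']}" if entry["locked_at"] else "not locked out"
        print(f"{account}: {state}")
        for (client, via), n in entry["bad_creds"].most_common():
            origin = client if via is None else f"{client} via {via}"
            print(f"    {n:4d} bad credential(s) from {origin}")


if __name__ == "__main__":
    # With no arguments the constructed sample is used; otherwise pass the log files.
    lines = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print_report(summarize(lines))
```

Run it against the archived files from every DC at once (the archive share collects them, and each file name already carries the time the log rolled over), and the report names the workstation, or the member server relaying the logon, that is still presenting a stale password for the locked account.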

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Wednesday, April 02, 2003 7:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts


Hi everyone,

I was hoping that someone could help me out with this:

We have a mixed environment of W2K DCs and there is a requirement from
our Systems Support Centre to track Account Lockouts.

As this can take place on any DC I was wondering if someone out there
was using a tool to interrogate the directory to retrieve this
information from the DC that registers the lockout.

At the moment we have a tedious exercise of filtering each DC's log for
event ID 644.

Thanks in advance,

Yusuf 

Success is: "Set high aspirations in life. The Challenge is in our
minds. We are limited not by reality but by our own imaginations".

        ______________________________________________

        Disclaimer and confidentiality note 

        Everything in this e-mail and any attachments relating to the
official business of Standard Bank Group Limited is proprietary to the
company. It is confidential, legally privileged and protected by law.
Standard Bank does not own and endorse any other content. Views and
opinions are those of the sender unless clearly stated as being that of
Standard Bank. 

        The person addressed in the e-mail is the sole authorised
recipient. Please notify the sender immediately if it has
unintentionally reached you and do not read, disclose or use the content
in any way.

        Standard Bank can not assure that the integrity of this
communication has been maintained nor that it is free of errors, virus,
interception or interference.

        

             _______________________________________________


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
