I've inherited a Windows NT environment that includes four BDCs and a trusting PDC. Manually monitoring security on this network is frustrating. Can I automate the detection of logon failures or account lockouts across the domain?
The Microsoft Windows NT Server 4.0 Resource Kit includes dumpel.exe, a fascinating applet that you can use to accomplish such automation. After you install the resource kit, use the following sample code, which creates a batch file that dumps each domain member's event logs to a text file:
@echo off
dumpel.exe -s bdc1 -l security -m security -e 529 539 >> %temp%\securityevent.txt
dumpel.exe -s bdc2 -l security -m security -e 529 539 >> %temp%\securityevent.txt
dumpel.exe -s bdc3 -l security -m security -e 529 539 >> %temp%\securityevent.txt
dumpel.exe -s bdc4 -l security -m security -e 529 539 >> %temp%\securityevent.txt
dumpel.exe -s pdc1 -l security -m security -e 529 539 >> %temp%\securityevent.txt
dumpel.exe -s workstation1 -l security -m security -e 529 539 >> %temp%\securityevent.txt
The batch file filters each machine's Security log down to only the failure event IDs. This sample code appends all event ID 529 and event ID 539 occurrences to the securityevent.txt file, where you can examine them for logon problems. (Event ID 529 refers to logon failure as a result of an unknown username or bad password, and event ID 539 refers to logon failure because of a locked-out account.)
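Because the failures for one account can land on any of the BDCs or the PDC, the combined securityevent.txt is most useful once it is aggregated per account. The following Python script is an added example, not part of the column or the resource kit; it assumes dumpel was run with -t (tab-separated output) and that the columns are date, time, type, category, event ID, source, user, computer, followed by the event's insertion strings, of which the first is the user name and the sixth is the workstation name. The sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of securityevent.txt as the batch file above would build it
# (assumed dumpel -t layout: date, time, type, category, event ID, source, user,
# computer, then the 529/539 insertion strings: user, domain, logon type,
# logon process, auth package, workstation).
SAMPLE = """\
3/12/1999\t8:02:11 AM\t16\t2\t529\tSecurity\tSYSTEM\tBDC1\tjdoe\tCORP\t2\tUser32\tMSV1_0\tWS17
3/12/1999\t8:02:19 AM\t16\t2\t529\tSecurity\tSYSTEM\tBDC1\tjdoe\tCORP\t2\tUser32\tMSV1_0\tWS17
3/12/1999\t8:02:31 AM\t16\t2\t529\tSecurity\tSYSTEM\tBDC2\tjdoe\tCORP\t2\tUser32\tMSV1_0\tWS17
3/12/1999\t8:02:40 AM\t16\t2\t539\tSecurity\tSYSTEM\tPDC1\tjdoe\tCORP\t2\tUser32\tMSV1_0\tWS17
3/12/1999\t9:15:02 AM\t16\t2\t529\tSecurity\tSYSTEM\tBDC3\tasmith\tCORP\t2\tUser32\tMSV1_0\tWS04
"""

def summarize(text):
    """Aggregate 529/539 events per account across every machine in the dump."""
    summary = defaultdict(lambda: {"failures": 0, "lockouts": 0,
                                   "dcs": set(), "workstations": set()})
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 9:          # skip blank or truncated lines
            continue
        event_id, computer, user = fields[4], fields[7], fields[8].lower()
        workstation = fields[13] if len(fields) > 13 else "?"
        rec = summary[user]
        if event_id == "529":
            rec["failures"] += 1
        elif event_id == "539":
            rec["lockouts"] += 1
        else:
            continue                 # some other event slipped into the file
        rec["dcs"].add(computer)     # which DC recorded the failure
        rec["workstations"].add(workstation)
    return dict(summary)

def alerts(summary, threshold=3):
    """Accounts worth a look: any lockout, or failures at or above threshold."""
    return sorted(u for u, r in summary.items()
                  if r["lockouts"] or r["failures"] >= threshold)

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for user in alerts(s):
        r = s[user]
        print(f"{user}: {r['failures']} failures, {r['lockouts']} lockouts, "
              f"DCs={sorted(r['dcs'])}, from={sorted(r['workstations'])}")
```

Feed it the real file with `summarize(open(r"%temp%\securityevent.txt").read())` after expanding the path; the per-account DC and workstation sets show whether a burst of failures is one user mistyping a password or a single workstation trying many accounts.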
Can you define Windows NT's user and kernel modes?
Any OS needs to separate applications from OS services. The reason is obvious: you want the OS to remain functional if an application crashes. In NT, Microsoft assigned each application its own processes and memory space, adding the restriction that no application can read or write outside of that space.
User mode and kernel mode describe privilege levels associated with the processor. In simple terms, a process running in user mode can't read or write directly to OS memory. The Virtual Memory Manager, which runs in kernel mode, maintains this isolation.
Microsoft defines a user-mode service as protected (in memory space), and the OS starts the service at boot time. Two types of these protected subsystems exist in NT 4.0: environmental, a service that supports applications written for or native to another OS (e.g., DOS), and integral, a service that performs an OS-related function (e.g., security).