Channel: Security forum

Cannot filter by user in Event Viewer security log


This was posted in the Exchange forum (because it's an Exchange server) but one of the mods thought I would have better luck posting here.

- W2K8 SP2

- E2K7 SP2

I attempt to logon to OWA (Outlook Web Access or App in E2K10) and enter an incorrect password intentionally.

This creates two "Audit Failure" entries in the security log of the mail server: Event ID 4625

I right click on the Security log and CHANGING NOTHING ELSE select "Filter Current Log" and for "Keywords" -> Audit Failure

This filters only Audit Failure entries, including my failed OWA logon attempt.

OK so far.

Now, changing nothing else once again, I enter my user name in the user box.

Click OK and... 0 entries.

????

The entry (entries) shows up in the unfiltered log.

They show up when I filter by keyword "Audit Failure".



But when I filter by name - I'm not there.

If my name was John Smith, the user name entered was "jsmith" (without quotes).

Can anyone reproduce this?

Do I have to enter the user name differently?

I also tried:

jsmith@mydomain.com (not valid) and jsmith@mydomain.local - apparently valid but no results.

If I enter jsmith (a domain account) Event Viewer does add the mydomain\jsmith - domain prefix part - but does not yield any results.
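
An added example, not part of the original post: the User box in "Filter Current Log" matches the `UserID` attribute of the event's `System/Security` element, while a 4625 event records the account that failed to log on in its `EventData` as `TargetUserName`, so filtering on that field finds the entries. The function name and the `jsmith` value are assumptions taken from the example in the post.

```powershell
# Added example. Function name and the 'jsmith' sample value are assumptions.
function Get-FailedLogonByAccount {
    param(
        [Parameter(Mandatory = $true)][string]$AccountName,  # SAM name, no domain prefix
        [int]$MaxEvents = 50
    )

    # The name goes into a single-quoted XPath literal, so refuse quotes.
    if ($AccountName -match "['`"]") {
        throw "Account name must not contain quote characters."
    }

    # Match on the account recorded in the event body, not on the
    # System/Security UserID attribute that the dialog's User box targets.
    $xpath = "*[System[EventID=4625] and " +
             "EventData[Data[@Name='TargetUserName']='$AccountName']]"

    # Get-WinEvent raises an error when nothing matches; treat that as empty.
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath `
                  -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the named EventData fields into a lookup table.
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            TimeCreated = $e.TimeCreated
            Account     = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
            LogonType   = $fields['LogonType']
            SourceIp    = $fields['IpAddress']
            Status      = $fields['Status']
            SubStatus   = $fields['SubStatus']
        } | Select-Object TimeCreated, Account, LogonType, SourceIp, Status, SubStatus
    }
}

Get-FailedLogonByAccount -AccountName 'jsmith' | Format-Table -AutoSize
```

Reading the Security log requires an elevated session. The same XPath expression can be used in the XML tab of the "Filter Current Log" dialog.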

