If you are auditing logon events you can query the domain controller security logs for NTLM logon events. You'll need to use eventcombmt or some other utility to query all DCs for these events.
Win2000 DCs record successful NTLM logons in event 680 and failed logons in event 681. Win2003 DCs record successful and failed NTLM logons in event 680.

John Roberts
JLR Technology Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Friday, March 03, 2006 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "NTLM Authentication" Security Principal

I have an interest in finding out how many of the users in our primary forest are authenticating via NTLM instead of Kerberos. I know that in Windows 2003 there is a new well-known security principal called "NTLM Authentication" which dynamically contains the list of people who authenticated via NTLM. My question is, does anyone know how to query this security principal so I could get that list of people? Even if it's an ever-changing list, a snapshot at different times would be useful to see volumes. I was thinking of comparing that list to the "This Organization" security principal so I could tell what % of authentications were NTLM.

If there's another way to do this, I'm open to suggestions as well. Thanks in advance for any comments.

Scott

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
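The tally the reply points toward, as an added example that is not part of the thread or either poster's own code: it counts NTLM logons per account from events 680 and 681 collected from several DCs, treating a 680 with a non-zero error code as a failure (the Win2003 case). The `DC|event ID|description` export layout, the description field labels and every sample record are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records (not real log data). Assumed export layout:
# "<DC>|<event ID>|<description>"; a real collection tool uses its own layout.
SAMPLE = """\
DC1|680|Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: alice Source Workstation: WS01 Error Code: 0x0
DC1|680|Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: bob Source Workstation: WS02 Error Code: 0xC000006A
DC2|680|Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Account Name: carol Workstation: WS03
DC2|681|The logon to account: dave by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: WS04 failed. The error code was: 3221225578
DC1|680|Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Alice Source Workstation: WS05 Error Code: 0x0
DC1|672|Authentication Ticket Request: User Name: erin
"""

# Assumed field labels for the account name in the 680/681 descriptions.
ACCOUNT_RE = re.compile(r"(?:Logon account|Account Name|logon to account):\s*(\S+)", re.I)
ERROR_RE = re.compile(r"Error Code:\s*(0x[0-9A-Fa-f]+)")


def classify(event_id, description):
    """Return 'success', 'failure', or None for events that are not 680/681."""
    if event_id == 681:          # Win2000 DC: failed NTLM logon
        return "failure"
    if event_id == 680:          # Win2000: success only; Win2003: either outcome
        code = ERROR_RE.search(description)
        if code and int(code.group(1), 16) != 0:
            return "failure"
        return "success"
    return None


def tally(text):
    """Count successful and failed NTLM logons per lower-cased account name."""
    ok, failed = Counter(), Counter()
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue                      # skip malformed lines
        outcome = classify(int(parts[1]), parts[2])
        account = ACCOUNT_RE.search(parts[2])
        if outcome is None or account is None:
            continue                      # any other event ID is ignored
        bucket = ok if outcome == "success" else failed
        bucket[account.group(1).lower()] += 1
    return ok, failed


if __name__ == "__main__":
    ok, failed = tally(SAMPLE)
    print("successful NTLM logons:", dict(ok))
    print("failed NTLM logons:", dict(failed))
```

Treating every 680 as a success would overcount on Win2003 DCs, which is why the error code is checked before an account is added to the success tally.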