Id. 4625 in Windows 2008 R2 Server
Hi,
I have installed a Windows 2008 R2 in my network. The server isn't DC only is a Print Server.
I've seen in the Event viewer that there are Id. 4624 event These events occur every 2 minuts. This it the event log:
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4625
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2011-01-24T09:05:38.099625000Z
EventRecordID 151033
Correlation
- Execution
[ ProcessID] 460
[ ThreadID] 1368
Channel Security
Computer SPRINTNEW.icmab.es
Security
- EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-0-0
TargetUserName PCD319F$
TargetDomainName ICMAB-CSIC
Status 0xc000006d
FailureReason %%2313
SubStatus 0xc0000064
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName PCD319F
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x0
ProcessName -
IpAddress 158.109.19.145
IpPort 50296
I saw that the source port is changing in every event. This Windows 2008 R2 is installed in Vmware ESXi Server.
Can you help me, please?
January 24th, 2011 4:28am
Hi,
Event 4625 means "An account failed to logon"
From the event, we can know that a computer, called PCD319F and the IP address is 158.109.19.145, attempted to access this computer from network by using its computer account PCD319F$ but failed because of 0xc0000064, "The specified user does not exist". As
a result, I suggest that you check why the computer keep trying to access this computer.
Hope the information is helpful.This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can
be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
January 27th, 2011 12:28am
Hi Joson,
Thanks for your answer. This event occurs with all the users in my company. This server is the print server of the company.
It is possible that the problem is here?
What is the rol of NTML package in this situation?
Thanks
January 27th, 2011 8:07am
Hi,
According to the computer name, SPRINTNEW.icmab.es, it seems that the computer is not in the same domain as PCD319F. Assume that your company domain is ICMAB-CSIC. The issue may occur if there is no trust between the domains.
It could be helpful, if you tell us more information about the environment. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can
be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
January 28th, 2011 12:36am
Hi Joson,
I think the problem is this. The domain name is ICMAB-CSIC but all the machines have their DNS suffix like icmab.es (it's an inherit domain).
Thanks!
January 28th, 2011 3:10am
Hi,
Do you mean they are two different domains?
May I know what you are trying to do? Is it possible to join the printer server to the same domain as other machines? Or could you create a trust between the domains?
For single-label domain, please refer to the following KB article:
Information about configuring Active Directory domains by using single-label DNS names
http://support.microsoft.com/kb/300684This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can
be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
January 30th, 2011 9:53pm
Hi Joson,
Thanks for your answer. The PDC is not windows system.
Now, in Local Security Policy I have configurated the level of the audit. We only are register the events that are correct. (4624 and 4634)
Thanks!
February 1st, 2011 8:21am
Hi,
After a few days, I have discovered that its an account rights problem. In the shared printer, there are rigths for the EVERYONE group, and not for Domain Users. Then, the users can be print but every user that are connected to the share printer register
an event of audit system NTLM.
I have changed the Security Settings -> Audit Policy -> Audit account logon events and Audit logon events
Thanks!
Free Windows Admin Tool Kit Click here and download it now
February 4th, 2011 6:48am