Windows Event 4625 - Not logged in Event Viewer

Hi all,

I was testing out Win2008R2 in my VM test environment. When I make a failed login attempt via RDP with a domain account, the RDP target logs an audit_failure event 4625 in the system, as well as a 4771 on the domain controller.

However, when I try this in a UAT environment on a 2012R2 server, I only receive a 4771 event and nothing on the RDP target.

I have cross-checked both servers' Local Security Policy; both "Audit account logon events" and "Audit logon events" are turned on for success and failure on both OSes.

Is there any other possibility / setting that I may have missed out?

Thanks!
Zack

June 22nd, 2015 12:06pm

Hi Zack,

Event 4771 is an authentication failure which in this case occurs at the domain controller. Event 4625 is in the Logon category which can occur at any server, domain controller or workstation.

What's your error message?

Does this happen also when another user logs to the DC over RDP?

Failed logon attempts are mostly generated by an unknown user name or bad password. You may try to check whether there are any incorrect user credentials.

You can check the link below:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625

Please note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Here is also a similar post discussed before that you could refer to.

https://social.technet.microsoft.com/Forums/en-US/afa27c0a-4dd0-4a00-be1c-048e2fe9ac75/event-id-4625-not-being-recorded-gp-audit-enabled?forum=winserverTS

Best Regards,

Mary Dong

June 23rd, 2015 3:12am

Hi Mary,

Currently we are not able to see any event log under 4625 for a failed RDP login (not found in type 10 or 3); other types of failed login, however, are able to trigger the 4625.

Right now we are trying to create this event so we can use this information to find out the source of the failed attempt, as 4771 does not provide us with enough information.

Hence we are investigating why event 4625 is not logged on the machine when we make a wrong password attempt via RDP in Win2012R2, whereas it works as required in Win2008R2.

Thanks!
Zack

June 23rd, 2015 5:31am
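
An added example, not part of the original thread: a PowerShell check to run elevated on the RDP target that prints the effective audit setting for the Logon subcategory and then breaks recent 4625 events down by logon type, the comparison described in the post above. The 24-hour look-back window and PowerShell 3.0 or later are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated session on the RDP target.
param(
    [int]$Hours = 24   # assumed look-back window
)

# 1. Effective audit setting for the subcategory that produces event 4625.
#    auditpol reports what the system is actually applying right now.
auditpol /get /subcategory:"Logon"

# 2. Pull failed-logon events (4625) from the Security log.
$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No 4625 events in the last $Hours hour(s)."
    return
}

# 3. Flatten the EventData fields so they can be grouped and filtered.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        LogonType   = $data['LogonType']
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']
    }
}

# 4. Count per logon type: shows at a glance whether type 3 or 10 appears at all.
$rows | Group-Object LogonType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 5. Most recent network (3) and RemoteInteractive (10) failures, with their source.
$rows | Where-Object { '3', '10' -contains $_.LogonType } |
    Sort-Object TimeCreated -Descending | Select-Object -First 20 |
    Format-Table TimeCreated, LogonType, User, SourceIp, Workstation, SubStatus -AutoSize
```

Running the same script on the 2008R2 and 2012R2 hosts after one deliberate bad-password RDP attempt gives a side-by-side view of which logon types each one records.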

Hi Zack,

What's the failure error code in your event 4771?

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771

For example, 0x18 normally means bad password. You could check the DNS configuration and time setup.

And maybe Kerberos logging can help you to check more information:

https://support.microsoft.com/en-us/kb/262177

Best Regards,

Mary Dong

June 23rd, 2015 11:31pm

This topic is archived. No further replies will be accepted.
