Question
Wednesday, August 1, 2018 11:46 AM
Hello
We recently had a service account locked out, and when I went to the security logs to check where the failed logons had come from, I couldn't see any "Audit Failure" events, specifically ID 4625.
When I checked the Domain Controllers GPO, I could see that Audit Logon Events was set to just Success, so I added Failure and gave group policy sufficient time to update - no change.
I've also looked at Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff and enabled Success and Failure for Audit Logon there - no change.
Running this at a command prompt shows the right settings:
C:\Windows\system32>auditpol /get /category:Logon/Logoff
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  No Auditing
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
  Group Membership                        No Auditing
We have four DCs spread across three AD sites, all running Server 2016, and we get the same behaviour on all of them.
Any suggestions, as this is quite odd?
All replies (1)
Wednesday, August 1, 2018 4:22 PM
Event ID 4625 is generated on the computer where access was attempted. If the attempt is with a domain account, you will see an authentication failure event such as 4771 or 4776 on your domain controller.
Advanced Security Audit Policy Settings: /en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772623(v=ws.10)
Additionally, you can try an auditing solution such as LepideAuditor for Active Directory or ManageEngine to track logon/logoff events easily.
Thanks for this.
I hadn't realised that 4625 is only on the client. It's been a long time since I set up audit logs and I'm a little rusty, but this is a new job and I'm still finding things that don't work as expected.
During my testing I was trying to RDP onto one of the domain controllers (or use the console through Hyper-V) with incorrect credentials, and also using my Windows 10 client PC to try to generate some events by failing to log on locally.
I'm getting 4625 on the client but nothing at all on the DCs, including 4771/4776.
I'll try the "Audit: Force audit policy subcategory settings (Windows Vista or later)" setting and see if that makes any difference.
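The reply above puts the failed-logon evidence for a domain account in two places: 4625 on the computer where the logon was attempted, and 4771 (Kerberos pre-authentication failure) or 4776 (NTLM credential validation failure) on the domain controller. One caveat worth checking before the "Force audit policy subcategory settings" change: 4771 is produced by the "Kerberos Authentication Service" subcategory and 4776 by "Credential Validation", both in the Account Logon category, so the Logon/Logoff policy shown in the question does not control them. The following PowerShell is an added example, not code from the original thread or from Microsoft; the account name, DC names and client name are assumed placeholders. It checks the effective Account Logon policy and the SCENoApplyLegacyAuditPolicy registry value on a DC, then pulls the failure events for one account from the DCs and from the client.

```powershell
# Added example, not code from the original thread. The names below are assumptions.
$Account = 'svc-example'                   # assumption: the locked-out service account
$Dcs     = 'DC01', 'DC02', 'DC03', 'DC04'  # assumption: the four domain controllers
$Client  = 'WS01'                          # assumption: the machine the logon was attempted from
$Since   = (Get-Date).AddHours(-24)

# 1. Effective audit policy on a DC. 4771 comes from "Kerberos Authentication
#    Service" and 4776 from "Credential Validation", both under Account Logon.
#    While SCENoApplyLegacyAuditPolicy is 1 (the "Force audit policy subcategory
#    settings" policy is enabled) the legacy "Audit logon events" category
#    setting is ignored and only the subcategory settings apply.
Invoke-Command -ComputerName $Dcs[0] -ScriptBlock {
    auditpol /get /category:"Account Logon"
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
}

# 2. Pull the failure events for one account and normalise the fields that say
#    where the attempt came from.
function Get-AuthFailure {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [int[]]    $Id,
        [Parameter(Mandatory)] [string]   $Account,
        [Parameter(Mandatory)] [datetime] $StartTime
    )
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = $StartTime
    } | ForEach-Object {
        # EventData fields are easier to read from the event XML than from the rendered message
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data['TargetUserName'] -ne $Account) { return }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = $_.MachineName
            Id       = $_.Id
            Account  = $data['TargetUserName']
            # 4776 records the workstation name; 4771 and 4625 record the source IP address
            Source   = if ($_.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
            # 4771: 0x18 = bad password. 4776: 0xC000006A = bad password, 0xC0000234 = locked out.
            # 4625: SubStatus 0xC000006A = bad password.
            Status   = if ($data['SubStatus']) { $data['SubStatus'] } else { $data['Status'] }
        }
    }
}

# On the DCs: Kerberos pre-authentication failures (4771) and NTLM validation failures (4776)
$dcEvents = foreach ($dc in $Dcs) {
    Get-AuthFailure -ComputerName $dc -Id 4771, 4776 -Account $Account -StartTime $Since
}
# On the client: the 4625 that is only written where the logon was attempted
$clientEvents = Get-AuthFailure -ComputerName $Client -Id 4625 -Account $Account -StartTime $Since

$dcEvents + $clientEvents | Sort-Object Time |
    Format-Table Time, Computer, Id, Account, Source, Status -AutoSize
```

If the first step shows "Kerberos Authentication Service" and "Credential Validation" without Failure auditing, no 4771 or 4776 will be written on the DCs regardless of the Logon/Logoff settings; enabling Failure for those two subcategories in the Domain Controllers policy is the change to test. Reading the remote Security logs needs an account with event log read rights on each host.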