What is Event ID 4625: An Account Failed to Log On
Are you seeing a lot of event ID 4625 (An account failed to log on) in your Domain Controller's Security logs and unsure what it means or how to resolve it? In this article, we explain everything you need to know about this Active Directory security event and how to fix the issue that triggers it.
First, we discuss the causes and various properties of Event ID 4625. This security event log provides information about the type of logon attempt, user account information, logon process, failure reason, client address, and event status and sub-status codes.
Next, we explain how to interpret these properties and use them to determine the root cause of the error that triggered the event log. This involves checking the username and password, account status, group membership, network connectivity, and related security events.
Once you have identified the problem, we also provide some general steps to fix event ID 4625. This may involve resetting passwords, re-enabling disabled accounts, adjusting group policies, troubleshooting network connectivity, or scanning for malware.
So, if you’re seeing a lot of event ID 4625 in your Domain Controller Security logs and want to fix the issue, keep reading to find out how!
Potential Causes of Event ID 4625: An Account Failed to Log On
The first step to troubleshooting and fixing the cause of event ID 4625 is to understand what could cause a user, service, or computer account to fail to log on. Here are the top reasons that may generate event ID 4625:
- Incorrect username or password: if a user enters a wrong password, the logon fails, and the computer the user attempted to sign in to logs event ID 4625.
Likewise, if the password configured for a service account is wrong, authentication fails when the service tries to authenticate to AD, and the Domain Controller also registers this event.
- The user account has expired: when an admin creates an AD account, they can set it to expire on a specified date.
If an Active Directory user attempts to use an expired account to sign in to AD, the user is denied access. Then, the Domain Controller logs an event ID 4625.
- The account that attempted login has been disabled.
- The user is restricted from logging on to a computer: did you know that, as an admin, you can use group policy to prevent a user or group from logging on to a computer?
This is done using the “Deny log on locally” policy. If this policy is applied to a user and they try to log in to the computer, they are denied access.
When a user is denied access because of this policy, the computer registers event ID 4625 in its local Security event log.
Understanding the Properties of Event ID 4625: An Account Failed to Log On
When this event is logged in the Security event log, it typically includes information about the user account that failed to log on, the type of logon attempt, and the reason for the failure. This information helps you troubleshoot the issue and determine the appropriate action to fix the problem.
However, to use the information in the event log, you need to understand the relevant properties of the event ID and what they mean.
Note that this event has numerous properties, but we discuss only the ones you need in order to work out why an account failed to log on to the domain.
Event ID 4625 Logon Type
The Logon Type is your starting point for determining why AD denied a user or service access (more on how to use this information in the next section).
Get the event Logon Type by looking into the details of the event log.
Unfortunately, as shown in the highlighted portion of the screenshot above, the Windows Event log records the Logon Type as a number. So, for this information to be useful for troubleshooting, you must know what the numbers mean.
Fortunately, Microsoft has a page for this event log – 4625(F): An account failed to log on – that explains the logon types and their meaning.
For example, my screen above shows that Logon Type 5 triggered the event ID 4625. From the Microsoft page, this means a service account initiated the logon that triggered the event.
Event ID 4625 User Account Information
Once you have identified the Logon Type of the event that triggered the Event ID 4625, the next crucial information in the event log is the user information. Locate this information in the “Account For Which Logon Failed:” section of the event log.
In this section, you find 3 pieces of information, but the most important one is the Account Name. If you are managing a multi-domain AD Forest, it is also essential to take note of the Account Domain. By keeping track of these details, you are better equipped to troubleshoot failed logon attempts.
Event ID 4625 Failure Information
The Failure information property of event ID 4625 has 3 sub-properties: Failure Reason, Status Code, and Sub Status Code. While the “Failure Reason” gives you superficial information, for example, “Unknown user name or bad password,” the status code provides a specific reason for the failure.
This information is essential because “Unknown user name or bad password” may not necessarily mean the user entered an incorrect user name or password.
However, as shown in the highlighted part of the above screenshot, the status code is a hexadecimal value that you must interpret before you can use it. To learn about the status codes and their meaning, visit the event ID 4625 status codes link.
Based on Microsoft’s information in the previous link, the status code in my screenshot – 0xC000006D – means “The attempted logon is invalid. This is either due to a bad username or authentication information.”
This information is still ambiguous. For a more specific reason for the logon failure, check the meaning of the event's sub-status code.
Read about the sub status codes in the same link I provided earlier – event ID 4625 status codes. When I looked up the sub status code shown in my event 4625, it says “The specified account does not exist.”
There is my answer: the account the user attempted to log on with does not exist in Active Directory.
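The three properties above (Logon Type, the account for which logon failed, and the Status/Sub Status codes) are all stored as raw values in the event's XML. The following PowerShell function is an added example, not code from the original article or from InfraSOS, that reads recent 4625 events from the Security log and decodes those values with the meanings Microsoft documents on the 4625(F) page. It assumes it is run in an elevated session on the Domain Controller (or with rights to read its Security log remotely); the function name, parameter names and the subset of codes in the lookup tables are choices made for this example.

```powershell
# Added example: decode Logon Type, Status and Sub Status of recent 4625 events.
# Assumes an elevated session with read access to the Security log.

# Logon types as documented on Microsoft's 4625(F) page.
$LogonTypes = @{
    2  = 'Interactive (console logon)'
    3  = 'Network (e.g. SMB share access)'
    4  = 'Batch (scheduled task)'
    5  = 'Service (started by the Service Control Manager)'
    7  = 'Unlock (workstation unlock)'
    8  = 'NetworkCleartext (credentials sent in clear text)'
    9  = 'NewCredentials (RunAs /netonly)'
    10 = 'RemoteInteractive (RDP / Terminal Services)'
    11 = 'CachedInteractive (cached domain credentials)'
}

# NTSTATUS values used in the Status and Sub Status fields of 4625. PowerShell
# hashtable keys are case-insensitive, so the lower-case hex in the event XML
# still matches these keys.
$NtStatus = @{
    '0xC000005E' = 'No logon servers available to service the logon request'
    '0xC0000064' = 'The specified account does not exist'
    '0xC000006A' = 'User name is correct but the password is wrong'
    '0xC000006D' = 'The attempted logon is invalid: bad user name or authentication information'
    '0xC000006E' = 'Unknown user name or bad password (account restriction)'
    '0xC000006F' = 'Logon attempted outside authorized hours'
    '0xC0000070' = 'Logon attempted from an unauthorized workstation'
    '0xC0000071' = 'Password has expired'
    '0xC0000072' = 'Account is disabled'
    '0xC0000133' = 'Clocks between DC and client are too far out of sync'
    '0xC000015B' = 'User has not been granted the requested logon type on this machine'
    '0xC0000193' = 'Account has expired'
    '0xC0000224' = 'User must change password at next logon'
    '0xC0000234' = 'Account is locked out'
    '0xC00002EE' = 'An error occurred during logon'
}

function Resolve-Code {
    # Look a key up in a table and fall back to a clear marker when undocumented.
    param($Table, $Key)
    if ($null -ne $Key -and $Table.ContainsKey($Key)) { $Table[$Key] } else { 'Undocumented - look it up' }
}

function Get-FailedLogonDetail {
    [CmdletBinding()]
    param([int]$MaxEvents = 50)

    $filter = @{ LogName = 'Security'; Id = 4625 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Note: FailureReason in the raw XML is a %%nnnn resource placeholder;
            # the decoded Sub Status below is the precise reason, as the article explains.
            $type = [int]$data.LogonType
            [pscustomobject]@{
                TimeCreated      = $_.TimeCreated
                Account          = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                LogonType        = $type
                LogonTypeName    = Resolve-Code $LogonTypes $type
                Status           = $data.Status
                StatusMeaning    = Resolve-Code $NtStatus $data.Status
                SubStatus        = $data.SubStatus
                SubStatusMeaning = Resolve-Code $NtStatus $data.SubStatus
                SourceIp         = $data.IpAddress
                Workstation      = $data.WorkstationName
                LogonProcess     = $data.LogonProcessName
            }
        }
}

# Usage: the 20 most recent failures, with the columns that matter for triage.
Get-FailedLogonDetail -MaxEvents 20 |
    Format-Table TimeCreated, Account, LogonTypeName, SubStatusMeaning, SourceIp -AutoSize
```

For the event shown in the article, this would report a LogonTypeName of "Service", a Status meaning of "The attempted logon is invalid..." and a SubStatus meaning of "The specified account does not exist", which is the same conclusion reached above by looking the codes up by hand.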
How to Troubleshoot and Fix Event ID 4625
To address the issue, you need to take a systematic approach to troubleshoot the root cause of the failed logon attempts.
Follow the general guidelines below to troubleshoot and fix the event ID 4625: An Account Failed to Log On.
Step 1: Review the Information in the Event Log
Using the three properties discussed in the last section, gather the following information from the event log:
- Logon Type
- The Account For Which Logon Failed
- Failure Reason
- Status and Sub Status codes and their meaning
In my case, I recorded the following:
- Logon Type: 5 – a service account initiated the logon that triggered the event.
- The Account For Which Logon Failed: ADSyncMSA817b9$
- Failure Reason: Unknown user name or bad password.
- Status and Meaning: 0xC000006D – The attempted logon is invalid. This is either due to a bad username or authentication information.
- Sub Status and Meaning: 0xC0000064 – The specified account does not exist.
Step 2: Take Appropriate Steps to Resolve the Cause of Event ID 4625
Now that you have identified the account that caused the DC to record Event ID 4625, it is time to take action and resolve the issue. For instance, where a service account such as ADSyncMSA817b9$ is attempting to authenticate to the AD domain but the account does not exist, there are several steps to fix the problem.
First, identify the service that uses this account and then create the missing account in AD. Once you have created the account, enter the necessary details in the application that is making the authentication request. This allows the service to authenticate to the AD domain without issues.
General Guidelines to Fixing Event ID 4625
Here are some specific situations that could trigger Event ID 4625, along with some recommended actions to fix the problem:
1. Event log 4625 indicates that the failed logon attempt was due to an incorrect username or password: double-check the username used for logging on. If the username is correct, try resetting the user's password and attempting to log on again.
2. The event log indicates that the user account is disabled or expired: check the account status in Active Directory Users and Computers or use another suitable AD tool. If the account is disabled, re-enable it.
If the account is expired, extend the expiration date or create a new account for the user.
3. Event log 4625 shows that the user is not permitted to log on to a computer: first, remove them from the group to which the "Deny log on locally" policy applies.
Alternatively, adjust the group policy to allow logon access for the group.
4. The event log indicates that the failed logon attempt was due to network connectivity issues: troubleshoot any network connectivity problems (firewalls or network routing issues).
5. Check the event logs for related events, such as authentication failures or security events, that might provide additional information about the failed logon attempt.
6. If there are multiple failed logon attempts from the same user account, it could be a sign of a hacking attempt or malware infection. Perform a full malware scan and investigate further.
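Guidelines 5 and 6 above call for looking at related events and for spotting repeated failures from the same account. The following PowerShell function is an added example, not code from the original article or from InfraSOS, that summarises 4625 events from a recent time window per account and source address, flags accounts whose failure count exceeds a threshold, and checks whether the same account also appears in a 4740 (account locked out) event in that window. The time window, threshold and function name are assumptions for this example; tune the first two to your environment.

```powershell
# Added example: summarise recent 4625 events per account and source address,
# flag repeated failures, and correlate with 4740 lockout events.
# Assumes an elevated session with read access to the DC's Security log.

function Get-FailedLogonSummary {
    [CmdletBinding()]
    param(
        [int]$Hours = 4,        # assumed look-back window
        [int]$Threshold = 10    # assumed count that warrants investigation
    )
    $since  = (Get-Date).AddHours(-$Hours)

    # One row per 4625 event with the fields needed for grouping.
    $rows = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                SourceIp  = $data.IpAddress
                LogonType = $data.LogonType
                SubStatus = $data.SubStatus
            }
        }

    # Account names locked out (event 4740) in the same window, for correlation.
    $lockedOut = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object Name -eq 'TargetUserName' |
                ForEach-Object '#text'
        }

    $rows | Group-Object Account, SourceIp | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        $first  = $sorted | Select-Object -First 1
        $last   = $sorted | Select-Object -Last 1
        $sam    = ($first.Account -split '\\')[-1]   # strip the domain prefix
        $flag   = if ($_.Count -ge $Threshold) { 'INVESTIGATE' } else { '' }
        [pscustomobject]@{
            Account     = $first.Account
            SourceIp    = $first.SourceIp
            Failures    = $_.Count
            FirstSeen   = $first.Time
            LastSeen    = $last.Time
            LogonTypes  = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            SubStatuses = ($_.Group.SubStatus | Sort-Object -Unique) -join ','
            LockedOut   = [bool]($lockedOut -contains $sam)
            Flag        = $flag
        }
    } | Sort-Object Failures -Descending
}

# Usage: failures in the last 4 hours, busiest account/source pairs first.
Get-FailedLogonSummary -Hours 4 -Threshold 10 | Format-Table -AutoSize
```

A single account failing many times from one source with Sub Status 0xC000006A (wrong password) usually points at a stale credential in a service, scheduled task or mapped drive on that host, whereas many distinct accounts failing from the same source is the pattern worth escalating as a possible attack, so the SourceIp and SubStatuses columns are the ones to read first.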
What is Event ID 4625: An Account Failed to Log On Conclusion
In general, fixing Event ID 4625 requires careful analysis of the information provided in the event log and a systematic approach to troubleshooting the issue. Following the steps discussed in this article, you should be able to successfully troubleshoot and fix the issues behind event ID 4625: An Account Failed to Log On.
By doing so, you improve the security of your Active Directory infrastructure and prevent further failed logon attempts.