Event ID 4624 (viewed in Windows Event Viewer) documents every successful attempt at logging on to a local computer. This event is generated on the computer that was accessed, in other words, where the logon session was created. A related event, Event ID 4625, documents failed logon attempts.
Windows Event ID 4625 - Failed logon
Event ID 4625 (viewed in Windows Event Viewer) documents every failed attempt at logging on to a local computer. This event is generated on the computer from where the logon attempt was made. A related event, Event ID 4624, documents successful logons.
Domain Password Policies: Configuring and Auditing Correctly!
Over the past 14 years, I have been around the world helping admins, auditors, and security professionals understand how the domain password policy works in Active Directory. The default behavior has not changed in those 14 years, so you can imagine how many people I have helped, not to mention how many times I have spoken about it.
Autoarchiving Security Logs in Event Viewer
A small, nearly hidden feature of the Event Viewer by Microsoft is the ability to autoarchive the logs. Of course, one of the most important Event Viewer logs is the security log. For years, we have had to develop solutions or acquire software to help archive the security log when it fills up; but now, that is no longer necessary.
Tracking Down Locked Out Service Accounts
We all have services running on our servers. Many of these services require Active Directory user accounts, which are referred to as service accounts. These service accounts are essential, as they allow services to perform their duties. However, when a service account fails to authenticate back to a domain controller, many issues can arise. If the service account fails to authenticate too many times, the user can then be locked out.