How to find the source of failed logon attempts

Auditing logon events in Active Directory (AD) is a mandatory task. The reason is obvious. Any anomaly in the audit report will help us detect security risks in multiple ways. An employee's account getting locked out after multiple logon failures is a threat to the company's data security.

A failed logon attempt can be flagged as one of the biggest security threats. A login failure could just be an employee who has forgotten their credentials. In an extreme scenario, it could be a hacker trying to enter the network through an employee's legitimate account.

Hence, it is important to track failed login attempts at all times. It can be done in AD using Audit Policy, however ADAudit Plus offers a simpler solution. ADAudit Plus, an Active Directory auditing and reporting tool has 200+ pre-packaged audit reports and failed logon events is one of them. A few clicks and you have detailed reports on all the important Active Directory events.

Here is a comparison on finding failed logon attempts in native AD and using ADAudit Plus.

Download for FREE Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

ADAudit Plus is real-time, web-based Windows Active Directory change reporting software that audits, tracks and reports on Windows (Active Directory, workstations logon/logoff, file servers and servers), NetApp filers and EMC servers to help meet the most-needed security, audit and compliance demands. Track authorized/unauthorized AD management changes, access of users, GPO, groups, computer and OU. Also, track every file and folder modifications, access and permissions changes with 200+ detailed event-specific reports and instant emails alerts. These reports can be exported into XLS, HTML, PDF and CSV formats to assist in interpretation and computer forensics.

ADAudit Plus lets administrators see all failed logon attempts with information on who attempted to log on, what machine they attempted to log on to, when, and the reason for the logon failure.

  • Login to ADAudit Plus ➔ Go to the Reports tab ➔ Under User Logon Reports ➔ Navigate to Logon Failures.

  • Select the Domain.

  • Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

  • The details you can get in this report are:

    1. User Name of that account that had a logon failure.

    2. IP address of the user.

    3. The time when the logon failure happened.

    4. The computer or server in which the failure took place.

    5. Logon failure Reason.

With native auditing, here is how you can track failed logon attempts.

  • Step 1: Enable auditing for logon failure?
  • Logon to your domain controller with administrative privileges and launch the Group Policy Management console.

  • Right-click the appropriate Group Policy Object linked to the Domain Controllers container and select Edit.

  • Expand the Computer Configuration → Windows Setting → Security Settings → Local Policies → Audit Policy node.

  • Configure audit policies as follows:

    1. Account Management: Success

    2. Audit account logon events: Failure

    3. Audit logon events: Failure

  • Step 2 – View events using Windows Event Viewer

    After enabling the auditing, you can use Event Viewer to see the logs and investigate events. Follow the below mentioned steps:

  • Open Event Viewer

  • Expand Windows Logs > Security

  • Create a custom view for Event ID 4625. This ID stands for login failure.

  • Double click on the event. You can view detailed information about the activity such as account name, date and time of login failure.

Native auditing becoming a little too much?

Simplify Active Directory auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request Support


One of our solution experts will get in touch with you shortly.

    Please enter business email address
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.