How to find the reason for failed logon attempts

Auditing logon events is one of the most important tasks for administrators. They tend to miss significant logon events such as a failed logon attempt by unauthorized users due to alert fatigue. To spot malicious intrusions, it is essential to analyze the reason behind the failed logon attempts and ascertain if the attempt was a legitimate one or otherwise.

This article elaborates the ways of finding the logon failure reason using native AD tools and ManageEngine ADAudit Plus, a real-time AD auditing solution.

Download for FREE Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

ADAudit Plus has a simple and straightforward method to get the reason behind logon failures.

You need to enable auditing for the logon events for ADAudit Plus to capture and analyze those events. Check out the first step of the previous section.

Once you enable auditing, follow the below steps to get reports on logon failures using ADAudit Plus

  • Login to ADAudit Plus web console.

  • Click on the Reports tab, navigate to User Logon Reports and select Logon Failures.

  • This report helps administrators verify the reason for the logon failure. Based on the reason, the administrator can decide whether it is a potential security threat or not.

    ADAudit Plus can generate clear, user-friendly reports for all the important events in the domain and also has a real-time alert feature which alerts the admins in case of any unanticipated activity. Explore other capabilities of ADAudit Plus here.

Here is how you can find the reason for failed logon attempts in native AD.

  • Step 1: Enable 'Audit Logon Events' policy
  • Open 'Server Manager' on your Windows server.

  • Under the 'Manage' tab, select 'Group Policy Management' to view the 'Group Policy Management Console'.

  • Navigate to Forest>Domain>Your Domain>Domain Controllers.

  • Either create a new group policy object or you can edit an existing GPO.

  • In the group policy editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

  • In Audit policies, select 'Audit logon events' and enable it for 'Failure'.

  • Step 2: Use Event Viewer to find the reason for the logon failure

    Once Audit Policy is enabled, the Event Viewer records those events against their respective event IDs. Look for event ID 4625 that denotes a failed logon attempt.

    Run a filter for event ID 4625 to get a list of all the failed logon attempts recorded in the Event Viewer. Right-click on the relevant event and select Event Properties. Scroll down the General information of the event to verify the reason for the failed logon.

    You will have to repeat this process multiple times to ascertain the reason for each failed logon attempts.

Native auditing becoming a little too much?

Simplify Active Directory auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request Support


One of our solution experts will get in touch with you shortly.

    Please enter business email address
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.