Logon Logoff Event: 4625

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Logon Logoff » Logon Logoff Event: 4625

Event ID 4625 – An Account Failed To Log On

Event ID 4625
Category Logon/Logoff
Sub-Category Audit Logon; Audit Account Lockout
Type Failure Audit
Description An account failed to log on.

Event 4625 is generated when a user fails to logon. The hexadecimal status and sub-status codes generated when the event is registered provide information on why the logon failure occurred.

Codes Failure reason
0xC0000064 User logon with misspelled or bad user account
0xC000006A User logon with misspelled or bad password
0xC0000234 User logon with locked account
0xC0000072 User logon to account disabled by admin
0xC000006F User logon outside authorized hours
0xC0000070 User logon from an unauthorized workstation
0xC0000193 User logon with expired account
0xC0000071 User logon with expired password
0xC0000133 Clocks between DC and other computer too far out of sync
0xC0000224 User is required to change password at next logon
0xC0000225 Evidently a bug in Windows and not a risk
0xc000015B The user has not been granted the requested logon type (aka logon right) at this machine

This log data provides the following information:

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID

Why does event ID 4625 need to be monitored?

  • To detect brute-force, dictionary, and other password guess attacks
  • To detect abnormal and possibly malicious internal activity
  • To come up with a benchmark for the account lockout threshold policy
  • To ensure compliance with regulatory mandates

Pro Tip:

With in-depth reports, real-time alerts, and graphical displays, ADAudit Plus tracks logon failures, helping you meet your security, operational, and compliance needs with absolute ease.

Event 4625 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10

Corresponding events in Windows 2003 and before: 529, 530, 531, 532, 533, 534, 535, 536, 537 and 539

Explore Active Directory auditing and reporting with ADAudit Plus.

  •  
  •  
  •  
  • By clicking 'Schedule a personalized demo' you agree to processing of personal data according to the Privacy Policy.
Account Management Auditing
Active Directory Auditing
Windows Server Auditing