Event ID 4625 – An Account Failed To Log On
Event ID | 4625 |
Category | Logon/Logoff |
Sub-Category | Audit Logon; Audit Account Lockout |
Type | Failure Audit |
Description | An account failed to log on. |
Event 4625 is generated when a user fails to logon. The hexadecimal status and sub-status codes generated when the event is registered provide information on why the logon failure occurred.
Codes | Failure reason |
0xC0000064 | User logon with misspelled or bad user account |
0xC000006A | User logon with misspelled or bad password |
0xC0000234 | User logon with locked account |
0xC0000072 | User logon to account disabled by admin |
0xC000006F | User logon outside authorized hours |
0xC0000070 | User logon from an unauthorized workstation |
0xC0000193 | User logon with expired account |
0xC0000071 | User logon with expired password |
0xC0000133 | Clocks between DC and other computer too far out of sync |
0xC0000224 | User is required to change password at next logon |
0xC0000225 | Evidently a bug in Windows and not a risk |
0xc000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
This log data provides the following information:
- Security ID
- Account Name
- Account Domain
- Logon ID
Why does event ID 4625 need to be monitored?
- To detect brute-force, dictionary, and other password guess attacks
- To detect abnormal and possibly malicious internal activity
- To come up with a benchmark for the account lockout threshold policy
- To ensure compliance with regulatory mandates
Pro Tip:
With in-depth reports, real-time alerts, and graphical displays, ADAudit Plus tracks logon failures, helping you meet your security, operational, and compliance needs with absolute ease.
Event 4625 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10
Corresponding events in Windows 2003 and before: 529, 530, 531, 532, 533, 534, 535, 536, 537 and 539
Explore Active Directory auditing and reporting with ADAudit Plus.
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools