Event ID 4625 logged by msdpm.exe process DPM 2010 RRS feed

  • Question

  • My two DPM 2010 servers are logging Event ID 4625 sporadically and thereby locking out MY user account.

    I installed the two servers but there are no services, etc running under my user account.

    This is a confusing error as it doesn't even happen every time the msdpm.exe process starts.

    Any help in troubleshooting would be appreciated!

    Tuesday, February 21, 2012 7:54 PM

All replies

  • What is the description of event 4625?

    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights

    Tuesday, February 21, 2012 9:04 PM
  • Hi,

    Agree with Wilson, would like to the description of event 4625. But in the meantime could you check in the SQL Server logs if there are any access denied errors?


    Bart Timmermans

    KPN Consulting - Technical Consultant Mark as Answer, if it is answer for your Question. Vote as Helpful, if it is helpful to you.

    Tuesday, February 21, 2012 9:22 PM
  • I would like to note that I am seeing this aswell.  4625 events are bad password/failed authentication, see below.  I have confirmed it is one of my DPM 2010 servers as I can track the 4740 events on the domain controllers and see the server where the lockout is coming from.  Again, no services attached to the username and have not changed the password.  Multiple reboots have been performed. 

    Event 4625 Event Detail:

    An account failed to log on.

    Security ID: SYSTEM
    Account Name: SERVERNAME_MASKED$
    Account Domain: DOMAINNAME_MASKED
    Logon ID: 0x3e7

    Logon Type: 2

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a

    Process Information:
    Caller Process ID: 0xd00
    Caller Process Name: C:\Program Files\Microsoft DPM\DPM\bin\msdpm.exe

    Network Information:
    Workstation Name: SERVERNAME_MASKED
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Rob McShinsky (

    VirtuallyAware - Experiences in a Virtual World (Microsoft MVP - Virtual Machine)

    Wednesday, February 22, 2012 5:48 PM
  • I'm also seeing this on our DPM2010.  My credentials are being used by the msdpm.exe process, and subsequent Audit Failure in the security log with event ID 4625.  As mentioned, there are no processes that are running in my user context.
    Tuesday, February 28, 2012 10:55 PM
  • Hi Folks,

    I've worked with a couple of DPM users and the following steps have fixed the issue:

    1. Ensure you are logged out of the primary DPM Server

    2. Remove and Re-install the agent on the Primary DPM Server from the secondary.

    I've been unable to repro this, but I can confirm that this has fixed 2 seperate occurences out in the wild.

    Hope this helps - please mark as so , if it does.

    Wednesday, April 18, 2012 3:01 PM
  • Hi,

    Check this, most likely invalid credentials for the SmtpUserName for notifications.

    The SmtpUserName had Domain\Username and a SmtpPassword entry under the following registry key.
         HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Notification

    Once you delete the SmtpUserName and SmtpPassword entries under the following registry key, the nag events will go away.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Notification

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, February 14, 2013 12:07 AM
  • Thanks Mike,

    That appears to have done the trick.


    Saturday, February 16, 2013 9:09 PM