EventID 4625 - Failure Audits / Logon Failure / SBSMonAcct@domain.local

  • Question

  • Hello There,

    Lately we receive many failure audits on our clients' servers with event id 4625 (bad username or password). This event is generated for the user account SBSMonAcct@domain.local. As far as I know and Google told me, this account is used for gathering events from the available servers. Things we have tried to resolve the issue:

    • Disabled the account to see if events are still generated (Events are still generated whilst disabled)
    • Renamed the account (Events are still generated)

    There is a recurring pattern in the generation of the errors: every half an hour a few events are generated. Below you'll find the generated event. Is there anybody who could help me explain this error and how we can stop the failure audit from occurring every half an hour? If you need any information, please let me know!

    Thanks in advance!

    Onderwerp:
                   Beveiligings-id:              NULL SID
                   Accountnaam:                  -
                   Accountdomein:                -
                   Aanmeldings-id:               0x0

    Aanmeldingstype:                             3

    Account waarvoor het aanmelden is mislukt:
                   Beveiligings-id:              NULL SID
                   Accountnaam:                  SBSMonAcct@beusichem.local
                   Accountdomein:

    Gegevens over mislukte bewerking:
                   Reden van mislukken:          Onbekende gebruikersnaam of ongeldig wachtwoord.
                   Status:                       0xc000006d
                   Substatus:                    0xc000006a

    Procesgegevens:
                   Proces-id van aanroeper:      0x0
                   Procesnaam van aanroeper:     -

    Netwerkgegevens:
                   Naam van werkstation:         SBS2008
                   Netwerkadres van bron:        192.168.95.4
                   Poort van bron:               6704




    I have not failed. I've just found 10,000 ways that won't work.
    Friday, May 27, 2011 7:52 AM

Answers

  • Check that there is no service / application running using this account on the mentioned workstation. It is possible that a service / application is using this account with a wrong password.

     


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration

    Friday, May 27, 2011 3:23 PM
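
One way to carry out the check suggested in this answer, as an added example that is not part of the original thread. It summarises the 4625 events for the account, then lists services that log on with it, and goes one step further than the answer by also searching scheduled tasks; the variable names are illustrative, and it assumes PowerShell 2.0 or later in an elevated session on the server that logs the failures.

```powershell
# Added example. Run elevated on the server that records the 4625 events.
$account = 'SBSMonAcct'   # account name from the event in the question

# NTSTATUS sub-status values that event 4625 commonly reports
$subStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

# 1. Read recent 4625 events through their XML, whose field names stay the
#    same whatever display language the server uses.
$failures = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
        -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -like "*$account*") {
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                Workstation = $d['WorkstationName']
                SourceIp    = $d['IpAddress']
                LogonType   = $d['LogonType']
                Process     = $d['ProcessName']
                Meaning     = $subStatusText[[string]$d['SubStatus']]
            }
        }
    })

# Who is failing, from where, and why
$failures | Group-Object Workstation, SourceIp, LogonType, Process, Meaning |
    Sort-Object Count -Descending | Select-Object Count, Name

# Minutes between consecutive failures; one dominant value points to a timer-driven job
$times = @($failures | Sort-Object Time | ForEach-Object { $_.Time })
$gaps = for ($i = 1; $i -lt $times.Count; $i++) { [math]::Round(($times[$i] - $times[$i - 1]).TotalMinutes) }
$gaps | Group-Object | Sort-Object Count -Descending | Select-Object -First 5 Count, Name

# 2. Services configured to log on with the account
Get-WmiObject Win32_Service | Where-Object { $_.StartName -like "*$account*" } |
    Select-Object Name, StartName, State

# 3. Scheduled tasks that mention the account in any column
#    (column headers are localized, so every value is searched)
schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { @($_.PSObject.Properties | ForEach-Object { $_.Value }) -like "*$account*" }
```

In the event posted in the question the caller process name is "-" and the logon type is 3, so the workstation name and source address are the fields that identify where the attempt comes from.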

All replies

  • Hello Joey,

     

    I recently got the same error on a newly installed network.
    Did you solve this issue and if so, what was your solution?

    Thanks in advance,

     

    Lando

    Tuesday, November 15, 2011 2:38 PM
  • I'd like to revive this post.  I am running SBS2011 with all applicable updates.  This account, SBSMonAcct, is constantly throwing audit fails.  The account is disabled, has been since the beginning, and I see a whole lot in my audits that enable this account, change the membership, etc. but it continues to fail the logon process due to bad password, so much in fact it keeps getting locked out of the system.

    No services use this account and the account access is initiated only on my SBS, no other server.

    How do I fix this or suppress it if it is innocuous as some other research has indicated?

    To make a note, this account was created about 2 weeks after go-live with the new SBS.

    Thursday, January 19, 2012 8:45 PM
  • I too have a similar issue with this account in an SBS2011 network. One client PC in that network has multiple (ca. 370) failed logins from this account into the client.

    This is a default SBS2011 account and we didn't change any passwords etc. (or this error would be on all the other workstations too). Why the account cannot log into a domain computer anymore, I don't know...

    What is this account used for? My research shows me that this account is used to monitor the clients (reporting)?

    Is there a solution out there?


    • Edited by BR0KK Tuesday, July 23, 2019 7:36 AM
    Monday, July 22, 2019 9:51 AM