Account lockout event id and failed logins

  • Question

  • Hi all,

    I am trying to work out where events such as 4625 and 4740 are generated. Is 4625 generated on member clients and servers as well as domain controllers?

    4740 account lockout, is that just on the PDC, or also on member clients and servers?

    Wednesday, September 19, 2018 7:21 PM

Answers

  • Hi,

    I am glad to hear that you cleared up your confusion. Could you please mark it as the answer if my answer is helpful to you, which will help other community members when they encounter the same issue?

    If there is anything else I could do for you, please feel free to let me know.

    Best regards

    Julie 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 26, 2018 3:18 AM
    Moderator

All replies

  • Hi,

    You can find these events in the Security log of the Domain Controller (if audit policy is enabled) that the user was connected to when he/she got locked out.

    There's a handy tool called LockoutStatus.exe that you can use to enter the username of the user who got locked out and then it will show you at which time it got locked out and on which Domain Controller.

    Download the tool from here:
    https://www.microsoft.com/en-us/download/details.aspx?id=18465

    Here's also a decent guide on how to track down user logons when they get locked out:
    https://4sysops.com/archives/active-directory-auditing-track-user-logons/

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com


    • Edited by Leon Laude Thursday, September 20, 2018 7:22 AM
    Wednesday, September 19, 2018 7:48 PM

  • Hi,

    Thank you for posting in our forum.

    According to my test and knowledge, Event 4625 is generated on the computer where the logon attempt was made. For example, if the logon attempt was made on the user's workstation, then the event will be logged on this workstation. If we log on to DCs and servers, it will be generated on the DCs and servers, but on the condition that the logon/logoff audit policy is configured.

    For more details, we could refer to the following link:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

    For Event 4740, for a domain user, it is generated on the PDC only. For a non-domain user, it is generated on the PC where the user logs on.

    For more details, please refer to the following link:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740

    Gentle reminder: Event Viewer needs to be run as administrator.

    Hope my information could help you.

    Best regards

    Julie




    Thursday, September 20, 2018 6:29 AM
    Moderator
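
The event locations described in the reply above can be checked with a short PowerShell script. This is an added example, not part of the original thread; it assumes the ActiveDirectory (RSAT) module, rights to read remote Security logs, and enabled logon/lockout auditing, and the account name `jdoe` is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Assumptions: ActiveDirectory (RSAT) module,
# permission to read remote Security logs, logon/lockout auditing enabled.
Import-Module ActiveDirectory

$User  = 'jdoe'                       # hypothetical account name
$Since = (Get-Date).AddDays(-1)       # look back 24 hours

# Helper: turn an event's <EventData> fields into a name/value hashtable.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $data = @{}
    ([xml]$Record.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }
    $data
}

# 1. Lockouts (4740) for a domain user: read the PDC emulator's Security log.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since } |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time           = $_.TimeCreated
            User           = $d.TargetUserName
            CallerComputer = $d.TargetDomainName  # 4740 keeps the caller computer name here
        }
    } | Where-Object User -eq $User
$lockouts

# 2. Failed logons (4625): read the log on each computer the lockouts point at.
$callers = $lockouts.CallerComputer | Where-Object { $_ } | Sort-Object -Unique
foreach ($computer in $callers) {
    Get-WinEvent -ComputerName $computer -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $Since } |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d.TargetUserName -eq $User) {
                [pscustomobject]@{
                    Computer = $computer; Time = $_.TimeCreated
                    LogonType = $d.LogonType; SourceIP = $d.IpAddress; SubStatus = $d.SubStatus
                }
            }
        }
}
```

An empty result from either query can also mean the relevant audit policy is not enabled on that machine, so check the policy before concluding that no events occurred.
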
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.


    Best Regards,

    Julie 



    Tuesday, September 25, 2018 9:49 AM
    Moderator
  • Hi Julie,

    I believe I have it sorted now. I went through https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations and then I chose to use WEF to get the logs centralised for certain events on an admin server.

    Regards

    Ronnie

    Tuesday, September 25, 2018 11:06 AM