Event ID 4625 – An account failed to log on
This event is logged when a user fails an attempt to log on to the local computer. It is generated on the computer where the logon attempt was made. Event 4625 is very useful because it records every failed attempt to log on to the local computer, regardless of logon type, location of the user, or type of account.
Operating Systems | Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022 |
Category • Subcategory | Logon/Logoff • Logon |
Type | Failure |
Corresponding events in Windows 2003 and before | 529, 530, 531, 532, 533, 534, 535, 536, 537, 539 |
Description Fields in 4625
Subject:
Indicates the account that initiated the login request, NOT the user that just attempted to log on. Subject is typically Null or one of the service principals, and it contains information that is rarely helpful. To find out who just logged on to the system, see New Logon.
- Security ID
- Account Name
- Account Domain
- Logon ID
Logon Type:
This is important information because it shows HOW the user just signed on. For a list of logon type codes, see 4624.
Account For Which Logon Failed:
This identifies the user that attempted to log on and failed.
- Security ID: The SID of the account that initiated the login attempt. If a valid account could not be found, such as when the supplied username does not match a valid account login name, the SID will be blank or NULL.
- Account Name: The login name for the account that was used in the logon attempt.
- Account Domain: The computer name or, for local accounts, the domain.
Failure Information:
This section explains why the logon failed.
- Failure Reason: The account name of the user who attempted to log in is shown in this section.
- Status and Sub Status: Hexadecimal codes that describe the cause of the login failure. Sub Status is sometimes filled in and sometimes it is not. The codes that we have found are listed below.
Status and Sub Status Codes | Description (not checked against “Failure Reason:”) |
0xC0000064 | user name does not exist |
0xC000006A | user name is correct but the password is wrong |
0xC0000234 | user is currently locked out |
0xC0000072 | account is currently disabled |
0xC000006F | user tried to log on outside his day of week or time of day restrictions |
0xC0000070 | workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller) |
0xC0000193 | account expiration |
0xC0000071 | expired password |
0xC0000133 | clocks between DC and other computer too far out of sync |
0xC0000224 | user is required to change password at next logon |
0xC0000225 | evidently a bug in Windows and not a risk |
0xC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
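The following added example (not code from the original post) parses 4625 records in the XML form used by the Windows event log, takes Sub Status when it is filled in and Status otherwise, and maps the code to the table above. The sample events are constructed, the helper names `make_event`, `parse_failure` and `summarize` are illustrative, and `0xC000006D` in the samples is the generic logon-failure status, which is not in the table.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Status / Sub Status descriptions copied from the table above.
CODES = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000234: "user is currently locked out",
    0xC0000072: "account is currently disabled",
    0xC000006F: "logon outside day of week or time of day restrictions",
    0xC0000070: "workstation restriction or Authentication Policy Silo violation",
    0xC0000193: "account expiration",
    0xC0000071: "expired password",
    0xC0000133: "clocks between DC and other computer too far out of sync",
    0xC0000224: "user is required to change password at next logon",
    0xC0000225: "evidently a bug in Windows and not a risk",
    0xC000015B: "user has not been granted the requested logon type",
}

def make_event(user, status, sub_status, logon_type="3"):
    """Build a minimal, constructed 4625 record (sample data, not a real log)."""
    fields = {"TargetUserName": user, "Status": status,
              "SubStatus": sub_status, "LogonType": logon_type}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

SAMPLES = [  # constructed values
    make_event("alice", "0xc000006d", "0xc000006a"),       # Sub Status filled in
    make_event("nosuchuser", "0xc000006d", "0xc0000064"),
    make_event("bob", "0xc0000234", "0x0", "10"),          # Sub Status not filled in
]

def parse_failure(xml_text):
    """Return user, logon type, deciding code and description for one event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    status, sub = (int(data.get(k) or "0x0", 16) for k in ("Status", "SubStatus"))
    code = sub or status  # fall back to Status when Sub Status is not filled in
    return {"user": data.get("TargetUserName", ""), "logon_type": data.get("LogonType", ""),
            "code": f"0x{code:08X}", "reason": CODES.get(code, "not in the table above")}

def summarize(events):
    return Counter(p["reason"] for p in map(parse_failure, events) if p)

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Real records exported with `wevtutil` or `Get-WinEvent` carry more `Data` fields than the four used here; the parser ignores the ones it does not need.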