Solved

Event ID 4625

Posted on 2014-09-23
Last Modified: 2014-09-30
Researching an error in our Security Event Log.  After reading server blogs, I am still unsure of how to interpret this.

It appears AppsServer.mydomain.com tried to connect to the VPNS-TS$ and failed. Is that correct?
My goal is to find what is causing this event, and make sure it is a legitimate request, and if so correct the login issue.

Any help on troubleshooting this is appreciated.

Here is the Error 4625.  
----------------------
- System

  + Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4625
 
   Version 0
 
   Level 0
 
   Task 12544
 
   Opcode 0
 
   Keywords 0x8010000000000000
 
  - TimeCreated

   [ SystemTime]  2014-09-23T11:58:47.795531900Z
 
   EventRecordID 51157616
 
   Correlation
 
  - Execution

   [ ProcessID]  548
   [ ThreadID]  5968
 
   Channel Security
 
   Computer AppsServer.mydomain.com
 
   Security
 

- EventData

  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-0-0
  TargetUserName VPNS-TS$
  TargetDomainName MyDomain
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 3
  LogonProcessName NtLmSsp  
  AuthenticationPackageName NTLM
  WorkstationName VPNS-TS
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpAddress 192.168.100.41
  IpPort 52607
Question by:HCSHAW
7 Comments
 
LVL 32

Expert Comment

by:it_saige
ID: 40339459
No, this means that the computer VPNS-TS could not connect to the domain.  This computer may or may not be joined to the domain.  Look in Active Directory Users and Computers and see if you can find an entry for VPNS-TS in your Computers OU.  If you cannot, then the computer needs to be rejoined to the domain (if it is supposed to be there).  If it is there, try resetting the account by right-clicking on the entry and choosing Reset Account.

More information:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

Specifically, [0xC0000064] means the user name does not exist.

-saige-
 

Author Comment

by:HCSHAW
ID: 40339487
Hmmm.  That's good to know.   The server is in the Active Directory.   If I select RESET ACCOUNT, will that have any impact?  The one in question is a Terminal Server.   Don't want to screw up everybody's day.  : )
 
LVL 32

Expert Comment

by:it_saige
ID: 40339523
Well, resetting the account will break the connection to the domain and the TS server will have to be rejoined to the domain anyway.  Since the TS server is already not connecting, this is a moot point.

As long as there are no additional problems (other than an Event entry), you can rejoin the TS server after hours.

-saige-

Author Comment

by:HCSHAW
ID: 40339539
That sounds reasonable to me...   We will do it after hours today and monitor to confirm the event message has gone away.

What is the account name that is not found?  Is it the VPNS-TS$?   Why the $?   Is this a hidden system account since it has the $ on it?
 
LVL 32

Accepted Solution

by:
it_saige earned 500 total points
ID: 40339593
If you cannot find the account name (which should be VPNS-TS), then you would simply need to go to the TS server and see what its current Workgroup/Domain membership is.  
If it is a member of a workgroup:
1. Join it to the domain.
2. Reboot.

If it is a member of the domain:
1.  Join it to a workgroup.
2.  Reboot.
3.  Rejoin it to the domain.
4.  Reboot.

The dollar, in this case, does not signify hidden but rather is an identifier.  Accounts that end in '$' are assumed to be machine accounts.

More can be read about Computer Accounts in the Domain here:

http://books.google.com/books?id=eIPA4v0u05EC&pg=PA215&lpg=PA215&dq=why+do+domain+computer+accounts+have+a+dollar&source=bl&ots=gwOUyk0Rcf&sig=8V7xp4pe36-LI_AdK67WUjcFClU&hl=en&sa=X&ei=5ZchVPKkDMW-ggS9gYGYDw&ved=0CDoQ6AEwAw#v=onepage&q=why%20do%20domain%20computer%20accounts%20have%20a%20dollar&f=false

-saige-
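
Added example (not part of the original thread and not written by either poster): a short Python triage of the 4625 fields discussed above, decoding Status/SubStatus, LogonType and the trailing '$' on the account name. The XML is a constructed sample built from the values in the question; the function name `triage_4625` and the lookup tables are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NTSTATUS values commonly seen in the Status/SubStatus fields of event 4625
NTSTATUS = {
    0xC000006D: "logon failure (bad user name or authentication information)",
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

# Constructed sample: the question's values re-expressed as event XML (subset of fields)
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID><Computer>AppsServer.mydomain.com</Computer></System>
 <EventData>
  <Data Name="TargetUserName">VPNS-TS$</Data>
  <Data Name="TargetDomainName">MyDomain</Data>
  <Data Name="Status">0xc000006d</Data>
  <Data Name="SubStatus">0xc0000064</Data>
  <Data Name="LogonType">3</Data>
  <Data Name="AuthenticationPackageName">NTLM</Data>
  <Data Name="WorkstationName">VPNS-TS</Data>
  <Data Name="IpAddress">192.168.100.41</Data>
 </EventData>
</Event>"""

def triage_4625(xml_text):
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not a 4625 event")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    def status(field):
        code = int(data.get(field, "0x0"), 16)
        return NTSTATUS.get(code, "unmapped NTSTATUS 0x%08X" % code)
    user = data.get("TargetUserName", "")
    ltype = int(data.get("LogonType", "0"))
    return {
        "logged_on": root.findtext("e:System/e:Computer", namespaces=NS),
        "account": data.get("TargetDomainName", "") + "\\" + user,
        "machine_account": user.endswith("$"),  # trailing '$' marks a computer account
        "source": "%s (%s)" % (data.get("WorkstationName"), data.get("IpAddress")),
        "logon_type": LOGON_TYPES.get(ltype, "type %d" % ltype),
        "auth_package": data.get("AuthenticationPackageName"),
        "status": status("Status"),
        "sub_status": status("SubStatus"),
    }
```

Calling `triage_4625(SAMPLE)` returns a dictionary that separates the computer that logged the event from the workstation and IP address the failed logon came from.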
 

Author Closing Comment

by:HCSHAW
ID: 40339611
Thanks for the tips.
 

Author Comment

by:HCSHAW
ID: 40352193
Followup Note:    Following the steps of re-joining to the domain did fix the error.