Event ID 4625

Researching an error in our Security Event Log.  After reading server blogs, I am still unsure of how to interpret this.

It appears AppsServer.mydomain.com tried to connect to the VPNS-TS$ and failed. Is that correct?
My goal is to find what is causing this event, and make sure it is a legitimate request, and if so correct the login issue.

Any help on trouble shooting this is apprecated.

Here is the Error 4625.  
----------------------
- System

  + Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4625
 
   Version 0
 
   Level 0
 
   Task 12544
 
   Opcode 0
 
   Keywords 0x8010000000000000
 
  - TimeCreated

   [ SystemTime]  2014-09-23T11:58:47.795531900Z
 
   EventRecordID 51157616
 
   Correlation
 
  - Execution

   [ ProcessID]  548
   [ ThreadID]  5968
 
   Channel Security
 
   Computer AppsServer.mydomain.com
 
   Security
 

- EventData

  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-0-0
  TargetUserName VPNS-TS$
  TargetDomainName MyDomain
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 3
  LogonProcessName NtLmSsp  
  AuthenticationPackageName NTLM
  WorkstationName VPNS-TS
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpAddress 192.168.100.41
  IpPort 52607
HCSHAWAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
it_saigeConnect With a Mentor DeveloperCommented:
If you cannot find the account name (which should be VPNS-TS), then you would simply need to go to the TS server and see what it's current Workgroup/Domain membership is.  
If it is a member of a workgroup:
1. Join it to the domain.
2. Reboot.

If it is a member of the domain:
1.  Join it to a workgroup.
2.  Reboot.
3.  Rejoin it to the domain.
4.  Reboot.

The dollar, in this case, does not signify hidden but rather is an identifier.  Accounts that end in '$' are assumed to be machine accounts.

More can be read about Computer Accounts in the Domain here:

http://books.google.com/books?id=eIPA4v0u05EC&pg=PA215&lpg=PA215&dq=why+do+domain+computer+accounts+have+a+dollar&source=bl&ots=gwOUyk0Rcf&sig=8V7xp4pe36-LI_AdK67WUjcFClU&hl=en&sa=X&ei=5ZchVPKkDMW-ggS9gYGYDw&ved=0CDoQ6AEwAw#v=onepage&q=why%20do%20domain%20computer%20accounts%20have%20a%20dollar&f=false

-saige-
0
 
it_saigeDeveloperCommented:
No, this means that the computer VPNS-TS could not connect to the domain.  This computer may or may not be joined to the domain.  Look in Active Directory Users and Computer and see if you can find an entry for VPNS-TS in your Computers OU.  If you cannot, then the computer needs to be rejoined to the domain (if it is supposed to be there).  If it is there, try resetting the account by right-clicking on the entry and choose, Reset Account.

More information:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

Specifically [0xC00000064] means - user name does not exist.

-saige-
0
 
HCSHAWAuthor Commented:
Hmmm.  Thats good to know.   The Serve is in the Active Directory.   If I select RESET ACCOUNT will that have any impact.  The one is question is a Terminal Server.   Don't want to screw up everybodys day.  : )
0
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 
it_saigeDeveloperCommented:
Well resetting the account will break the connection to the domain and the TS server will have to be rejoined to the domain anyway.  Since the TS server is already not connecting, this is a moot point.

As long as there are no additional problems (other than an Event entry).  You can rejoin the TS server after hours.

-saige-
0
 
HCSHAWAuthor Commented:
That sounds reasonable to me...   We will do it after hours today and monitor to confirm the event message has gone away.

What is the account name that is not found?  is it the VPNS-TS$?   Why the $?   Is this a hidden system account since it has the $ on it ?
0
 
HCSHAWAuthor Commented:
Thanks for the tips.
0
 
HCSHAWAuthor Commented:
Followup Note:    Following the steps of re-joining to the domain did fix the error.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.