dreamer123456

Domain server error, event 4625

I just started working on this network. I see the error below a few times an hour on the domain server. The IP below, 192.168.0.xx, is the IP of the domain server.

Any help will be appreciated.

An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            administrator
      Account Domain:            DOMAIN

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xC000006D
      Sub Status:            0xC000006A

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      NEXPOSE
      Source Network Address:      192.168.0.xx
      Source Port:            49752

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Von Anderson

More than likely the workstation (listed in Workstation Name: NEXPOSE) is doing a pass-through authentication on an account named administrator. An example of what could be happening would be a user on another system is attempting to access a share on NEXPOSE using the administrator credential. Kerberos authentication fails, so NEXPOSE attempts to validate using NTLM. It sends a request to the domain controller to validate the user (administrator). The domain also has an administrator account and the passwords don't match.

This can also happen if you are using a script to access machines using the local administrator account for the credential. If the target workstation is in the domain, it will attempt to validate authentication against the domain. The domain administrator password is not the same as that of the local workstation password, generating the failed logon attempt.

Other potential causes: service accounts, scheduled tasks and mapped drives that are using administrator as the credential.
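
The following Python example is added here and is not part of the original thread: it parses the rendered text of 4625 events in the layout shown in the question, keeps the two "Account Name" fields apart, decodes Sub Status, and counts failures per workstation, source address and account. The sample events and the account name svc_backup are constructed for illustration.

```python
import re
from collections import Counter

# NTSTATUS codes commonly seen in the Status / Sub Status fields of event 4625.
NTSTATUS = {
    0xC000006D: "logon failure: bad user name or password",
    0xC000006A: "wrong password (the account exists)",
    0xC0000064: "no such user",
    0xC0000234: "account locked out",
}
FIELD = re.compile(r"^\s*([^:]+?):\s+(\S.*?)\s*$")  # "Name:   value"

def parse_4625(message):
    """Map (section, field) -> value; 'Account Name' occurs in two sections."""
    section, fields = "", {}
    for line in message.splitlines():
        m = FIELD.match(line)
        if m:
            fields[(section, m.group(1))] = m.group(2)
        elif line.strip().endswith(":"):
            section = line.strip()[:-1]   # header such as "Subject:"
        elif not line.strip():
            section = ""                  # blank line closes the section
    return fields

def summarize(messages):
    """Count failures per (workstation, source address, account, reason)."""
    counts = Counter()
    for f in map(parse_4625, messages):
        sub = int(f[("Failure Information", "Sub Status")], 16)
        counts[(f[("Network Information", "Workstation Name")],
                f[("Network Information", "Source Network Address")],
                f[("Account For Which Logon Failed", "Account Name")],
                NTSTATUS.get(sub, hex(sub)))] += 1
    return counts

def sample(account, sub_status):
    """Constructed input: an abridged 4625 message in the layout shown above."""
    return (f"An account failed to log on.\n\nSubject:\n"
            f"      Account Name:            -\n\nLogon Type:                  3\n\n"
            f"Account For Which Logon Failed:\n"
            f"      Account Name:            {account}\n\n"
            f"Failure Information:\n      Status:                  0xC000006D\n"
            f"      Sub Status:            {sub_status}\n\n"
            f"Network Information:\n      Workstation Name:      NEXPOSE\n"
            f"      Source Network Address:      192.168.0.xx\n")

if __name__ == "__main__":
    events = [sample("administrator", "0xC000006A")] * 3 + [sample("svc_backup", "0xC0000064")]
    for key, n in summarize(events).most_common():
        print(n, *key, sep=" | ")
```

A Sub Status of 0xC000006A, as in the question's event, means the account name was valid and only the password was wrong, so the grouped output points at which host keeps presenting a stale or mismatched administrator password.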