vernaldrich

Failed Logons hammering Workgroup file server (Win 10)

I need to know a process for isolating the source (process or application) that is generating thousands of failed logons (Event ID 4625) per minute on a Win 10 workgroup file server. Within 10 - 30 minutes of logging onto a Win 10 workstation, the account used by the logged-on user's profile to log on to the workgroup file server starts generating failed logons (see details of Event 4624 at end). The fails don't start immediately. There are 2 network drives mapped to the file server using the same credentials and both work perfectly. Office 365 is installed using online Exchange. I've reinstalled Office 365, remapped her network drives, and deleted stale credentials from the workstation; nothing seems to help. I moved her to a laptop and installed Office 365 there, mapped the drives, and the errors have stopped. Does anyone have a clear process for isolating the source of these errors?

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:           renee aldrich
      Account Domain:            RENEE-PC

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xC000006D
      Sub Status:            0xC000006A

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      RENEE-PC
      Source Network Address:      192.168.2.97
      Source Port:            50414

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Tags: Microsoft Office, Exchange, Microsoft 365, Networking, Security
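
An added example, not part of the original post: Python that parses 4625 event text in the layout shown above, decodes the Sub Status, and reports the source address and port to pivot on when the server logged no caller process. The function names and the sample events are constructed for illustration; the Sub Status meanings are those documented for Event ID 4625.

```python
from collections import Counter
# Sub Status values documented for Event ID 4625 (keys lower-cased for lookup).
SUBSTATUS = {"0xc000006a": "user name is correct but the password is wrong",
             "0xc0000064": "user name does not exist"}
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive"}

def parse_4625(text):
    """Parse one rendered 4625 event into {'Section/Field': value}."""
    event, section = {}, ""
    for line in text.splitlines():
        name, sep, value = (part.strip() for part in line.partition(":"))
        if sep and not value:              # header such as "Subject:"
            section = name
        elif sep and line[0].isspace():    # indented field inside a section
            event[f"{section}/{name}"] = value
        elif sep:                          # top-level field such as "Logon Type"
            event[name] = value
    return event

def triage(e):
    """Decode the fields that say where to look next."""
    net, sub = "Network Information/", e.get("Failure Information/Sub Status", "")
    pivot = (e.get(net + "Source Network Address"), e.get(net + "Source Port"))
    return {"account": e.get("Account For Which Logon Failed/Account Name"),
            "logon_type": LOGON_TYPES.get(e.get("Logon Type"), "other"),
            "reason": SUBSTATUS.get(sub.lower(), "unmapped " + sub),
            # Caller Process ID 0x0: the server logged no local caller, so the
            # sender has to be identified on the source host by address and port.
            "pivot": pivot if e.get("Process Information/Caller Process ID") == "0x0" else None}

def summarise(events):
    """Count failures per (source address, account, reason)."""
    return Counter((t["pivot"][0] if t["pivot"] else "local", t["account"], t["reason"])
                   for t in map(triage, events))

# Constructed sample: fields from the event in the post, with constructed source ports.
TEMPLATE = """Logon Type:   3
Account For Which Logon Failed:
      Account Name:   renee aldrich
Failure Information:
      Sub Status:   0xC000006A
Process Information:
      Caller Process ID:   0x0
Network Information:
      Source Network Address:   192.168.2.97
      Source Port:   {port}
"""
SAMPLE = [parse_4625(TEMPLATE.format(port=p)) for p in (50414, 50415, 50416)]
if __name__ == "__main__":
    print(summarise(SAMPLE))
```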

Last Comment
hypercube

8/22/2022 - Mon