Link to home
Start Free TrialLog in
Avatar of T T
T TFlag for Saudi Arabia

asked on

Event (4625) on exchange after change the password

Dears,


We have an issue after change the password of the administrator@company.com account 


we receive a lot of events on exchange event ID (4625) failed access and we want to solve this issue but we can't


some details of the event :  

logon Type: 8

Account Name: end with $

Caller Process Name :C:\windowssystem32\inetsrv\w3wp.exe

Logon Process : Advapi

ASKER CERTIFIED SOLUTION
Avatar of Robert
Robert
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of T T

ASKER

I didn’t find anything from Owa and Ews
Hi,

what is the version of Exchange ?

Exchange does not use anymore service accounts in its configuration (since a lot of time/version).
It is only the computer/Exchange server that receives permissions in AD to work.

It seems that your server could be under attack, or an external progress/program is trying to connect (Backup ?)

https://community.spiceworks.com/topic/310255-multiple-audit-failures-event-id-4625-logon-type-8-svchost

Could you verify the names that are trying to connect?  Names ending by $ should be computers!

Verify also that your Exchange server still belongs to Exchange server groups.
Avatar of T T

ASKER

Yes i found one folder on iis related to ticketing system using the credential of administrator account