Windows Server 2016 doesn't log failed logon attempts made by valid users

Filip Kelava 0 Reputation points
2023-05-25T13:48:59.43+00:00

Greetings,

I've run into an issue regarding auditing failed logon attempts for valid users on a Windows Server 2016 running on a VM.

As the title suggests, Windows will not log failed logon attempts (wrong password) made by valid users, but it does log non-existing users under event ID 4625.

I've tried adjusting both the local and group policies in regards to any "logon" entries, and tried with setting them on both just 'failure' and 'success and failure'. I've also tried forcing policy update with gpupdate /force and restarting the machine multiple times just in case, as well as varying variations of audit policies set to log 'failure'.

The event IDs I've filtered by in Event Viewer are 529, 4625, 4770, 4771, 4776.

The machine is in a domain, but I need it to log locally, which only works for invalid users. Other machines in the domain normally log all failed logon attempts with event ID 4625.


2 answers

  1. Anonymous
    2023-05-29T07:01:16.94+00:00

    Hello Filip Kelava,

    Thank you for posting in our Q&A forum.

    Based on the description "The machine is in a domain, but I need it to log locally.", you can use a local account on this machine to log in to this machine, and try a local user account with a wrong password to see if it helps.

    If it does not work, check whether you set the "Legacy audit policy (Computer Configuration\Windows settings\security settings\local policies\audit policy)" or the "Advanced audit policy (Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration)".

    Please check:

    1. If you have never configured any advanced audit policy before, then you configure the legacy audit policy.

    2. If you have configured any advanced audit policy before, then you have configured the advanced audit policy.

    3. Advanced audit policies will overwrite all legacy audit policies by default.

    4. Did you configure the audit policy via the local machine or domain-wide? If you configure the audit policy via a domain controller, did you configure it within "Default Domain Policy"?

    5. If you configure the audit policy via a domain controller and configure it within a "non-Default Domain Policy (a custom GPO)", you should apply this GPO to this machine.

    Hope the information above is helpful. If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.
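
One way to check the points raised in the answer above on the affected server, as an added example that is not part of the original thread. It assumes an elevated PowerShell session and an English-language OS (audit subcategory names are localized); the one-hour look-back window is an arbitrary choice.

```powershell
# Added example (not from the thread). Run elevated on the affected server.
# 1. Effective advanced audit settings for the subcategories behind the event
#    IDs in the question: 4625 (Logon), 4776 (Credential Validation),
#    4771 (Kerberos Authentication Service). Names assume an English OS.
$subcategories = 'Logon', 'Credential Validation', 'Kerberos Authentication Service'
$effective = foreach ($name in $subcategories) {
    auditpol /get /subcategory:"$name" /r |
        Where-Object { $_ } |          # drop blank lines in the CSV report
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}
$effective | Format-Table -AutoSize

$logon = $effective | Where-Object Subcategory -eq 'Logon'
if ($logon.'Inclusion Setting' -notmatch 'Failure') {
    Write-Warning 'Failure auditing is not in effect for Logon; no 4625 events will be written.'
}

# 2. Do subcategory (advanced) settings override the legacy category settings?
#    A value of 1 means the legacy audit policy is ignored.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
"SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy)"

# 3. Which GPOs actually apply to this computer (domain vs. local settings).
gpresult /scope computer /r

# 4. Recent failed logons recorded locally, with the failure reason.
#    SubStatus 0xC000006A = wrong password, 0xC0000064 = user does not exist.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($evt in $events) {
    $data = @{}
    foreach ($field in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$field.Name] = $field.'#text'
    }
    [pscustomobject]@{
        Time      = $evt.TimeCreated
        User      = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        LogonType = $data.LogonType
        Status    = $data.Status
        SubStatus = $data.SubStatus
    }
}
```

If step 4 shows only SubStatus 0xC0000064 entries after a wrong-password attempt with a valid account, compare the output of steps 1 to 3 with a domain machine that logs correctly.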

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.