Getting multiple Event 4625 entries on my Domain controller. What changes should I make in GPO to eliminate this event without affecting my production environment?

Akash Gupta 0 Reputation points
2023-03-11T10:43:57.28+00:00
    SubjectUserSid            S-1-0-0
    SubjectUserName           -
    SubjectDomainName         -
    SubjectLogonId            0x0
    TargetUserSid             S-1-0-0
    TargetUserName            bob
    TargetDomainName          D6CCHT12
    Status                    0xc000006d
    FailureReason             %%2313
    SubStatus                 0xc0000064
    LogonType                 3
    LogonProcessName          NtLmSsp
    AuthenticationPackageName NTLM
    WorkstationName           D6CCHT12
    TransmittedServices       -
    LmPackageName             -
    KeyLength                 0
    ProcessId                 0x0
    ProcessName               -
    IpAddress                 10.162.2.152
    IpPort                    52652


2 answers

  1. Zeeshan Nasir Bajwa 656 Reputation points Student Ambassador
    2023-03-14T08:59:46.0466667+00:00

    Hi Akash,

    Event ID 4625 on a domain controller indicates that an authentication attempt has failed. Based on the information you have provided, it appears that the failure is related to a logon attempt using NTLM authentication, which is an outdated authentication protocol that has been replaced by Kerberos.

    To eliminate this event without affecting your production environment, you can disable NTLM authentication on your domain controllers using Group Policy. Here's how:

    1. Open the Group Policy Management Console (GPMC) on your domain controller.
    2. Create a new Group Policy Object (GPO) and give it a descriptive name.
    3. Edit the GPO and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
    4. Locate the "Network security: Restrict NTLM: Incoming NTLM traffic" policy and set it to "Deny All".
    5. Locate the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy and set it to "Deny All".

    These settings will prevent NTLM authentication from being used on your domain controller, which should eliminate the Event ID 4625 errors you are seeing. Note that this may break compatibility with some older applications that rely on NTLM authentication, so you should thoroughly test this configuration in a non-production environment before applying it to your production environment.


  2. Limitless Technology 44,766 Reputation points
    2023-03-14T08:15:02.7733333+00:00

    Hello

    Thank you for your question and for reaching out. I understand you are having queries/issues related to Event 4625 on the DC.

    This event is logged for any logon failure. Here Logon Type = 3 means that the PC is trying to connect to shared resources (folders and printers).

    It is generated on the computer where the logon attempt was made; for example, if the logon attempt was made on a user's workstation, then the event will be logged on that workstation.

    Please check if there are any mapped folders, shared drives or Task Scheduler tasks on that workstation using old credentials.

    Reference:

    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

    --If the reply is helpful, please Upvote and Accept as answer--

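Before changing any GPO, a practitioner would first want to see which accounts, sources and sub-statuses actually make up the 4625 volume on the DC, which is what both answers ultimately depend on. The PowerShell below is an added example, not code from the question or either answer; it assumes an elevated session on the domain controller, and the look-back window and event cap are arbitrary values chosen for illustration.

```powershell
# Added example: summarise Event ID 4625 on a DC by user, source and reason.
# Assumptions: elevated PowerShell on the DC; -Hours and -MaxEvents are arbitrary defaults.

# NTSTATUS sub-status codes commonly seen in 4625 (documented by Microsoft)
$SubStatusText = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'wrong password'
    '0xC000006D' = 'bad user name or authentication information'
    '0xC000006F' = 'outside permitted logon hours'
    '0xC0000070' = 'workstation restriction'
    '0xC0000071' = 'password expired'
    '0xC0000072' = 'account disabled'
    '0xC0000193' = 'account expired'
    '0xC0000234' = 'account locked out'
}

function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,        # look-back window (assumed default)
        [int]$MaxEvents = 5000   # bound the query on a busy DC (assumed default)
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event data fields are addressed by name through the XML view of the record
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Normalise "0xc0000064" to "0xC0000064" so it matches the lookup table
            $sub = '0x{0:X8}' -f [int64]$d['SubStatus']
            $reason = if ($SubStatusText[$sub]) { $SubStatusText[$sub] } else { 'other' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['TargetUserName']
                Workstation = $d['WorkstationName']
                IpAddress   = $d['IpAddress']
                LogonType   = $d['LogonType']
                AuthPackage = $d['AuthenticationPackageName']
                SubStatus   = $sub
                Reason      = $reason
            }
        } |
        Group-Object User, IpAddress, Workstation, Reason |   # a repeating tuple is the stale credential
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'User/IP/Workstation/Reason'; e = { $_.Name } }
}

Get-FailedLogonSummary | Format-Table -AutoSize
```

For the event in the question, the top row would read "bob, 10.162.2.152, D6CCHT12, user name does not exist", which points at a stored credential for a non-existent account on that workstation rather than at a DC-wide NTLM problem.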
