
event-4625 without ip and port

Eric Jiang 0 Reputation points
2023-09-13T03:29:11.4866667+00:00

On WinServer 2012 R2 and below, NTLM logins do not have IP and Port records. This issue has been fixed in 2016. May I know if there are any related patch packs for 2012 and below?


1 answer

  1. Wesley Li 11,770 Reputation points
    2023-09-28T12:26:57.91+00:00

    Hello

    According to a discussion on GitHub, Windows Server 2012 and below do not record IP and Port details for NTLM logins in Event 4625. This issue has been fixed in Windows Server 2016. Unfortunately, I couldn’t find any specific patches for Windows Server 2012 and below to address this issue.

    However, you might be able to get more detailed logs by enabling certain debug flags. For example, you can use the nltest command to enable more detailed logging for the NetLogon service. Here’s how you can do it:

    Open the Run dialog (Win + R), type in: nltest /dbflag:2080ffff, and press OK.

    Restart the NetLogon service. The related activity may be logged to %windir%/debug/netlogon.log.

    Once you’re done with the debugging, don’t forget to disable it by opening the Run dialog again, typing in: nltest /dbflag:0, and pressing OK.

    Please note that these steps should be performed by an IT professional or under their guidance, as they involve changes that could affect your system’s operation.
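
Added example, not part of the original answer: once NetLogon debug logging is on, this Python sketch pulls failed NTLM pass-through logons out of netlogon.log and groups them by source. The `SamLogon` line layout is an assumption (the thread does not show it), and in that layout the source is a workstation name and relaying server, not an IP address and port; the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed netlogon.log layout (not shown in the thread). The bracketed PID is
# optional, and the workstation field can be empty.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] (?:\[\d+\] )?"
    r"(?P<domain>[^:]+): SamLogon: (?:Transitive )?Network logon of "
    r"(?P<account>.+?) from (?P<workstation>\S*) "
    r"(?:\(via (?P<via>[^)]+)\) )?Returns (?P<status>0x[0-9A-Fa-f]+)$"
)
# NTSTATUS codes commonly seen on failed logons.
STATUS = {"0xC0000064": "no such user", "0xC000006A": "wrong password",
          "0xC0000234": "account locked out"}
# Constructed sample lines, not taken from a real system.
SAMPLE = r"""
09/13 03:20:01 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-017 (via APP01) Entered
09/13 03:20:01 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-017 (via APP01) Returns 0xC000006A
09/13 03:20:04 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-017 (via APP01) Returns 0xC000006A
09/13 03:21:10 [LOGON] CONTOSO: SamLogon: Network logon of (null)\admin from  (via MAIL01) Returns 0xC0000064
09/13 03:22:30 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\svc_web from WEB02 Returns 0x0
""".strip().splitlines()

def parse_failed_logons(lines):
    """Return one dict per SamLogon 'Returns' line whose status is non-zero."""
    failures = []
    for line in lines:
        m = LOGON_RE.match(line.strip())
        if not m or int(m["status"], 16) == 0:
            continue  # skips "Entered" lines, other log sections and successes
        rec = m.groupdict()
        rec["status"] = "0x%08X" % int(m["status"], 16)
        rec["reason"] = STATUS.get(rec["status"], "unknown")
        failures.append(rec)
    return failures

def failures_by_source(failures):
    """Count failures per (workstation, relaying server) to find the noisy origin."""
    return Counter((f["workstation"] or "<blank>", f["via"] or "<direct>")
                   for f in failures)

if __name__ == "__main__":
    for (wks, via), n in failures_by_source(parse_failed_logons(SAMPLE)).most_common():
        print(f"{n:3d} failed NTLM logons from {wks} via {via}")
```

To use it on a real log, pass the lines of the netlogon.log file to `parse_failed_logons` in place of `SAMPLE`, then match the timestamps against the 4625 events that lack a source address.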
