This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 57.99999999999999%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
I have one user that has over 2000 Event errors below this week and I am totally lost on what it possibly could be. I checked credential manager and that was completely clean. Looked through all the Services and nothing odd in there at all. Also checked his programs and processes and everything looked normal. Whatever it is tried to hit any of our domain controllers but it never locks his account out. Only one user from one laptop. Thought it was super strange and thought I should figure it out.
Thank you in advance for the help!
Event Type
UserLogonFailure
EventInfo
Logon Failure "Had user name here"
DetectionIP
(Domain Controller was here)
ToolAlias
Windows Security
ProviderSID
Microsoft-Windows-Security-Auditing 4625
LogonProcess
NtLmSsp
InsertionTime
2020-12-11 11:27:21
Manager
swi-sem
DetectionTime
2020-12-11 11:27:19
ExtraneousInfo
SourcePort: 63706; Call-ProcessName: -;
DestinationAccount
jsayersmith
DestinationMachine
(Domain Controller was here)
AuthPackage
NTLM
FailureCount
1
DestinationDomain
TCORP
LogonType
Windows: Network
Severity
4
SourceLogonID
0x0
FailureReason
Unknown user name or bad password.
InsertionIP
(Domain Controller was here)
ManagerTime
2020-12-11 11:27:21
SourceMachine
10.215.10.3
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 73%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESQ%3C/text%3E%3C/svg%3E)
Hi @KuchJ ,
Greeting! Hope everything is fine with you.
After discussing with our Active Directory Domain Service engineer, we think tracing and monitoring should be necessary if the account is in Active Directory and still an active user.
You can capture network traffics by Network Monitor when the issue reproduced on problematic device . Please download the “Network Monitor” as below link in advance and install as Administrator on problematic node and :
https://www.microsoft.com/en-sg/download/details.aspx?id=4865
However, Please understand analysis of network traffic is beyond our forum support level. So I would suggest you contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.
You may find phone number for your region accordingly from the link below:
Global Customer Service phone numbers
Best Regards,
Sunny
----------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @KuchJ ,
Thanks for posting in Q&A platform.
Based on provided info, as a workaround I would suggest to perform NTLM policy control to completely prevent LM response. Please refer to the detailed steps as below:
Firstly, please locate to Local Security Policy-->Local Policy-->Security Options-->Network security: LAN Manager authentication level-->set to Send NTLMv2 response only
And then please locate to Local Security Policy-->Local Policy-->Security Options-->Network security: Restrict NTLM: Incoming NTLM traffic-->set to Deny all accounts
Best Regards,
Sunny
----------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you Sunny. I will get on that system and give that a shot. That seems like a sure fire fix and I really appreciate it. I will let you know the results as soon as I get on. Thank you!
Thanks for your feedback. Will wait for your good news!
Finally was able to connect on his laptop and try that out around 10:30. Looks like it is still going which i am surprised. Not sure what might be doing it. It is a super clean system but obviously something is trying to do something. Here is a picture of it. Thank you again for trying to help me. 
![49228-image.png][2]
Hi,
Thanks for your feedback.
May I know if there is related Event logs in Event viewer when the issue occurred? If yes, please provide screenshot for further troubleshooting.
Best Regards,
Sunny
Hello Sunny,
Still amazes me his account doesn't lock out at all but this is the only error his account and it is random on one of the three domain controllers. Here are the event logs from the main domain controller. Thank you again for your help!
Hi @KuchJ ,
Thank you very much for your feedback.
The result code 0X6 of Event 4768 means "The username doesn’t exist." Please kindly check if the account jsayersmith was existed in ADUC. Or may I know whether this account was a service account?
Best Regards,
Sunny
Greetings Sunny,
The account is in Active Directory and still an active user. Odd that that the error is for a user doesn't exist but he can login to the VPN and Office 365 with zero issues. Never locks out or anything and triple check his credential manager again and super clean. Had to get that one strange issue I guess. :P
I will give that a shot with the Network Monitor tool. Thank you for all your help. Really appreciate it big time. :)
You're welcome! Happy holiday~
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 32%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EU7%3C/text%3E%3C/svg%3E)
Hello @KuchJ ,
Did you identified the root cause of this issue? what was it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 44%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELV%3C/text%3E%3C/svg%3E)
I am also curious to see if anyone found a resolution for this as I have those exact security settings in our domain per NIST requirements and I am seeing the same thing for a local admin account on newly created workstations that are added to our domain.