Which audit policy do I need to configure in order to see event ID 4625 for invalid logon events?

Anonymous
2024-02-05T01:20:01+00:00

As far as I know I followed the Microsoft document, but it is not helping. Microsoft should provide an easy-to-follow document showing which audit policy needs to be turned on in order to see event ID 4625 under the security logs on a domain controller.

Please see the thread I've got going on: https://www.reddit.com/r/activedirectory/comments/1aijnan/how_to_enable_audit_policy_for_invalid_logon/

On this thread I have documented what I have tried so far, but still not able to see event ID 4625 on domain controller.

Actually posting data from above thread here as well:

Per https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events I tried enabling the following, but no good:

Audit account logon events Success, Failure

Audit logon events Success, Failure

I tried following policies, but no good:

Advanced Audit Configuration:

Logon/Logoff Audit Logon Success, Failure > N

Audit Credential Validation Success, Failure > N

Audit User Account Management Success, Failure > N

N = It did not work for me.

What audit policy do I need to configure in order to see event ID 4625 for failed logon events?

My environment and what I tried so far:

I am working on a DC running Windows Server 2022, which is the PDC:

C:\Users\Administrator>netdom query fsmo
Schema master               DC1.homelab.local
Domain naming master        DC1.homelab.local
PDC                         DC1.homelab.local
RID pool manager            DC1.homelab.local
Infrastructure master       DC1.homelab.local
The command completed successfully.

Please advise. Thanks in advance!

gpupdate /force gets applied successfully.

I ran gpupdate /force on domain joined workstation successfully.

I rebooted workstation multiple times.

Steps taken on DC1:

Enabled "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings."

C:\Users\Administrator>AuditPol /get /category:* |findstr /i "Success"
  Logon                                   Success and Failure
  Account Lockout                         Success and Failure
  User Account Management                 Success and Failure
  Credential Validation                   Success and Failure

C:\Users\Administrator>hostname
DC1
C:\Users\Administrator>gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.

Steps taken on workstation:

C:\Windows\system32>hostname
WIN10ENTEVA1
C:\Windows\system32>gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.

Result: Still no event ID 4625 😕

It's the default domain group policy, so the group policy is linked to the domain. I am looking for event ID 4625 in the security logs on the domain controller.


Locked question. This question was migrated from the Microsoft Support Community. To protect privacy, user profiles for migrated questions are anonymized.


4 answers

  1. Anonymous
    2024-02-06T08:07:54+00:00

    Hello jackin,

    Thank you for posting on the Microsoft Community Forum.

    Do you want to see event ID 4625 on DC or domain machines?

    You should configure the audit policy on DCs if you want to see event ID 4625 on DCs or configure the audit policy on Domain machines if you want to see event ID 4625 on Domain machines.

    Legacy audit policy:

    Computer Configuration\Windows settings\security settings\local policies\audit policy

    Audit Logon Events – Failure

    Or use advanced audit policies (advanced audit policies will overwrite all legacy audit policies by default): Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration\Logon/Logoff:

    Audit Account Lockout – Success and Failure

    Audit Logon – Success and Failure

    4625(F) An account failed to log on. - Windows Security | Microsoft Learn

    Note:

    1. If you have never configured any advanced audit policy before, then you can configure the legacy audit policy.

    2. If you have configured any advanced audit policy before, then you need to configure the advanced audit policy.

    3. Once you have configured any one of the advanced audit policies, then all legacy audit policies will be overwritten by default.

    Can you see the 4625 event on the computer that failed to log in? 4625 events will only be logged if you fail to log in.

    Reference link: Event ID 4625 not being logged in Security Logs | Microsoft Learn.

    I hope the information above is helpful.

    If you have any questions or concerns, please do not hesitate to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2024-02-06T18:54:44+00:00

    @Daisy Zhou123

    To answer your questions:

    1. Do you want to see event ID 4625 on DC or domain machines? Yes
    2. Can you see the 4625 event on the computer that failed to log in? Yes
    3. The following audit policies are configured on the domain controller:

    Still I don't see event ID 4625 on the domain controller. I have to be missing something in the configuration. The gpupdate /force command completed successfully on both the DC and the workstation, and I have rebooted both the domain controller and the workstation as well. Any further advice on how to troubleshoot this?

  3. Anonymous
    2024-02-08T02:06:58+00:00

    Hello jackin,

    Good day! Thank you for your reply.

    You have configured Advanced audit policy.

    It doesn't appear that the audit account lockout policy is configured under the advanced audit policy, from the image you provided.

    By auditing account lockouts, you can audit security events that are generated due to failed attempts to log in to a locked account.

    If you configure this policy setting, an audit event is generated when an account is unable to log on to the computer because the account is locked.

    Once the configuration is complete, use the "gpupdate /force" command on the DC to force the Group Policy to be updated.

    At last, you need to try to log on to one Domain Controller with an incorrect password, then check if there is any event ID 4625 on that Domain Controller.

    I hope the information above is helpful.

    If you have any questions or concerns, please do not hesitate to let us know.

    Best Regards,

    Daisy Zhou

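As an added example (not code from the thread and not Microsoft's own guidance), the steps from the two answers above carried out with PowerShell on the DC, plus the check a practitioner wants before concluding the policy is broken: a bad password typed on a domain-joined workstation is verified by the DC over Kerberos or NTLM, so the DC records 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation), while the 4625 for that attempt is written on the workstation where the logon session failed to be created. The DC writes its own 4625 only when the logon attempt is made against the DC itself (an interactive, RDP or SMB logon to the DC), which is why the last answer says to log on to the DC with a wrong password. The domain `homelab`, the test account `auditprobe`, its wrong password and the DC name `DC1` are placeholders.

```powershell
# Added example, not code from the thread. Run elevated on the DC (DC1 here).
# Placeholders: the domain 'homelab', the throw-away account 'auditprobe' and
# its wrong password. Use a dedicated test account so a lockout threshold
# cannot hit a real one.

# 1. Make subcategory (advanced) settings override the legacy category settings.
#    This is the registry value behind "Audit: Force audit policy subcategory
#    settings (Windows Vista or later) to override audit policy category settings".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Enable the subcategories that matter. 4625 is produced by Logon (and by
#    Account Lockout when the account is already locked). Kerberos Authentication
#    Service and Credential Validation produce the 4771 / 4776 a DC writes when
#    it rejects a bad password sent from another machine.
#    The GPO that wins on the Domain Controllers OU (by default the Default
#    Domain Controllers Policy, not the Default Domain Policy) re-applies its
#    own values at the next refresh, so put the same settings there to persist them.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable
auditpol /set /subcategory:"Credential Validation" /failure:enable

# 3. Show the effective policy on this host, i.e. what LSA actually enforces.
foreach ($sub in 'Logon', 'Account Lockout', 'Kerberos Authentication Service', 'Credential Validation') {
    auditpol /get /subcategory:"$sub"
}

# 4. Generate one failed logon *against the DC itself*. Connecting to the
#    loopback IP instead of the host name gives Kerberos no SPN to target, so
#    the SMB client uses NTLM: the DC validates the credential (4776) and, as
#    the SMB server, fails to create the session (4625, LogonType 3).
$start = Get-Date
cmd /c 'net use \\127.0.0.1\IPC$ /user:homelab\auditprobe WrongPassword1 >nul 2>&1'
cmd /c 'net use \\127.0.0.1\IPC$ /delete /y >nul 2>&1'   # harmless if nothing was mapped

# 5. Read back what the DC logged since $start, with the fields that explain why.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4771, 4776
    StartTime = $start
}
foreach ($e in $events) {
    # Pull EventData by name rather than by position; positions differ per event ID.
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']   # only present on 4625
        Status    = $d['Status']      # 0xc000006d (4625) / 0x18 (4771) / 0xc000006a (4776) for a bad password
        SubStatus = $d['SubStatus']   # 0xc000006a on a 4625 caused by a bad password
        Source    = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['Workstation'] }
    }
}
# If a bad password entered on a workstation shows up here only as 4771/4776,
# the policy is working as designed: look for that 4625 on the workstation.
```

Step 4 is the part that turns "I set the policy" into evidence: a failed logon that targets the DC yields a 4625 on the DC, while failures originating on other hosts show up on the DC as 4771/4776, and the per-event Status/SubStatus values tell you whether the failure was a bad password (0xC000006A), an unknown account (0xC0000064) or something else.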
  4. Anonymous
    2024-02-13T19:07:52+00:00

    Still not getting event ID 4625. I will post the screenshots as soon as I get chance. Wish Microsoft had a clear-cut article how to enable audit policy to get event ID 4625 :(

    Per your suggestion I also enabled the audit account lockout policy under the advanced audit policy, but to no avail. I don't know why it is so difficult to get event ID 4625 😢
