Logon Event id 4625 Type 3 Logged in ConfigMgr Security Logs

Question

Good morning!

Recently we were scrutinizing the security logs and have discovered some strange security events logged on our DCs security logs.

The Event ID 4625 with Logon Type 3 relates to failed logon attempts via network.

These logons was on other machines that are SCCM (Config Manager) Clients. The logs does indicate the user logon names as well as the machines it took place. However, I must say that the actual logons was legit, meaning user used the correct login name and even correct password but on SCCM Security Logs it registered a failed login attempt with the Event ID 4625 and Logon Type 3. For info, there are no shared resources mapped to these machines. However, If it was an administrator of SCCM that logon to that machine, no logs will be registered.

Is anyone aware of such behavior in SCCM?

Thank you and best regards.
Ronald

127229-error-4625.txt

Answer 1

Hi, @Ronald Seow
Thank you for posting in Microsoft Q&A forum.

I checked the event id 4625 from the documentation, it says this event generates on domain controllers, member servers, and workstations.

And do you mean it only registered a failed login attempt with the Event ID 4625 and Logon Type 3 on SCCM Security Logs, but registered a successful login on that device and DC? It's really strange, it looks like have something to do with SCCM but the behavior seems unreasonable.

You may try to send a frown from SCCM console about this issue:
In the upper right corner of the console, select the smiley face icon. Then select "Send a frown".

---

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.