mfhjek0
quote:
4625 In Windows "logon" events are not simply someone entering their id and password. There are any number of actions that Windows bundles under a "logon event". Any resource (mapped drive, e-mail, printer, etc.) the user has connected to periodically triggers authentication, which falls under "logon" events. Services could have been set up to use that account id and password to run, and scheduled jobs may also be kicking off using that id and pw; all may look like logons depending on the action. I usually start tracking at that workstation and look at its security event log. Also, are any services set up to run on that machine using that person's account? Any scheduled jobs using the account? Does the user log off at the end of the day, and is the event occurring during work hours or after? Did the user recently change their password, and is that when the errors started? If the password was recently changed then it is probably a process trying to re-authenticate or verify credentials with the old password. Make sure the person logs off from all their machines and logs back on with the new password. Many people do not log off; they lock their account or disconnect. Good luck.
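The checks described in the post above (the workstation's Security log, services, and scheduled jobs that use the account) can be run as one script. This is an added example, not part of the original post; the account name `jdoe` and the 24-hour window are assumed values, and it must be run from an elevated prompt on the workstation being investigated.

```powershell
# Added example. $User and the look-back window are assumptions; adjust both.
$User  = 'jdoe'                       # hypothetical account name
$Since = (Get-Date).AddHours(-24)

# 1. Failed logons (event 4625) for the account in this machine's Security log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $Since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data |
        ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d['TargetUserName'] -ne $User) { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        LogonType   = $d['LogonType']      # 2 interactive, 3 network, 4 batch, 5 service, 7 unlock
        Workstation = $d['WorkstationName']
        SourceIp    = $d['IpAddress']
        Process     = $d['ProcessName']
        SubStatus   = $d['SubStatus']      # 0xC000006A = wrong password
    }
}

# Which logon type, source and process account for most of the failures?
$failures | Group-Object LogonType, Workstation, SourceIp, Process |
    Sort-Object Count -Descending | Select-Object Count, Name

# Do the failures fall inside or outside working hours?
$failures | Group-Object { $_.Time.Hour } |
    Sort-Object { [int]$_.Name } | Select-Object Name, Count

# 2. Services configured to run as the account.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like "*$User*" } |
    Select-Object Name, StartName, State, StartMode

# 3. Scheduled tasks that run as the account.
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$User*" } |
    Select-Object TaskPath, TaskName, State,
        @{ Name = 'RunAs'; Expression = { $_.Principal.UserId } }
```

Failures that cluster on logon type 4 or 5, or on a single process, point at a scheduled job or service still holding the old password; type 3 failures from another machine point at a session the user never logged off.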