Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

 

How to find the reason for failed logon attempts

Auditing logon events is one of the most important tasks for administrators. They tend to miss significant logon events such as a failed logon attempt by unauthorized users due to alert fatigue. To spot malicious intrusions, it is essential to analyze the reason behind the failed logon attempts and ascertain if the attempt was a legitimate one or otherwise.

This article elaborates the ways of finding the logon failure reason using native AD tools and ManageEngine ADAudit Plus, a real-time AD auditing solution.

Download for FREE
Free, fully functional 30-day trial

  • With Native AD Auditing

  • With ADAudit Plus

ADAudit Plus has a simple and straightforward method to get the reason behind logon failures.

You need to enable auditing for the logon events for ADAudit Plus to capture and analyze those events. Check out the first step of the previous section.

Once you enable auditing, follow the below steps to get reports on logon failures using ADAudit Plus

  • Login to ADAudit Plus web console.

  • Click on the Reports tab, navigate to User Logon Reports and select Logon Failures. verify-logon-failure-account-currently-disabled-4

  • This report helps administrators verify the reason for the logon failure. Based on the reason, the administrator can decide whether it is a potential security threat or not.

    ADAudit Plus can generate clear, user-friendly reports for all the important events in the domain and also has a real-time alert feature which alerts the admins in case of any unanticipated activity. Explore other capabilities of ADAudit Plus here.

Here is how you can find the reason for failed logon attempts in native AD.

  • Step 1: Enable 'Audit Logon Events' policy

  • Open 'Server Manager' on your Windows server.

  • Under the 'Manage' tab, select 'Group Policy Management' to view the 'Group Policy Management Console'.

  • Navigate to Forest>Domain>Your Domain>Domain Controllers.

  • Either create a new group policy object or you can edit an existing GPO.

  • In the group policy editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

  • In Audit policies, select 'Audit logon events' and enable it for 'Failure'.

    verify-logon-failure-account-currently-disabled-1
  • Step 2: Use Event Viewer to find the reason for the logon failure

    Once Audit Policy is enabled, the Event Viewer records those events against their respective event IDs. Look for event ID 4625 that denotes a failed logon attempt.

    verify-logon-failure-account-currently-disabled-2

    Run a filter for event ID 4625 to get a list of all the failed logon attempts recorded in the Event Viewer. Right-click on the relevant event and select Event Properties. Scroll down the General information of the event to verify the reason for the failed logon.

    verify-logon-failure-account-currently-disabled-3

    You will have to repeat this process multiple times to ascertain the reason for each failed logon attempts.

Native auditing becoming a little too much?

Simplify Active Directory auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request 1-on-1 demo

  •  
  •  
  •  
  •  
  •  
  • -Select-
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.

Thanks

One of our solution experts will get in touch with you shortly.

ADAudit Plus Trusted By

Meet all auditing and IT security needs with ADAudit Plus.

  • Active Directory
  • File servers
  • Windows server
  • Workstation
  • Compliance
  • Related Products

A single pane of glass for complete Active Directory Auditing and Reporting

Free Trial Get Quote
Email Download Link