Active Directory

Track the Source of Failed Logon Attempts in Active Directory


If you start getting large number of failed login attempts then it could be an indication of a security thread. Here we will see the steps to troubleshoot this issue.

Step 1: First you have to run gpmc.msc to Configure Group Policy Audit Settings


Step 2: Then you have to edit domain’s Default Domain Policy which is in the Group Policy Management Editor.


Step 3: Now you have to expand computer configuration->Windows Settings->Security Settings -> Local Policies -> Audit Policy and then double-click ‘Audit logon events’.


Step 4: After that in the Audit logon event properties, you have to select the Security Policy Setting tab and select Success.


Step 5: Now open command prompt and then run the command gpupdate/force to update Group Policy.


Step 6: To get in detailed about the failed logon events, filter the Security Event Log for Event ID 4625.

Step 7: Now double-click on the event to see details of the source from where the failed logon attempts were made.


Windows Event ID 4625: An account failed to log on

From security point of view we can say that this is a useful event because it documents each and every failed attempt to logon to the local computer apart from this logon type, location and type of account.

Get in detailed here:

For more information, please refer to the following links:

How to Troubleshoot Account Lockout in Active Directory:

Common Causes for Account Lockouts – Resolution and Troubleshooting Steps:

Leave a Reply

Your email address will not be published. Required fields are marked *