Cannot generate Account Logon Events (Event ID 4624) in Security Event Log on Server 2008 R2 Domain Controller

Similar Messages

• Cannot open database " " requested by the login. The login failed. SQL Server 2008 Express

  I am getting this message when I try to create a path to a work file from my application.
  Cannot open database " " requested by the login.  The login failed. 
  SQL Server 2008 is installed.  I have placed the computer name and instance in the application's config file as connection source. 
  The database is also not showing up in SQl Server Management Studio in list of databases.
  Thanks.

  Hello,
  Can you please confirm login exist in the sql server and its mapped to particular database.
  Are you directly connecting to SSMS?
  Or using any 4 part query?
  Please share how you are accessing the DB and screen hots of error messages.
  Thank You.
  Regards, Pradyothana DP. Please Mark This As Answer if it solved your issue. Please Mark This As Helpful if it helps to solve your issue. ========================================================== http://www.dbainhouse.blogspot.in/

• Cannot generate accounting doc when creating billing doc

  When creating billing doc, no accounting document is generated, the posting status is "Error in accounting interface". I have checked and there is no problem in account determination. Does anyone get idea on this problem? Thanks!

  Check the account determination in Transaction Code VKOA.
  If the data is not maitained to determine G/L, in that case it gives error. Once you maintain the relevant data in VKOA, next go to billing document in change mode VF02 & release the same to accounting.
  Regards,
  Rajesh Banka
  Reward points if helpful.

• Windows 2008 R2 Domain Controller, Tracking of helpdesk staff invloved in unlock account, password reset

  Dear All,
  We recently gave permissions to group of level 1 staff to unlock OR reset password of users. In case user calls and report his account is locked OR if his password expires.
  I want to track by auditing just in case something goes wrong, I can check in auditing. I have created a new GPO and select success/failure for Computer Config > Windows Settings > Security Settings > Local Policies > Audit Policy "Audi
  Account Management"
  applied it on domain top level and I did not changed settings of 'default Domain Policy' which is also linked on top level of domain.
  But after applying this I am unable to see any event 4724 of password re-set when I attempted to test this GPO. What else is required to be done in order to trace users in group 'level1' if they change any body password.
  Please assist.
  thank you

  Hello,
  Total two DC's in our environment. But now I figured out and it is working now. It was supposed to set in Advanced audit policy > User account management, I enabled it for success and failure and my newly created GPO is applied on domian top in addition
  to default domain policy.
  I am able to see unlock events, password change events in my security log. So, it is working.
  Thank you,
  Wajeeh

• No event logs when RAID fails in Server 2008 and R2

  From what I'm finding out (by web searching) they forgot to include event logging in Server 2008 for when a Windows software RAID fails in some way such as missing disk, failed redundancy, etc. This is REALLY annoying as I was trying to setup email notifications
  for when this happens so I can fix it. I'm just using this on my servers at home, so I'm not big on the idea of spending a lot of money on a hardware RAID, it just does some simple network file sharing and streaming and software RAID is fine. Is there anyway
  to get this to work properly, like it used to?! Hotfix? Sacrifice a small animal? Free third-party tools that would work if nothing else? Would a MOM server be able to notify me? (been considering setting up one of those and SCCM to mess with)

  Thanks guys for chiming in. The only way Microsoft will know this is a big deal (you would think they would, but apparently not), is for people to complain. I found this out myself when I was trying to set up event triggered tasks to email on low disk space
  and RAID failure, only to find no events are created on RAID failures!
  I have setup a SCOM 2007 R2 server in my testing environment. It registers and alerts me for low disk space just fine, but the availability monitor is not tripped when I break a RAID volume. I have tried offlining a disk, which results in failed redundancy,
  and also shutting down the VM and removing a drive, and neither seems to trip an alert. Do I have to do something to get it to monitor correctly?

• What event id identifies what user installed windows patches? win 2008 r2.

  what security event id identifies what user who logged on and installed windows patches? this is for a 2008 r2 domain controller.
  User used big fix to install windows security updates.
  dsk

   
  Hi,
  As far as I know, there is no such event log that records who installed a security update. The Windows Update client records all transaction
  information to the following log file: %windir%\Windowsupdate.log. For more information, please refer to:
  How to read the Windowsupdate.log file
  http://support.microsoft.com/kb/902093/en-us
  Regards,
  Bruce

• Local user account is trying to autenticating against domain controller

  Hi all.  I am seeing a weird user logon issue on one of my laptop and on another user's PC.  Both of the laptop and the PC is a member of our domain.  However, on this particular laptop and PC, we are not login with a domain user account,
  rather we've created a local user account, grant it the local admin access, and login with this local user account.  Now, on my domain controller, I am seeing a bunch of account login failure message, which happens few times per minute and filling up
  the domain controller security log.  For the laptop, this is a clean build, with fresh Windows 7 installation, alone with MS Office 2010 and few third party application (eg: Adobe Reader, 7-ZIP, etc).  I've checked all group policy to ensure there
  are no service or connection that requires domain credential access that have applied to this laptop (or the PC).  I am not sure why this local user is trying to authenticating to our domain controller.  This user account doesn't exist in our domain. 
  The only thing I can think of is Microsoft Outlook 2010 might doing back ground authentication against the domain controller by using the current login user account, I just can't confirm this.  Did anyone encountered this issue in their environment? 
  Thank you.
  Below is a copy of the event.
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          13/06/2014 8:56:27 AM
  Event ID:      4625
  Task Category: Logon
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      domaincontroller.mydomain.local
  Description:
  An account failed to log on.
  Subject:
      Security ID:        NULL SID
      Account Name:        -
      Account Domain:        -
      Logon ID:        0x0
  Logon Type:            3
  Account For Which Logon Failed:
      Security ID:        NULL SID
      Account Name:        dummy
      Account Domain:        l-sparet400sc
  Failure Information:
      Failure Reason:        Unknown user name or bad password.
      Status:            0xc000006d
      Sub Status:        0xc0000064
  Process Information:
      Caller Process ID:    0x0
      Caller Process Name:    -
  Network Information:
      Workstation Name:    L-SPARET400SC
      Source Network Address:    192.168.2.181
      Source Port:        60720
  Detailed Authentication Information:
      Logon Process:        NtLmSsp
      Authentication Package:    NTLM
      Transited Services:    -
      Package Name (NTLM only):    -
      Key Length:        0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4625</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12544</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2014-06-13T12:56:27.263546000Z" />
      <EventRecordID>299829083</EventRecordID>
      <Correlation />
      <Execution ProcessID="488" ThreadID="640" />
      <Channel>Security</Channel>
      <Computer>domaincontroller.mydomain.local</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-0-0</Data>
      <Data Name="SubjectUserName">-</Data>
      <Data Name="SubjectDomainName">-</Data>
      <Data Name="SubjectLogonId">0x0</Data>
      <Data Name="TargetUserSid">S-1-0-0</Data>
      <Data Name="TargetUserName">dummy</Data>
      <Data Name="TargetDomainName">l-sparet400sc</Data>
      <Data Name="Status">0xc000006d</Data>
      <Data Name="FailureReason">%%2313</Data>
      <Data Name="SubStatus">0xc0000064</Data>
      <Data Name="LogonType">3</Data>
      <Data Name="LogonProcessName">NtLmSsp </Data>
      <Data Name="AuthenticationPackageName">NTLM</Data>
      <Data Name="WorkstationName">L-SPARET400SC</Data>
      <Data Name="TransmittedServices">-</Data>
      <Data Name="LmPackageName">-</Data>
      <Data Name="KeyLength">0</Data>
      <Data Name="ProcessId">0x0</Data>
      <Data Name="ProcessName">-</Data>
      <Data Name="IpAddress">192.168.2.181</Data>
      <Data Name="IpPort">60720</Data>
    </EventData>
  </Event>

  its the service which is using the account info and authenticating against the DC to obtain service ticket and fails
  Interesting log section is NULL SID which doesn't corresponds to any account name.
  Security ID:        NULL SID
      Account Name:        -
      Account Domain:        -
      Logon ID:        0x0
  and the below section explains , the request is made over network, which is most of the times by the service
  Detailed Authentication Information:
      Logon Process:        NtLmSsp
      Authentication Package:    NTLM
      Transited Services:    -
      Package Name (NTLM only):    -
      Key Length:        0
  The below is assumed to be performed on a client which does not run mission critical production applications which has zero impact when you perform the below actions,
  can you disable
  a) Server service
  b) Workstation service
  c) Disable RPC dependent service and services which depend on RPC and test
  Question:
  What is the level of DC hardening you have in your environment ?

• Unable to log onto domain controller with user account

  Hi,
  I am able to log onto my DC as domain admin. I cannot log on as myself. I do not see what I am missing in the GPO to make this happen? I am part of a server admin group and would like the server admin group to be able to log on to the domain controller to
  maintain the server. 
  Any suggestions?
  Wave~Chaser

  Log on to this DC and run rsop.msc and check the following policies:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
  Add your self to Allow log on locally
  (in default domain controller policy - as I mentioned above) and make sure your user account not belong to any group that have Deny log on locally.
  Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

• Is it possible to restrict a local admin from accessing/viewing AD accounts on a Domain Controller?

  I am working on determining if I can have a separate administrator group handle patching and performing maintenance on four servers that are DCs of their own AD domain, but restrict these administrators from the ability to see the active directory user
  accounts in that AD domain?

  Hello,
  Since you are talking about domain controllers I have to say there are no Power Users group in them. Actually the local user management will be disabled as soon as you promote a server to a domain controller. The only option which is left here is to grant
  Administrators handle the job. In case of RODC you can go through what Albert suggested.
  However since domain controllers are sensitive and plays a key role in your environment I strongly recommend not to allow non administrators to perform maintanance or other related tasks (At least for domain controllers). 
  Another option you have left for your patch management is to use a member server like WSUS to automatically install updates on your DCs.
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Hyper-V Guest Cannot Find Host Domain Controller 2012 R2

  Poweredge T320 server as a Domain Controller,  file server and an EXCHANGE 2010 server. There are no other servers at the site. 
  DHCP is from the firewall.   The DC and the file server will be on the host. 
  The 2010 EXCHANGE server will be on the guest.  The Hyper-V 
  2012 R2 server cannot see the Domain Controller on the host 2012 R2 server. 
  The Active Directory is requesting to be promoted to a Domain Controller.  
  I have a logical or physical error in the installation. 
  It is asking to promote the  Hyper-V guest 2012 R2 to a Domain Controller. 
  I believe I should have only one  Domain Controller in this application.  
  After the Hyper-V guest can see the host domain controller I will install EXCHANGE 2010.
  This is a test environment, offsite.
  NIC1 – Host IP:192.168.1.130, 255.255.255.0, Gateway:192.168.1.1, DNS:127.0.0.1
  NIC2- Only Hyper-V switch checked
  Virtual Switch: 192.168.1.140, 255.255.255.0, Gateway: Blank, DNS: Was 127.0.0.1 didn’t work so I pointed it to the host, 192.168.1.130, but that didn’t work either.
  Host adapter: IP:192.168.1.150, 255.255.255.0, 192.168.1.1, DNS Pointing to HOST:162.168.1.130
  Active Directory and DNS installed on the guest.
  Removed IPv6 from both NICs without any change.
  IPAM is not installed on the host or the guest.
  Several articles in Internet search didn’t help.
  Thanks for your help.

  Hi Steve,
  I suggest referring to the following links:
  REMOTEFX, WINDOWS SERVER & HYPER-V SERVER
  http://blogs.technet.com/b/puneetvig/archive/2011/04/21/remotefx-windows-server-amp-hyper-v-server.aspx
  RemoteFX (with Hyper-V) is a serious business tool. For games.
  http://blogs.technet.com/b/tristank/archive/2012/02/17/remotefx-with-hyper-v-is-a-serious-business-tool-for-games.aspx
  Best Regards,
  Vincent Wu
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Security Events Shows A New User Account Setup By Accessing my Network with a Profile

  Can you tell me, please, if this is the result of a hack?
  Mine is the 1st ID and Name. 
  Subject:
  Security ID: GATEWAY\Angela
  Account Name: Angela
  Account Domain: GATEWAY
  Logon ID: 0x2CBED
  Additional Information:
  Caller Workstation: GATEWAY
  Target Account Name: Administrator
  Target Account Domain: GATEWAY"
  Audit Success 2/5/2014 12:49:45 AM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  Subject:
  Security ID: SYSTEM
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
  Logon ID: 0x3E7
  Privileges: SeAssignPrimaryTokenPrivilege
  SeTcbPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeDebugPrivilege
  SeAuditPrivilege
  SeSystemEnvironmentPrivilege
  SeImpersonatePrivilege"
  Audit Success 2/5/2014 12:49:45 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  Subject:
  Security ID: SYSTEM
  Account Name: GATEWAY$
  Account Domain: WORKGROUP
  Logon ID: 0x3E7
  Logon Type: 5
  Impersonation Level: Impersonation
  New Logon:
  Security ID: SYSTEM
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
  Logon ID: 0x3E7
  Logon GUID: {00000000-0000-0000-0000-000000000000}
  Process Information:
  Process ID: 0x250
  Process Name: C:\Windows\System32\services.exe
  Network Information:
  Workstation Name:
  Source Network Address: -
  Source Port: -
  Detailed Authentication Information:
  Logon Process: Advapi  
  Authentication Package: Negotiate
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  I also suddenly have a 'switch user' on my windows logon screen, have files appearing and disappearing, see someone logging in with a temp profile, then a manual
  profile, then an automatic profile (created from the profile examples given), logons between midnight and 2am, User Profiles Service 3, 4, 1, 5, 67, 5 and 2 over a 5 minute period at 1:10am on 2/3, etc.
  I need to load my husbands PC (I reloaded mine and the problem continued, and need to know how to protect him from this, if necessary.
  How do I proceed?

  Hi,
  Gnerally speaking, the events you list above just sytem service or application need to use system resource, then Event Viewer would record their activity. You can use Filter(filter event ID, such as 4624) to check, you will find plenty of events like new
  account logon.
  About your another question, you can access to User Managment to check your sytem current user, if there is any other new user has been created.
  Win+X, choose Computer Managment, Local Users and Groups
  Roger Lu
  TechNet Community Support

• Windows Active Session logon state security event viewer

  Hi Team,
  i have question.
  i already enable audit logging policy from GPO, especially logon logoff audit.
  at server event viewer show (security/audit success) display log off and log on event id. 4634 for logoff and 4624 for logon
  my question are :
  1. Why event viewer always show computer name at account name information? event viewer 4624 logon
  can i get the user name info from this event id 4624 logon
  2. At event id 4634 logoff, security id and account name info always show computer name account
  can i get user name too?
  3.  what if the active user log on user never log off ( I mean user only disconnect from RDP session ).
  can i get info from security event viewer whose user that being active remote to server?
  Thanks
  Regards :)

  There should be both a computer and a user authentication since both so log onto the domain.
  Even though a user may never log off of a machine they still need to establisj a session with other machines for services.  After the intial logon the Kerberos TGT session ticket may be good for the next week (7 days by default) the logs should
  still show all newly established sessions.  You may need to review all DC's within the site of the user not just one DC, since any DC within the site could be providing the service.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Group MSA account fail when Domain Controller in Test Domain Fails to start KdsSvc. Event ID 7023

  Yesterday, in my test domain, I created the KDS root key using the Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10))
  command on a DC that is not the PDC Emulator because it was the server I was on at the time.  Today, when I tried to create gMSA accounts on the PDC emulator, I get:
  Event ID 7023 The Microsoft Key Distribution Service terminated with the following error: An Exception occurred in the service when handling the control request
  I turned on logging on to the KdsSvc and get 2 other errors:
  KdsSvc Event ID 4001: Group Key Distribution Service failed to start. Status 0x80070020
  KdsSvc Event ID 4007: Group Key Distribution Service cannot connect to the domain controller on local host.  Status 0x80070020.  Group Key Distribution Service cannot be started because of the error.  Please contact the administrator to resolve
  the issue.
  I took the opportunity to clean up AD, the Schema, and DNS, but the kds errors continues.  I am replicating successfully, DNS changes are reflected immediately, and when I run the get-KDSRootKey on the failing server, the key is returned.  The
  Get-KdsConfiguration matches the KDS config on the DC that originally ran to create the key.
  I have a pretty strict GPO pushed to my DCs but I am still able to create gMSAs on the other server.  I checked ADS&S and found the msKds-ProvRootKey so I know it is at the domain level, but there is so little documentation on the KdsSvc that I
  am not sure if it is working as planned.  I have tried unassigning several GPO configuration items but I am throwing darts at this point.  I have also uninstalled McAfee AV; IDS/IPS; Firewall.
  With that said, I have questions:
  Will gMSAs still work even though the domain pdc emulator cannot start the service?
  Is the KdsSvc supposed to start only on the server Add-KDSRootKey was originally created?
  What happens if the server the KdsSvc key was created fails and has to be removed from the domain?
  Is there any books or configuration items I can review to learn the KdsSvc better?
  Env:
  Windows Standard Server 2012 R2 x64
  Active Directory 2012 R2 Schema Updated from Windows 2008 R2
  All FSMO roles are on the PDC Emulator which is a Windows 2012 R2 DC
  DCDiag returns no errors or test failures
  Repadmin returns clean results (/showreps & /replsum)
  Windows 2008 R2 Root CA hierarchy (not DCs)
  W32tm services are running with less than 6/10's of a ms difference among the domain.

  Hi,
  For Windows Server 2012, the Windows PowerShell cmdlets default to managing the group Managed Service Accounts instead of the original standalone Managed
  Service Accounts.
  New-ADServiceAccount -name <ServiceAccountName> -DNSHostName <fqdn> -PrincipalsAllowedToRetrieveManagedPassword <group>
  -ServicePrincipalNames <SPN1,SPN2,…>
  Did you use the command abouve?
  Here is a good bolg:
  Windows Server 2012: Group Managed Service Accounts
  http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
  Hope this helps.

• Account locked out events are not getting in active directory security event logs

  Account locked out events are not getting in active directory security event logs for some users. I can see that the user is locked and when i tried to find out the event in sec log at DC but couldnt able to find. It is only happening for some users.
  not for the all users.

  In addition.
  Check the ADDS Audit.
  Active Directory Services Audit - Document references
  Regards~Biswajit
  Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
  MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
  MY BLOG
  Domain Controllers inventory-Quest Powershell
  Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
  Generate a Report for installed Hotfix for Bulk Servers

• My calendar will no longer let me add new event or delete them, it comes up with an error saying "cannot save event, no end date set" or "event does not belong to that event store". can anyone help with this?

  my calendar will no longer let me add new event or delete them, it comes up with an error saying "cannot save event, no end date set" or "event does not belong to that event store". can anyone help with this?

  Hi,
  To configure your ODBC DataSource, go to Control Panel ---> DataSources(ODBC) (If you are in a Windows environment).
  Select the tab System DSN. If you have not added your data source, then do so by clicking on the Add button. If you have added the datasource, click on the Configure button to configure it.
  Give the datasource name, then the database name.
  You have to give the hostname, service name and server name. I guess, in most cases, the datasource name and host name will be the same, service name and server name will be the same. If you are using TCP/IP, the protocol will be onsoctcp.
  There will be a file named Services under C:\WINNT\system32\drivers\etc where you have to give the port number for accessing this server.
  It will be like this <service name> <portnumber>/tcp
  Hope this helps...
  best wishes,
  Nish