Active Directory User Logon Reports
A list of Active Directory User Logon Reports included in the Entralyzer application.
Reports are located at Audit > Active Directory > User Logon Reports.
| Event ID | Report Name | Description |
|---|---|---|
| 4624 | All Logons | Successful account logon |
| 4625 | All Logons | Failed account logon attempt |
| 4648 | All Logons | A logon was attempted using explicit credentials |
| 4624 | Successful Logons | Successful account logon |
| 4625 | Failed Logons | Failed account logon attempt |
| 4624 | Domain Controller Logons | Successful account logon |
| 4625 | Domain Controller Logons | Failed account logon attempt |
| 4648 | Domain Controller Logons | A logon was attempted using explicit credentials |
| 4624 | Service Account Logons | Successful account logon (Type 4 and 5) |
| 4625 | Service Account Logons | Failed account logons (Type 4 and 5) |
| 4634 | User Logoff | An account was logged off |
| 4647 | User Logoff | A user initiated a logoff |
| 4624 | Daily Logon Summary | Daily summary of successful logons |
| 4625 | Daily Logon Summary | Daily summary of failed logons |
| 4624 | Monthly Logon Summary | Monthly summary of successful logons |
| 4625 | Monthly Logon Summary | Monthly summary of failed logons |
| 4648 | Logon using explicit credentials | A logon was attempted using explicit credentials |

4625: An account failed to log on

Failure codes and reasons:
| Sub Status Code | Failure Reason |
|---|---|
| 0xC0000064 | User name does not exist |
| 0xC000006A | Bad password |
| 0xC0000234 | User is currently locked out |
| 0xC0000072 | Account is currently disabled |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000193 | User logon with expired account |
| 0xC0000071 | Expired password |
| 0xC0000133 | Clocks between DC and other computer too far out of sync |
| 0xC0000224 | User is required to change password at next logon |
| 0xC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |

4624: An account was successfully logged on

List of logon types. This is important information because it tells you how the user logged on:
| Logon Type | Logon Description |
|---|---|
| System (0) | Used only by the System account, for example at system startup. |
| Interactive (2) | Log on directly to a computer |
| Network (3) | Accessing a network resource such as a shared folder |
| Batch (4) | Scheduled task or batch job |
| Service (5) | Service or process logon |
| Unlock (7) | This workstation was unlocked |
| NetworkCleartext (8) | Network logon with cleartext credentials |
| NewCredentials (9) | A caller cloned its current token and specified new credentials for outbound connections |
| RemoteInteractive (10) | Remote Desktop logon |
| CachedInteractive (11) | Logon with cached credentials |
| CachedRemoteInteractive (12) | Same as RemoteInteractive. This type is used for internal auditing. |
| CachedUnlock (13) | Workstation logon |