Event ID 4625: Server 2016 vs older OS's

Peon

Expert Member
Joined
Sep 28, 2006
Messages
3,666
Fellas,

Could someone please explain to me why MS Server 2016 displays the remote IP or source IP of a failed login attempt but earlier Server versions do not?

With Security Policy you can drop the security level from NTLM to User32, but that is risky. But then you can see the IP address of all login attempts.

I've searched and looked, but to the best of my ability I can't understand what Server 2016 does differently.
 

DMNknight

Expert Member
Joined
Oct 17, 2003
Messages
3,385
I can't tell you authoritatively, but from what I understand:

It's an improvement over previous bad logon attempts, but it's more about why the logon attempt rather than who.
AFAIK, you used to have to troll netlogon.log in verbose mode to get some of the above information.
 

Peon

> I can't tell you authoritatively, but from what I understand:
>
> It's an improvement over previous bad logon attempts, but it's more about why the logon attempt rather than who.
> AFAIK, you used to have to troll netlogon.log in verbose mode to get some of the above information.

I know, you're right. I just wish I could drill down into some specific setting or mechanism. TechNet doesn't provide much of an answer either.
 

DMNknight

> I know, you're right. I just wish I could drill down into some specific setting or mechanism. TechNet doesn't provide much of an answer either.

What is it that you are looking for? I have some experience in drilling down deep into where logs go to die :p
 