
Why do we see LanGuard Account Login Failures in the Windows Event Logs on Servers with the Agents?

Overview

Domain servers monitored by LanGuard show failed logins (EventID 4625) in the Windows Event logs. The GFI LanGuard server is not part of the monitored domain, and the failed login attempts point to the local account on the GFI LanGuard server, which is not used for communication with Agents. This article provides information on how to address the issue.

 

Information

Microsoft Windows writes the event with EventID 4625 to Windows Event logs when a logon request fails. The event is generated on the computer where access was attempted, and the Logon Type field indicates the kind of logon that was requested. 


When LanGuard is not part of the monitored domain, i.e., in a multi-domain or mixed environment, failed login events of Logon Type 3 (network) are expected for LanGuard operations.

In such environments, you would have alternative credentials configured for the target machines. LanGuard will first attempt to log in with the account running the GFI LanGuard Attendant service or the logged-in user (depending on the operation), and then the alternative credentials specified for the activity will be used. This is described in more detail in our Best Practices for Setting up Account Permissions with Alternative Credentials in LanGuard.

 

If you see EventID 4625 with Logon Type 2 (interactive), this is not the result of LanGuard operations and has to be investigated by your security team.
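One way to separate the two cases described above when triaging a monitored server, as an added example that is not GFI's code. The function name `ConvertTo-FailedLogon`, the host name `LGSERVER01`, and the rule of matching the LanGuard server by `WorkstationName` or `TargetDomainName` are assumptions; the two sample events are constructed.

```powershell
# Classify 4625 events by Logon Type and source (added example, not GFI code).
function ConvertTo-FailedLogon {
    param(
        [Parameter(ValueFromPipeline)][string]$EventXml,
        [Parameter(Mandatory)][string]$LanGuardHost   # assumed: NetBIOS name of the LanGuard server
    )
    process {
        $x = [xml]$EventXml
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Assumption: a LanGuard first attempt shows the LanGuard server as the
        # source workstation or as the domain of the (local) account that failed.
        $fromLanGuard = ($d['WorkstationName'] -eq $LanGuardHost) -or
                        ($d['TargetDomainName'] -eq $LanGuardHost)

        $verdict = switch ($d['LogonType']) {
            '3'     { if ($fromLanGuard) { 'Expected: LanGuard network logon attempt' }
                      else               { 'Review: network logon from another source' } }
            '2'     { 'Investigate: interactive logon, not LanGuard' }
            default { 'Review: other logon type' }
        }

        [pscustomobject]@{
            Time        = $x.Event.System.TimeCreated.SystemTime
            LogonType   = $d['LogonType']
            Account     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            Workstation = $d['WorkstationName']
            IpAddress   = $d['IpAddress']
            Verdict     = $verdict
        }
    }
}

# Constructed sample events (trimmed to the fields used above).
$tpl = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4625</EventID>" +
       "<TimeCreated SystemTime='{0}'/></System><EventData><Data Name='TargetUserName'>{1}</Data>" +
       "<Data Name='TargetDomainName'>{2}</Data><Data Name='LogonType'>{3}</Data>" +
       "<Data Name='WorkstationName'>{4}</Data><Data Name='IpAddress'>{5}</Data></EventData></Event>"
$sample = @(
    ($tpl -f '2024-05-01T02:00:11Z', 'Administrator', 'LGSERVER01', 3, 'LGSERVER01', '192.0.2.10'),
    ($tpl -f '2024-05-01T09:14:52Z', 'jdoe', 'CORP', 2, 'SRV-APP01', '127.0.0.1')
)
$sample | ConvertTo-FailedLogon -LanGuardHost 'LGSERVER01' | Format-Table -AutoSize

# Against the live Security log on a monitored server (requires elevation):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
#     ForEach-Object { $_.ToXml() } | ConvertTo-FailedLogon -LanGuardHost 'LGSERVER01'
```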

  1. Priyanka Bhotika
