How to detect the root cause of multiple failed logons

Logon Activity
Copy Article URL Copied


Netwrix Auditor for Logon Activity may report a large amount of failed logons from a single workstation or server.


Usually, this happens because the problematic account credentials were saved somewhere on the target machine and became outdated. If a user’s password had been changed but it was not updated in the system or application that had been using it, this systems/application will try to use the stored outdated credentials, therefore generating a large amount of failed logons.


Login to the originating machine and check the following systems for outdated credentials:

  • Windows –°redential Manager – may store outdated credentials.
  • Windows task scheduler – there could be a task configured to run using the problematic account.
  • Application or service – there could be a service that is trying to start or a tool/application that is trying to run using outdated credentials.
  • Terminal Server session – there could be an opened session with outdated credentials.
  • AD Federation Services – replication issues – a new password was not replicated to ADFS.
  • DCOM objects – sometimes a computer requires a restart after changing user password – to apply setting to DCOM objects that are using these credentials.

Enter valid account credentials.

Go Up