Windows AD troubleshooting guide
Windows Event ID 4625 in access troubleshooting
Windows Event ID 4625 records failed logon attempts. In access troubleshooting, it can point to bad credentials, stale cached credentials, NTLM fallback, or application/service account problems.
Common symptoms
- User sees repeated credential prompts.
- Application logs show failed Windows authentication.
- Domain controller records Event ID 4625.
Evidence to collect
- Event ID 4625 details including logon type, account, workstation, source address, status, and substatus.
- Application authentication logs at the same timestamp.
- Recent password change or account lockout context.
Common causes
- Incorrect password or stale cached credentials.
- User recently changed password and old credentials are still being used.
- Application or service is submitting old credentials.
How to fix or triage it
- Correlate Event ID 4625 with user action and source workstation.
- Review status and substatus codes.
- Clear cached credentials where appropriate.
How AccessTrace AI helps
- Detects Event ID 4625 and common Windows status codes.
- Connects failed logon evidence with AD, Kerberos, and authorization context.
- Generates a practical triage summary for support and IAM teams.
Example evidence
Event ID: 4625
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
Authentication Package: NTLM
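The triage steps above (correlate each failure with account and source workstation, then review status and substatus codes) can be scripted over pasted event text. The following Python sketch is an added example, not AccessTrace AI code; the function names and the sample accounts and workstations are constructed, and the code table covers only well-known NTSTATUS values.

```python
import re
from collections import defaultdict

# Well-known NTSTATUS values seen in the Status / Sub Status fields of Event ID 4625.
NTSTATUS = {
    0xC000006D: "logon failure (generic; check Sub Status)",
    0xC000006A: "correct user name, wrong password",
    0xC0000064: "user name does not exist",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC0000071: "password expired",
    0xC0000193: "account expired",
}
# Field labels as they appear in the event text; longest first so "Sub Status" wins over "Status".
LABELS = ("Authentication Package", "Workstation Name", "Failure Reason",
          "Account Name", "Sub Status", "Event ID", "Status")
SPLIT = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):\s*")

def parse_4625(text):
    """Split one pasted event (single-line or multi-line) into {label: value}."""
    parts = SPLIT.split(text)  # [preamble, label, value, label, value, ...]
    return {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}

def reason(row):
    """Decode Sub Status, falling back to Status when Sub Status is absent or 0x0."""
    for field in ("Sub Status", "Status"):
        try:
            code = int(row.get(field, ""), 16)
        except ValueError:
            continue
        if code:
            return NTSTATUS.get(code, f"{code:#010x} not in table")
    return "no status code present"

def triage(events):
    """Group 4625 failures by (account, workstation) and summarize each group."""
    groups = defaultdict(list)
    for row in map(parse_4625, events):
        if row.get("Event ID") == "4625":
            groups[(row.get("Account Name"), row.get("Workstation Name"))].append(row)
    return [{"account": a, "workstation": w, "failures": len(rows),
             "reasons": sorted({reason(r) for r in rows}),
             "ntlm": any(r.get("Authentication Package") == "NTLM" for r in rows)}
            for (a, w), rows in groups.items()]

# Constructed sample evidence (not real log data).
SAMPLE = [
    "Event ID: 4625 Account Name: jdoe Workstation Name: WS-014 Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Authentication Package: NTLM",
    "Event ID: 4625 Account Name: jdoe Workstation Name: WS-014 Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Authentication Package: NTLM",
    "Event ID: 4625 Account Name: svc-report Workstation Name: APP-02 Failure Reason: Account locked out. Status: 0xC0000234 Sub Status: 0x0 Authentication Package: Kerberos",
]
```

Repeated wrong-password failures for one account from a single workstation, as in the first group, are consistent with the stale cached credentials cause listed earlier.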
Turn messy access evidence into a report
Paste sanitized SSO, directory, certificate, or access-policy evidence into AccessTrace AI and generate findings, remediation steps, vendor questions, and ticket-ready language.