Event ID 8003 — NTLM server blocked in the domain audit: Audit NTLM authentication in this domain.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: AuditingNTLM

Description

NTLM server blocked in the domain audit: Audit NTLM authentication in this domain.

Message

NTLM server blocked in the domain audit: Audit NTLM authentication in this domain
User: %1
Domain: %2
Workstation: %3
PID: %4
Process: %5
Logon type: %6
InProc: %7
Mechanism: %8

Audit NTLM authentication requests within this domain that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to Deny for domain servers or Deny domain accounts to domain servers.

If you want to allow NTLM authentication requests in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain to use NTLM authentication.

Fields

Name          Description
UserName      UnicodeString
DomainName    UnicodeString
Workstation   UnicodeString
CallerPID     UInt32
ProcessName   UnicodeString
LogonType     UInt32 (Logon type reference)
InProc        Boolean
MechanismOID  UnicodeString
User          UnicodeString
Domain        UnicodeString
PID           UInt32
Process       UnicodeString
Logon_type    UInt32 (Logon type reference)
Mechanism     UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-NTLM",
    "guid": "AC43300D-5FCC-4800-8E99-1BD3F85F0320",
    "event_source_name": "",
    "event_id": 8003,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T00:55:20.842728+00:00",
    "event_record_id": 957,
    "correlation": {
      "ActivityID": "4F958266-269A-4D65-B9BD-F5FA499B7442"
    },
    "execution": {
      "process_id": 764,
      "thread_id": 3132
    },
    "channel": "Microsoft-Windows-NTLM/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UserName": "domainuser",
    "DomainName": "LUDUS",
    "Workstation": "(NULL)",
    "CallerPID": 764,
    "ProcessName": "C:\\Windows\\System32\\lsass.exe",
    "LogonType": 3,
    "InProc": true,
    "MechanismOID": "(NULL)"
  },
  "message": ""
}
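
An added example, not part of the original page: a Python sketch that tallies 8003 events, in the JSON shape shown above, per computer that logged them, so the audit data can inform which servers would need an entry under "Add server exceptions in this domain" before a Deny setting is applied. It accepts either field-name set from the Fields table and treats the literal "(NULL)" as empty; the sample events and the names FILE01.example.test, svc-backup and WS-07 are constructed.

```python
from collections import Counter, defaultdict

# Both field-name sets from the Fields table, mapped to one canonical name.
ALIASES = {
    "User": "UserName", "Domain": "DomainName", "PID": "CallerPID",
    "Process": "ProcessName", "Logon_type": "LogonType", "Mechanism": "MechanismOID",
}

def normalize(event):
    """Return a flat record for one 8003 event, or None for any other event."""
    system = event.get("system", {})
    if system.get("provider") != "Microsoft-Windows-NTLM" or system.get("event_id") != 8003:
        return None
    record = {"Server": system.get("computer"), "Time": system.get("time_created")}
    for key, value in event.get("event_data", {}).items():
        # The sample event uses the string "(NULL)" for empty fields.
        record[ALIASES.get(key, key)] = None if value == "(NULL)" else value
    return record

def summarize(events):
    """Count audited NTLM logons per logging computer by (domain, user, workstation)."""
    per_server = defaultdict(Counter)
    for event in events:
        rec = normalize(event)
        if rec is None:
            continue
        who = (rec.get("DomainName"), rec.get("UserName"), rec.get("Workstation"))
        per_server[rec["Server"]][who] += 1
    return per_server

def _ev(event_id, computer, **data):
    """Build a constructed sample event in the page's JSON shape (trimmed)."""
    return {"system": {"provider": "Microsoft-Windows-NTLM", "event_id": event_id,
                       "computer": computer, "time_created": "2026-03-09T00:55:20+00:00"},
            "event_data": data}

# Constructed sample input; only the first entry mirrors the page's example event.
SAMPLE = [
    _ev(8003, "LAB-WIN11.ludus.domain", UserName="domainuser", DomainName="LUDUS", Workstation="(NULL)", LogonType=3),
    _ev(8003, "LAB-WIN11.ludus.domain", User="domainuser", Domain="LUDUS", Workstation="(NULL)", Logon_type=3),
    _ev(8003, "FILE01.example.test", UserName="svc-backup", DomainName="LUDUS", Workstation="WS-07", LogonType=3),
    _ev(8001, "LAB-WIN11.ludus.domain", UserName="domainuser"),  # not 8003, ignored
]

if __name__ == "__main__":
    for server, counts in summarize(SAMPLE).items():
        for (domain, user, workstation), n in counts.most_common():
            print(f"{server}: {domain}\\{user} from {workstation or 'unknown'} x{n}")
```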

Community Notes

Appearing prior to 4624/4776 may indicate unsuccessful coercion probes.