Event ID 4822 — NTLM authentication failed because the account was a member of the Protected User group.
Description
NTLM authentication failed because the account was a member of the Protected User group.
Message #
Fields #
| Name | Description |
|---|---|
Account_Name UnicodeString | — |
Device_Name UnicodeString | — |
Error_Code HexInt32 | — |
AccountName UnicodeString | Account Name |
DeviceName UnicodeString | Device Name |
Status HexInt32 | Error Code NTSTATUS reference |
Community Notes #
NTLM authentication was blocked because the account is a member of the Protected Users group. Protected Users cannot authenticate via NTLM.
The Status field is an NTSTATUS code:
| Code | Name | Description |
|---|---|---|
| 0xC000006D | STATUS_LOGON_FAILURE | Generic failure |
| 0xC000006E | STATUS_ACCOUNT_RESTRICTION | Protected User restriction prevented NTLM |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4822