Microsoft-Windows-Security-Netlogon

31 events across 2 channels

Event ID	Title	Channel
4004	Domain Controller Blocked: NTLM authentication to this domain controller is …	Operational
4005	Domain Controller Blocked: NTLM authentication to this domain controller is …	Operational
4006	Domain Controller Blocked: NTLM authentication to this domain controller is …	Operational
4030		Operational
4030	The DC %1 processed a network NTLM authentication involving an account from this …	Operational
4031		Operational
4031	The DC %1 processed a network NTLM authentication involving an account from this …	Operational
4032		Operational
4032	The DC %1 processed a forwarded NTLM authentication request originating from …	Operational
4033		Operational
4033	The DC %1 processed a forwarded NTLM authentication request originating from …	Operational
8004	Domain Controller Blocked Audit: Audit NTLM authentication to this domain …	Operational
8005	Domain Controller Blocked Audit: Audit NTLM authentication to this domain …	Operational
8006	Domain Controller Blocked Audit: Audit NTLM authentication to this domain …	Operational
9000	Netlogon failed to retrieve the password for account %1 in domain %2.	Operational
9001	The account %1 cannot be used as managed service account on the local machine …	Operational
9002	Netlogon failed to add %1 as a managed service account to this local machine.	Operational
9003	Netlogon failed to remove the managed service account %1 from this local …	Operational
9004	A total of %1 DC locator queries were rejected since the last reported event …	Operational
9005	Secure channel setup has failed with Kerberos.	Operational
9006	Secure channel setup has failed.	Operational
9007	Netlogon is currently configured to allow mailslot messages to be used when …	Operational
9008	Netlogon is currently configured to listen for mailslot messages sent by clients …	Operational
9009	Netlogon was unable to find the domain name '.	Operational
9010	Netlogon discovered a DC using the Netbios protocol.	Operational
9011	Netlogon successfully downloaded the latest administrator-configured domain name …	Operational
9012	Netlogon failed to download the latest administrator-configured domain name …	Operational
9013	Netlogon successfully downloaded the latest trusted-domain-based domain name …	Operational
9014	Netlogon failed to download the latest trusted-domain-based domain name …	Operational
9015	Netlogon denied an RPC call.	Operational
9016	Netlogon allowed an RPC call that normally would have been denied.	Operational

Event ID 4004 — Domain Controller Blocked: NTLM authentication to this domain controller is blocked.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Domain Controller Blocked: NTLM authentication to this domain controller is blocked.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

NTLM authentication within the domain %3 is blocked.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests only to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain as an exception to use NTLM authentication.

Fields

Name	Description
`Secure_Channel_name`	—
`User_name`	—
`Domain_name`	—
`Workstation_name`	—
`Secure_Channel_type`	—
`SChannelName`	—
`UserName`	—
`DomainName`	—
`WorkstationName`	—
`SChannelType`	—

Event ID 4005 — Domain Controller Blocked: NTLM authentication to this domain controller is blocked.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Domain Controller Blocked: NTLM authentication to this domain controller is blocked.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

NTLM authentication within the domain %3 is blocked.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests only to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain as an exception to use NTLM authentication.

Fields

Name	Description
`Secure_Channel_name`	—
`User_name`	—
`Domain_name`	—
`Workstation_name`	—
`Secure_Channel_type`	—
`SChannelName`	—
`UserName`	—
`DomainName`	—
`WorkstationName`	—
`SChannelType`	—

Event ID 4006 — Domain Controller Blocked: NTLM authentication to this domain controller is blocked.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Domain Controller Blocked: NTLM authentication to this domain controller is blocked.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

NTLM authentication within the domain %3 is blocked.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests only to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain as an exception to use NTLM authentication.

Fields

Name	Description
`Secure_Channel_name`	—
`User_name`	—
`Domain_name`	—
`Workstation_name`	—
`Secure_Channel_type`	—
`SChannelName`	—
`UserName`	—
`DomainName`	—
`WorkstationName`	—
`SChannelType`	—

Event ID 4030 —

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Fields

Name	Description
`DCName`	—
`AccountName`	—
`AccountDomain`	—
`AccountMachine`	—
`ServerName`	—
`ServerDomain`	—
`ForwarderType`	—
`ForwarderName`	—
`ForwarderDomain`	—
`ForwarderIP`	—
`NtlmVersion`	—
`ServiceBinding`	—
`TargetMachine`	—
`TargetDomain`	—
`MicStatus`	—
`AvFlags`	—
`AvFlagsStr`	—
`Status`	—
`StatusMsg`	—

Event ID 4030 — The DC %1 processed a network NTLM authentication involving an account from this domain.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

The DC %1 processed a network NTLM authentication involving an account from this domain.

Client Information:
	Client Name: %2
	Client Domain: %3
	Client Machine: %4

Server Information:
	Server Name: %5
	Server Domain: %6

Forwarded From:
	Secure Channel Type: %7
	Farside Name: %8
	Farside Domain: %9
	Farside IP: %10

NTLM Security:
	NTLM Version: %11
	Service Binding: %12
	Target Machine: %13
	Target Domain: %14
	Mic Status: %15
	Flags values: %16
	Flags: %17

Status: %18

For more information, see aka.ms/ntlmlogandblock

Fields

Name	Description
`DCName`	—
`AccountName`	—
`AccountDomain`	—
`AccountMachine`	—
`ServerName`	—
`ServerDomain`	—
`ForwarderType`	—
`ForwarderName`	—
`ForwarderDomain`	—
`ForwarderIP`	—
`NtlmVersion`	—
`ServiceBinding`	—
`TargetMachine`	—
`TargetDomain`	—
`MicStatus`	—
`AvFlags`	—
`AvFlagsStr`	—
`Status`	—
`StatusMsg`	—

Event ID 4031 —

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Fields

Name	Description
`DCName`	—
`AccountName`	—
`AccountDomain`	—
`AccountMachine`	—
`ServerName`	—
`ServerDomain`	—
`ForwarderType`	—
`ForwarderName`	—
`ForwarderDomain`	—
`ForwarderIP`	—
`NtlmVersion`	—
`ServiceBinding`	—
`TargetMachine`	—
`TargetDomain`	—
`MicStatus`	—
`AvFlags`	—
`AvFlagsStr`	—
`Status`	—
`StatusMsg`	—

Event ID 4031 — The DC %1 processed a network NTLM authentication involving an account from this domain.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

The DC %1 processed a network NTLM authentication involving an account from this domain.

Client Information:
	Client Name: %2
	Client Domain: %3
	Client Machine: %4

Server Information:
	Server Name: %5
	Server Domain: %6

Forwarded From:
	Secure Channel Type: %7
	Farside Name: %8
	Farside Domain: %9
	Farside IP: %10

NTLM Security:
	NTLM Version: %11
	Service Binding: %12
	Target Machine: %13
	Target Domain: %14
	Mic Status: %15
	Flags values: %16
	Flags: %17

Status: %18

For more information, see aka.ms/ntlmlogandblock

Fields

Name	Description
`DCName`	—
`AccountName`	—
`AccountDomain`	—
`AccountMachine`	—
`ServerName`	—
`ServerDomain`	—
`ForwarderType`	—
`ForwarderName`	—
`ForwarderDomain`	—
`ForwarderIP`	—
`NtlmVersion`	—
`ServiceBinding`	—
`TargetMachine`	—
`TargetDomain`	—
`MicStatus`	—
`AvFlags`	—
`AvFlagsStr`	—
`Status`	—
`StatusMsg`	—

Event ID 4032 —

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Fields

Name	Description
`DCName`	—
`AccountName`	—
`AccountDomain`	—
`AccountMachine`	—
`ServerName`	—
`ServerDomain`	—
`ServerIP`	—
`ServerOS`	—
`NtlmVersion`	—
`ServiceBinding`	—
`TargetMachine`	—
`TargetDomain`	—
`MicStatus`	—
`AvFlags`	—
`AvFlagsStr`	—
`Status`	—
`StatusMsg`	—

Event ID 4032 — The DC %1 processed a forwarded NTLM authentication request originating from this domain.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

The DC %1 processed a forwarded NTLM authentication request originating from this domain.

Client Information:
	Client Name: %2
	Client Domain: %3
	Client Machine: %4

Server Information:
	Server Name: %5
	Server Domain: %6
	Server IP: %7
	Server OS: %8

NTLM Security:
	NTLM Version: %9
	Service Binding: %10
	Target Machine: %11
	Target Domain: %12
	Mic Status: %13
	Flags values: %14
	Flags: %15

Status: %16
Status Message: %17

For more information, see aka.ms/ntlmlogandblock

Fields

Name	Description
`DCName`	—
`AccountName`	—
`AccountDomain`	—
`AccountMachine`	—
`ServerName`	—
`ServerDomain`	—
`ServerIP`	—
`ServerOS`	—
`NtlmVersion`	—
`ServiceBinding`	—
`TargetMachine`	—
`TargetDomain`	—
`MicStatus`	—
`AvFlags`	—
`AvFlagsStr`	—
`Status`	—
`StatusMsg`	—

Event ID 4033 —

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Fields

Name	Description
`DCName`	—
`AccountName`	—
`AccountDomain`	—
`AccountMachine`	—
`ServerName`	—
`ServerDomain`	—
`ServerIP`	—
`ServerOS`	—
`NtlmVersion`	—
`ServiceBinding`	—
`TargetMachine`	—
`TargetDomain`	—
`MicStatus`	—
`AvFlags`	—
`AvFlagsStr`	—
`Status`	—
`StatusMsg`	—

Event ID 4033 — The DC %1 processed a forwarded NTLM authentication request originating from this domain.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

The DC %1 processed a forwarded NTLM authentication request originating from this domain.

Client Information:
	Client Name: %2
	Client Domain: %3
	Client Machine: %4

Server Information:
	Server Name: %5
	Server Domain: %6
	Server IP: %7
	Server OS: %8

NTLM Security:
	NTLM Version: %9
	Service Binding: %10
	Target Machine: %11
	Target Domain: %12
	Mic Status: %13
	Flags values: %14
	Flags: %15

Status: %16
Status Message: %17

For more information, see aka.ms/ntlmlogandblock

Fields

Name	Description
`DCName`	—
`AccountName`	—
`AccountDomain`	—
`AccountMachine`	—
`ServerName`	—
`ServerDomain`	—
`ServerIP`	—
`ServerOS`	—
`NtlmVersion`	—
`ServiceBinding`	—
`TargetMachine`	—
`TargetDomain`	—
`MicStatus`	—
`AvFlags`	—
`AvFlagsStr`	—
`Status`	—
`StatusMsg`	—

Event ID 8004 — Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

Audit NTLM authentication requests within the domain %3 that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain %3 to which clients are allowed to use NTLM authentication.

Fields

Name	Description
`Secure_Channel_name`	—
`User_name`	—
`Domain_name`	—
`Workstation_name`	—
`Secure_Channel_type`	—
`SChannelName`	—
`UserName`	—
`DomainName`	—
`WorkstationName`	—
`SChannelType`	—

Event ID 8005 — Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

Audit NTLM authentication requests within the domain %3 that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain %3 to which clients are allowed to use NTLM authentication.

Fields

Name	Description
`Secure_Channel_name`	—
`User_name`	—
`Domain_name`	—
`Workstation_name`	—
`Secure_Channel_type`	—
`SChannelName`	—
`UserName`	—
`DomainName`	—
`WorkstationName`	—
`SChannelType`	—

Event ID 8006 — Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: %1
User name: %2
Domain name: %3
Workstation name: %4
Secure Channel type: %5

Audit NTLM authentication requests within the domain %3 that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain %3, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain %3 to which clients are allowed to use NTLM authentication.

Fields

Name	Description
`Secure_Channel_name`	—
`User_name`	—
`Domain_name`	—
`Workstation_name`	—
`Secure_Channel_type`	—
`SChannelName`	—
`UserName`	—
`DomainName`	—
`WorkstationName`	—
`SChannelType`	—

Event ID 9000 — Netlogon failed to retrieve the password for account %1 in domain %2.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon failed to retrieve the password for account %1 in domain %2. %3

Fields

Name	Description
`AccountName`	—
`AccountDomain`	—
`Status`	—

Event ID 9001 — The account %1 cannot be used as managed service account on the local machine because not all the supported encryption types of the account are sup...

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

The account %1 cannot be used as managed service account on the local machine because not all the supported encryption types of the account are supported by the local machine.

Fields

Name	Description
`Account`	—

Event ID 9002 — Netlogon failed to add %1 as a managed service account to this local machine.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon failed to add %1 as a managed service account to this local machine. %2

Fields

Name	Description
`Account`	—
`Status`	—

Event ID 9003 — Netlogon failed to remove the managed service account %1 from this local machine.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon failed to remove the managed service account %1 from this local machine. %2

Fields

Name	Description
`Account`	—
`Status`	—

Event ID 9004 — A total of %1 DC locator queries were rejected since the last reported event because they would have exceeded the configured maximum on concurrent ...

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

A total of %1 DC locator queries were rejected since the last reported event because they would have exceeded the configured maximum on concurrent network discovery operations.

Fields

Name	Description
`RequestsRejected`	—

Event ID 9005 — Secure channel setup has failed with Kerberos.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Secure channel setup has failed with Kerberos: %1. Falling back to Netlogon.

Fields

Name	Description
`Status`	—

Event ID 9006 — Secure channel setup has failed.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Secure channel setup has failed : %1. Protocol used: %2.

Fields

Name	Description
`Status`	—
`Protocol`	—

Event ID 9007 — Netlogon is currently configured to allow mailslot messages to be used when locating domain controllers.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon is currently configured to allow mailslot messages to be used when locating domain controllers. This mode is unsecure and will be deprecated and removed in a future release.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Event ID 9008 — Netlogon is currently configured to listen for mailslot messages sent by clients during a domain controller location operation.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon is currently configured to listen for mailslot messages sent by clients during a domain controller location operation. This mode is unsecure and will be deprecated and removed in a future release.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Event ID 9009 — Netlogon was unable to find the domain name '.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon was unable to find the domain name '%1' using any of the known domain name mapping sources. This may cause failures to locate domain controllers in that domain.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Fields

Name	Description
`DomainName`	—

Event ID 9010 — Netlogon discovered a DC using the Netbios protocol.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon discovered a DC using the Netbios protocol. This mode is unsecure and will be deprecated and removed in a future release.

DNS domain name:%1
Netbios domain name:%2

DC:%3


See https://aka.ms/dclocatornetbiosdeprecation for more information.

Fields

Name	Description
`DNSDomainName`	—
`DomainName`	—
`DomainController`	—

Event ID 9011 — Netlogon successfully downloaded the latest administrator-configured domain name mappings.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon successfully downloaded the latest administrator-configured domain name mappings. Run 'nltest.exe /list_dclocmappings' to view the data.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Event ID 9012 — Netlogon failed to download the latest administrator-configured domain name mappings.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon failed to download the latest administrator-configured domain name mappings.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Event ID 9013 — Netlogon successfully downloaded the latest trusted-domain-based domain name mappings.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon successfully downloaded the latest trusted-domain-based domain name mappings. Run 'nltest.exe /list_dclocmappings' to view the data.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Event ID 9014 — Netlogon failed to download the latest trusted-domain-based domain name mappings.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon failed to download the latest trusted-domain-based domain name mappings.

See https://aka.ms/dclocatornetbiosdeprecation for more information.

Event ID 9015 — Netlogon denied an RPC call.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon denied an RPC call. The policy is in enforce mode.

Client Information:
	Method name: %1
	Method opnum: %2
	Client address: %3
	Client identity: %4

For more information, see https://aka.ms/dclocatorrpcpolicy

Fields

Name	Description
`Method_name`	[Client Information] Method name.
`Method_opnum`	[Client Information] Method opnum.
`Client_address`	[Client Information] Client address.
`Client_identity`	[Client Information] Client identity.
`MethodName`	—
`MethodOpnum`	—
`ClientAddress`	—
`ClientSid`	—

Event ID 9016 — Netlogon allowed an RPC call that normally would have been denied.

Provider: Microsoft-Windows-Security-Netlogon
Channel: Operational

Message

Netlogon allowed an RPC call that normally would have been denied. The policy is in audit mode.

Client Information:
	Method name: %1
	Method opnum: %2
	Client address: %3
	Client identity: %4

For more information, see https://aka.ms/dclocatorrpcpolicy

Fields

Name	Description
`Method_name`	[Client Information] Method name.
`Method_opnum`	[Client Information] Method opnum.
`Client_address`	[Client Information] Client address.
`Client_identity`	[Client Information] Client identity.
`MethodName`	—
`MethodOpnum`	—
`ClientAddress`	—
`ClientSid`	—