Mail Security for Exchange - Windows Security Event log fills up with many Logon failures Event ID 4625 during a manual or scheduled scan of Exchange.

Article ID: 163121

Products

Mail Security for Microsoft Exchange

Issue/Introduction

When running a manual or scheduled scan of mailbox stores, the Windows Security log fills with logon failures.

In Windows Security Event log an entry similar to the following appears:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          X/XX/20XX XX:XX:XX AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Exchangeservername.example.com
Description:
An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:        Local Exchange Server
    Account Domain:        Exchange Server Domain
    Logon ID:        xxxxx

Logon Type:            3

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:        
    Account Domain:        

Failure Information:
    Failure Reason:        Account currently disabled.
    Status:            0xc000006e
    Sub Status:        0xc0000072

Process Information:
    Caller Process ID:    0x810
    Caller Process Name:    C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:    Exchange Server Name
    Source Network Address:    Exchange Server IP
    Source Port:        

Detailed Authentication Information:
    Logon Process:        Authz   
    Authentication Package:    Kerberos
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0

Cause

When Symantec Mail Security for Microsoft Exchange (SMSMSE) scans the Exchange Databases, SMSMSE impersonates each user to gain access to their mailbox contents. These events are written to the Security event log when SMSMSE attempts to impersonate a user account that is currently disabled to scan the mailbox associated with that disabled user account.

Resolution

These events can be safely ignored; they will not impact functionality of the server. To prevent these events from being written to the Security event log:

  1. Edit the scan in question.
  2. Select "Specific Mailboxes" in the Scan Location dialog window.
  3. Uncheck any mailboxes associated with disabled user accounts and these events will no longer be written.
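
If the scan scope is left unchanged and the events are ignored instead, a log filter should match only this exact pattern so that other logon failures still surface. The following is an added example, not part of the original article or the product: it classifies 4625 events exported as XML using the field values from the sample event above. The function names and the constructed sample events are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Values copied from the sample event in this article; compared case-insensitively.
SCAN_SIGNATURE = {
    "SubjectUserSid": "S-1-5-18",
    "LogonType": "3",
    "SubStatus": "0xc0000072",  # Failure Reason: Account currently disabled
    "LogonProcessName": "Authz",
    "ProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
}

def event_fields(xml_text):
    """Return (event_id, {Data Name: value}) for one event exported as XML."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()  # "Authz" is space-padded
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def is_scan_noise(xml_text):
    """True only when every signature field matches; one mismatch keeps the event."""
    event_id, data = event_fields(xml_text)
    return event_id == "4625" and all(
        data.get(name, "").lower() == want.lower()
        for name, want in SCAN_SIGNATURE.items())

def triage(events):
    """Split events into (scan_noise, needs_review) lists."""
    noise = [e for e in events if is_scan_noise(e)]
    return noise, [e for e in events if not is_scan_noise(e)]

def sample(**overrides):
    """Build a constructed 4625 event; defaults mirror the article's sample."""
    fields = {"SubjectUserSid": "S-1-5-18", "TargetUserSid": "S-1-0-0",
              "Status": "0xc000006e", "SubStatus": "0xc0000072", "LogonType": "3",
              "LogonProcessName": "Authz   ", "AuthenticationPackageName": "Kerberos",
              "ProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe"}
    fields.update(overrides)
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

if __name__ == "__main__":
    # Constructed wrong-password failure: must stay in the review list.
    wrong_pw = sample(SubjectUserSid="S-1-0-0", Status="0xc000006d",
                      SubStatus="0xc000006a", LogonProcessName="NtLmSsp", ProcessName="-")
    noise, review = triage([sample(), wrong_pw])
    print(len(noise), "scan noise;", len(review), "for review")
```

Matching on the sub status alone would also hide disabled-account logon attempts coming from other callers, which is why the filter requires the caller process and logon process to match as well.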