- Event ID : 4625
- Caller Process Name : dllhost.exe
- Occurred within the same second for all users
It is quite impossible for all users to coincidentally fail to log on at the same time. At first we thought of the possibility of a denial-of-service attack on the servers. After some browsing on the Internet and thinking through what we had done before this incident happened, we suspected that this was due to the Account Management feature accessible from Control Panel.
We ran a simple test to confirm the root cause of this issue:
1. Enable Audit Success and Audit Failure in the Audit Policy under the Local Security Policy settings
2. Open Event Viewer, go to Windows Logs, Security
Filter on Event ID 4625
3. Open User Accounts under Control Panel
4. Click the Manage another account link
This action triggers an Audit Failure in the Event Viewer log for every user account.
5. Go back to Event Viewer and press Refresh
You will notice many Audit Failure entries that occurred at the same time.
This will trigger an account lockout if an Account Lockout Policy is configured.
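
The signature listed at the top (Event ID 4625, caller process dllhost.exe, every account failing in the same second) can be checked for in the Security log. The PowerShell below is an added example, not part of the original post; the function names, the `MinUsers` threshold and the sample records are assumptions constructed for illustration.

```powershell
# Added example. Function names, threshold and sample records are assumptions.
function ConvertFrom-FailedLogon {
    # Reduce a 4625 event record to the three fields the check needs.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            TargetUser  = $data['TargetUserName']
            Process     = $data['ProcessName']    # shown as "Caller Process Name"
        }
    }
}

function Find-FailedLogonBurst {
    # Group failures by second; report seconds where many accounts failed at once.
    param([Parameter(Mandatory)] [object[]] $Failure, [int] $MinUsers = 3)
    $Failure | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss') } | ForEach-Object {
        $users = @($_.Group.TargetUser | Sort-Object -Unique)
        $procs = @($_.Group.Process | ForEach-Object { ($_ -split '\\')[-1] } | Sort-Object -Unique)
        if ($users.Count -ge $MinUsers) {
            [pscustomobject]@{
                Second         = $_.Name
                DistinctUsers  = $users.Count
                CallerProcess  = $procs -join ','
                MatchesPattern = ($procs.Count -eq 1 -and $procs[0] -ieq 'dllhost.exe')
            }
        }
    }
}

# Constructed sample: three accounts fail in one second via dllhost.exe, one unrelated failure.
$t = [datetime]'2020-01-01T10:15:30'
$dll = 'C:\Windows\System32\dllhost.exe'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t;               TargetUser = 'alice'; Process = $dll }
    [pscustomobject]@{ TimeCreated = $t;               TargetUser = 'bob';   Process = $dll }
    [pscustomobject]@{ TimeCreated = $t;               TargetUser = 'carol'; Process = $dll }
    [pscustomobject]@{ TimeCreated = $t.AddMinutes(5); TargetUser = 'dave';  Process = '-' }
)
Find-FailedLogonBurst -Failure $sample

# Against the live Security log (elevated prompt):
# Find-FailedLogonBurst -Failure (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ConvertFrom-FailedLogon)
```

A burst with `MatchesPattern` set to true fits the Control Panel behaviour reproduced in the steps above; bursts with a different caller process need to be investigated separately.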