Good morning!
Recently we were scrutinizing the security logs and have discovered some strange security events logged on our DCs security logs.
The Event ID 4625 with Logon Type 3 relates to failed logon attempts via network.
These logons was on other machines that are SCCM (Config Manager) Clients. The logs does indicate the user logon names as well as the machines it took place. However, I must say that the actual logons was legit, meaning user used the correct login name and even correct password but on SCCM Security Logs it registered a failed login attempt with the Event ID 4625 and Logon Type 3. For info, there are no shared resources mapped to these machines. However, If it was an administrator of SCCM that logon to that machine, no logs will be registered.
Is anyone aware of such behavior in SCCM?
Thank you and best regards.
Ronald