Windows logon type 5 failure troubleshooting

16 views
Skip to first unread message

Dave Lum

unread,
Dec 12, 2025, 11:08:18 AM (10 days ago) Dec 12
to ntsys...@googlegroups.com

Recently I set up notices when there’s a failure for a Widows Service logon (logon type 5).   Normally I see these when a service account password has expired or locked out, but I am also seeing them when (I think) a Windows Service on ServerA running under a domain account tries to do something on ServerB that it doesn’t have permissions for.

The entry I get is, basically “Service logon failure on ServerB”, but Server B does not have any services running under a domain account. The calling process with this failure is C:\Windows\System32\svchost.exe which….isn’t helpful.

In my specific case, it’s a gMSA account logon failure, so I know which pool of servers are generating this request but I don’t know how to dig deeper to find out.  The logon failure is infrequent, so doing a Wireshark isn’t practical. The “fix” is probably enabling ServerB to use the gMSA but I don’t want that permission allowed here.

Anyone have an idea on how to chase this one down?

 

Dave Lum (he/him)

Systems Administrator III
P: 503.546.2163
E: lu...@ochin.org
A: 1881 SW Naito Parkway, Portland, OR 97201


Facebook LinkTwitter LinkLinkedin Link www.ochin.org
OCHIN email

 

 

Attention: Information contained in this message and or attachments is intended only for the recipient(s) named above and may contain confidential and or privileged material that is protected under State or Federal law. If you are not the intended recipient, any disclosure, copying, distribution or action taken on it is prohibited. If you believe you have received this email in error, please contact the sender with a copy to compl...@ochin.org, delete this email and destroy all copies.

Michael B. Smith

unread,
Dec 12, 2025, 11:53:08 AM (10 days ago) Dec 12
to ntsys...@googlegroups.com

Probably with enhanced auditing.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/PH0PR17MB4921F22D7560F9F2C581DF5ADDAEA%40PH0PR17MB4921.namprd17.prod.outlook.com.

Dave Lum

unread,
Dec 12, 2025, 5:31:26 PM (9 days ago) Dec 12
to ntsys...@googlegroups.com

Thanks! I’ll see what I can figure out.

 

Dave

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Michael B. Smith
Sent: Friday, December 12, 2025 8:53 AM
To: ntsys...@googlegroups.com

Subject: [ntsysadmin] RE: Windows logon type 5 failure troubleshooting

 

CAUTION: This email originated from outside of OCHIN’s network

Do not click links or open attachments unless you recognize the sender and know the content is safe. If you suspect this email is phishing or a scam, use the report button in the Outlook toolbar to report it to Desktop Support.

 

Reply all
Reply to author
Forward
0 new messages