Event-o-Pedia EventID 4825 - A user was denied the access to Remote Desktop.

	Event Details
	User Activity->Logons->Failed Logons->Windows 2008->EventID 4825 - A user was denied the access to Remote Desktop.

EventID 4825 - A user was denied the access to Remote Desktop.

Linked Event:

EventID 4825 - A user was denied the access to Remote Desktop.

Sample:

A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.

Subject:
	User Name:	rgong
	Domain:		ITSS
	Logon ID:	0x6BD2593D

Additional Information:
	Client Address:	10.154.12.144
===========================
Description template stored in adtschema.dll:
===========================
A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.

Subject:
	User Name:	%1
	Domain:		%2
	Logon ID:	%3

Additional Information:
	Client Address:	%4

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows Vista (2008) Windows 7 (2008 R2) Windows 8 (2012) Windows 8.1 (2012 R2) Windows 10 (2016)
Category	Logon/Logoff
Source	Microsoft-Windows-Security-Auditing
TaskCategory	Other Logon/Logoff Events
EventId	4825

Field Matching

Field	Description	Stored in	Sample Value
When	At what date and time a user activity originated in the system.	DateTime	10.10.2000 19:00:00
Who	Account or user name under which the activity occured.	Subject: Account Name	rgong
What	The type of activity occurred (e.g. Logon, Password Changed, etc.)	"Access to Remote Desktop denied"	Access to Remote Desktop denied
Where	The name of the workstation/server where the activity was logged.	Computer	DC1
Where From	The name of the workstation/server where the activity was initiated from.	Additional Information: Client Address	10.154.12.144
Severity	Specify the seriousness of the event.	-	High
WhoDomain		Subject: Account Domain	ITSS
WhereDomain		-
Result	Successful or Failed.	"Failed"	Failed
Failure Reason	Failure Reason - Bad user name or password, not enough privileges, etc.	"Access to Remote Desktop denied"	Access to Remote Desktop denied