This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 78%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello!
Windows Server 2016\2019, Active Directory
I see in some 4624 events wrong WorkstationName (my DC's name). For example:
In event 4624 when I login in server1 i see
{ "text": "DC-01", "Name": "WorkstationName" },
..................................
{ "text": "C:\Windows\System32\lsass.exe", "Name": "ProcessName" },
{ "text": "192.168.1.50", "Name": "IpAddress" },
In most events 4624 field WorkstationName is correct. Why this field is wrong in some events?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
We are checking in to see if the provided information was helpful. If the reply is helpful, we would appreciate you to accept it as answer.
Please let us know if you would like further assistance. Thanks.
Best Regards,
Hannah Xiong
Hello,
I am checking how the issue is going, if you still have any questions, please feel free to contact us.
Thank you so much for your time and support.
Best regards,
Hannah Xiong
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I'd check that domain health is 100% also check the domain controller event logs for related errors.
--please don't forget to Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
In most events 4624 field WorkstationName is correct. Why this field is wrong in some events?
I invite you to read this this article talking about the definition of each information provided on this event 4624 , it can explain this behavior : event-4624
Workstation Name is the machine name to which logon attempt was performed. (it's the domain controller DC-01 in your case )
Source Network Address is the IP address of machine from which logon attempt was performed. ( The server in your case)
Please Don't forget to mark this reply asn answer if it help you to fix your issue
But I have events where WorkstationName empty or contains real PC's name.
You mean if domain authentication are used, WorkstationName always DC?
It's strange. We have "Computer" field in a "System" block to information where this event were created.
"System": {
"Provider": {
"Name": "Microsoft-Windows-Security-Auditing",
............................
"Channel": "Security",
"Computer": "DC-01.main.contoso.com",
Hello,
Thank you so much for posting here.
Did we check the event 4624 on Domain Controllers?
Event ID 4624 (viewed in Windows Event Viewer) documents every successful attempt at logging on to a local computer. This event is generated on the computer that was accessed, in other words, where the logon session was created.
This Network Information section identifies WHERE the user was when he logged on. Of course if logon is initiated from the same computer this information will either be blank or reflect the same local computers.
Workstation Name: the computer name of the computer where the user is physically present in most cases unless this logon was intitiated by a server application acting on behalf of the user. Workstation may also not be filled in for some Kerberos logons since the Kerberos protocol doesn't really care about the computer account in the case of user logons and therefore lacks any field for carrying workstation name in the ticket request message.
Source Network Address: the IP address of the computer where the user is physically present in most cases unless this logon was intitiated by a server application acting on behalf of the user. If this logon is initiated locally the IP address will sometimes be 127.0.0.1 instead of the local computer's actual IP address. This field is also blank sometimes because Microsoft says "Not every code path in Windows Server 2003 is instrumented for IP address, so it's not always filled out."
Reference: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.