DocumentationRelease Notes
Documentation

Event IDs

Suggest Edits

This is not a comprehensive list of event IDs. The full list will be available at a later date.

LSASS events

Event nameEvent IDDescription
LSASSSERVICESTARTED1000The authentication service was started.
LSASSSERVICECONFIGURATIONCHANGED1004AD Bridge authentication service provider configuration settings have been reloaded.
SUCCESSFULLOGONCREATESESSION1201Successful logon: Authentication provider lsa-local-provider
Successful logon: Authentication provider lsa-activedirectory-provider
SUCCESSFULLOGONCHECKUSER1203Successful logon: Authentication provider lsa-local-provider
Successful logon: Authentication provider lsa-activedirectory-provider
FAILEDLOGONACCOUNTDISABLED1207Logon Failure: Authentication provider: lsa-activedirectory-provider
FAILEDLOGONPASSWORDEXPIRED1211Logon Failure: Authentication provider: lsa-activedirectory-provider
SUCCESSFULLOGOFF1220User Logoff: Authentication provider lsa-local-provider
User Logoff: Authentication provider lsa-activedirectory-provider
SUCCESSFULINITIATIONOFADSESSION1224An Active Directory user account has initiated an active session
SUCCESSFULTERMINATIONOFADSESSION1225An Active Directory user account has terminated their active session.
SUCCESSFULAUTHENTICATIONSSH1230Successful Logon: Authentication provider: lsa-local-provider
Successful Logon: Authentication provider: lsa-activedirectory-provider
SUCCESSFULAUTHENTICATIONOTHER1249Successful Logon: Authentication provider: lsa-activedirectory-provider
FAILEDAUTHENTICATIONSSH1250Logon Failure: Authentication provider: lsa-activedirectory-provider
Logon Failure: Authentication provider: lsa-local-provider ….
FAILEDAUTHENTICATIONOTHER1269Logon Failure: Authentication provider: lsa-activedirectory-provider
SUCCESSFULUSERACCOUNTPASSWORDCHANGE1300Change Password Attempt: Authentication provider: lsa-activedirectory-provider
FAILEDUSERACCOUNTPASSWORDCHANGE1301Change Password Attempt: Authentication provider: lsa-activedirectory-provider
SUCCESSFULUSERACCOUNTKERBREFRESH1302Refreshed Active Directory user account Kerberos credentials.
Authentication provider: lsa-activedirectory-provider
SUCCESSFULMACHINEACCOUNTPASSWORDUPDATE1320Updated Active Directory machine password.
Authentication provider: lsa-activedirectory-provider
SUCCESSFULMACHINEACCOUNTTGTREFRESH1322Refreshed Active Directory machine account TGT (Ticket Granting Ticket).
Authentication provider: lsa-activedirectory-provider
ADDUSERACCOUNT1400User account created. Authentication provider: lsa-local-provider
SUCCESSFULPROVIDERINITIALIZATION1500AD Bridge authentication service provider initialization succeeded. Authentication provider: lsa-activedirectory-provider
AD Bridge authentication service provider initialization succeeded. Authentication provider: lsa-local-provider
FAILEDPROVIDERINITIALIZATION1501AD Bridge authentication service provider initialization failed. Authentication provider: lsa-activedirectory-provider
REQUIREMEMBERSHIPOFUPDATED1502AD Bridge authentication service provider login restriction settings have been reloaded. Authentication provider: lsa-activedirectory-provider
AUDITINGCONFIGURATIONENABLED1503AD Bridge authentication service provider auditing settings have been updated. Authentication provider: lsa-activedirectory-provider
NETWORKDOMAINONLINE1700Detected domain controller for Active Directory domain. Switching to online mode: Authentication provider: lsa-activedirectory-provider
NETWORKDOMAINOFFLINE1701Detected unreachable global catalog server for Active Directory forest. Switching to offline mode: Authentication provider: lsa-activedirectory-provider
Detected unreachable domain controller for Active Directory domain. Switching to offline mode: Authentication provider: lsa-activedirectory-provider

Domain join events

Event nameEvent IDDescription
SUCCESSFULDOMAINJOIN1000Domain join successful. Domain name Domain name (short)
FAILEDDOMAINJOIN1001Domain leave failed. Reason message:
SUCCESSFULDOMAINLEAVE1002Domain leave successful. Domain name Domain name (short)
FAILEDDOMAINLEAVE1003Domain leave failed. Reason message:

GPAgent events

Event nameEvent IDDescription
GPAGENTSERVICESTARTED1000The AD Bridge group policy service was started.
GPAGENTSERVICECONFIGURATIONCHANGED1004AD Bridge group policy service provider configuration settings have been reloaded.
SUCCESSFULPOLICYUPDATE1100Group Policy update succeeded. Client-Side Extension: AD Bridge - GP Extension CSE library name :

User monitor events

Event nameEvent IDDescription
USERMONITORLOCALUSERGROUPADDED1000Between unknown and , user was added.
USERMONITORADUSERGROUPADDED1002, 1003, 1004Between unknown and , user/group <user/group> was added.

Netlogon events

Event nameEvent IDDescription
NETLOGONSERVICESTARTED1000The Likewise site manager service was started.
NETLOGONSERVICESTOPPED1002The Likewise site manager service was stopped.

Updated 12 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.