Failed Security Audits 4625 HMWorker Exchange 2013

Failed Security Audits 4625 HMWorker Exchange 2013

One of the first problems I encountered after Installing Exchange 2013 on Windows Server 2012 ( and R2 ) was that my security log grew to 200k events in just a few days. Event ID 4625 Unknown user name or bad password coming from your Healthmailox usually under the name of HealthMailbox4d14f344f…@domainname. The process producing it was “C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe”. The problem itself is a bit masked. On the client side you can barely notice any problems but your Event Viewer is a different story. The problem indicates problems with your Health mailboxes even without upgrading or migrating. It happens with new installs too. So searching the web I found the solutions which at this point are very limited for such new technologies as Windows Server 2012 R2 and Exchange 2013.

I found the solution of re-creating your Health monitoring mailboxes to be working well for me. Here is how :

Open Exchange Management Shell as Administrator and type :

Get-Mailbox -monitoring | Get-MailboxStatistics


As you can see the ItemCount is large. We will be removing these mailboxes but we don’t have the full names displayed here. So we will run the same command put “| fl” it.

Get-Mailbox -monitoring | Get-MailboxStatistics | fl


Remove-Mailbox -Identity HealthMailbox4d14f344f6294c1fb8d3f45bf436452a and confirm Y.


Do this for the rest of the health monitoring mailboxes. Take their Identities from the “Get-Mailbox -monitoring | Get-MailboxStatistics | fl” command.

After your are done deleting them you will have to re-run the PrepareAD cmd from the Exchange setup.

Navigate your Exchange Shell to the bin directory of Exchange installation:

cd “Program Files\Microsoft\Exchange Server\V15\bin”

Once there type

setup.exe /preparead /iacceptexchangeserverlicenseterms

Wait for the setup to finish and restart the Exchange Health Manager service.

net stop msexchangehm

net start msexchangehm


This should re-create your health mailboxes. Run the Get-Mailbox -monitoring | Get-MailboxStatistics to double check.




6114 Total Views 16 Views Today

4 thoughts on “Failed Security Audits 4625 HMWorker Exchange 2013

  1. Thanks for sharing your solution. No more audit failures Event ID 4625 after applying your fix. Note that ‘Get-Mailbox -monitoring | Get-Mailbox Statistics’ didn’t work. Changed it into ‘Get-Mailbox -monitoring | Get-MailboxStatistics’. Also you have to wait for a couple of minutes in order to have the healthmailboxes to be created. My clean Exchange 2013 showed three healthmailboxes and after applying the fix there are two.

  2. Right direction but 100% correct, you can skip PrepareAD.
    This is article is shows the right way:

    To recreate the health mailboxes you just need to delete the mailbox user in your active directory (default location: Exchange System Objects/Monitoring Mailboxes) and after that you restart the hm service (restart-service MSExchangeHM) and the health mailboxes will be recreated automatically.

  3. Just an FYI. If you delete the health mailboxes, or remove them from AD, restart the MSExchangeHM service on ALL Exchange servers in the organizations or you will get 4625 security event log entries on those servers were the service was not restarted.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.