ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event ID 6272InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 6272Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 6272 represents a successful network access grant by Microsoft Network Policy Server, which serves as a RADIUS server in Windows Server environments. When a client device attempts to connect to a network resource protected by 802.1X authentication, VPN access, or wireless security, the authentication request flows through NPS for policy evaluation and access control decisions.

The event contains comprehensive details about the authentication session, including the requesting client's identity, authentication method used (such as EAP-TLS, PEAP, or MS-CHAP), network access server information, and the specific network policy that authorized the connection. This information proves invaluable for security auditing, compliance reporting, and troubleshooting network access issues.

NPS evaluates incoming RADIUS Access-Request messages against configured connection request policies and network policies. When both authentication and authorization succeed, NPS sends a RADIUS Access-Accept message to the network access server and logs Event ID 6272 to document the successful access grant. The event includes session identifiers, IP addresses, and policy details that administrators can correlate with other network events for comprehensive access tracking.

In modern enterprise environments running Windows Server 2025 and updated NPS implementations, this event supports enhanced logging capabilities and integration with cloud-based identity services, providing richer context for network access decisions and improved visibility into authentication patterns across hybrid infrastructure deployments.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025
Analysis

Possible Causes

  • Successful user authentication through 802.1X wireless or wired network access
  • VPN client successfully connecting through NPS-protected remote access
  • Network device authentication completing RADIUS authorization process
  • DirectAccess client establishing connection through NPS policy validation
  • Web application proxy authentication succeeding through NPS backend
  • Network access server forwarding successful authentication to NPS for logging
  • Certificate-based authentication completing through EAP-TLS or PEAP protocols
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the complete event details to understand the authentication context and client information.

  1. Open Event Viewer on your NPS server or domain controller
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 6272 using the filter option
  4. Double-click on a recent Event ID 6272 entry to view full details
  5. Review the following key fields in the event description:
    • User Name: Identity of the authenticated user or device
    • Client Machine: Source device requesting access
    • Authentication Type: Method used (EAP-TLS, PEAP, etc.)
    • Network Policy Name: Applied policy that granted access
    • NAS IP Address: Network access server handling the request
  6. Note the timestamp and session identifier for correlation with other events
Pro tip: Export these events to CSV for analysis when investigating access patterns or compliance reporting requirements.
02

Query Events with PowerShell for Analysis

Use PowerShell to extract and analyze Event ID 6272 entries for detailed network access reporting.

  1. Open PowerShell as Administrator on your NPS server
  2. Run this command to retrieve recent NPS access grants:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6272} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
  1. For more detailed analysis, extract specific properties:
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6272} -MaxEvents 100
$Events | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    $Properties = $EventXML.Event.EventData.Data
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        UserName = ($Properties | Where-Object {$_.Name -eq 'SubjectUserName'}).InnerText
        ClientMachine = ($Properties | Where-Object {$_.Name -eq 'CallingStationId'}).InnerText
        NASIPAddress = ($Properties | Where-Object {$_.Name -eq 'NASIPAddress'}).InnerText
        AuthenticationType = ($Properties | Where-Object {$_.Name -eq 'AuthenticationType'}).InnerText
    }
} | Export-Csv -Path "C:\Temp\NPS_Access_Grants.csv" -NoTypeInformation
  1. Review the exported CSV file for access patterns and policy compliance
Pro tip: Schedule this PowerShell script to run daily for automated network access reporting and compliance documentation.
03

Correlate with Network Policy Configuration

Verify that the network policies referenced in Event ID 6272 align with your intended access control configuration.

  1. Open Network Policy Server management console
  2. Navigate to PoliciesNetwork Policies
  3. Locate the policy name mentioned in the Event ID 6272 details
  4. Right-click the policy and select Properties
  5. Review the following policy settings:
    • Conditions: Verify user groups, device types, and time restrictions
    • Constraints: Check authentication methods and session limits
    • Settings: Confirm VLAN assignments and bandwidth restrictions
  6. Cross-reference the policy settings with the user/device information from the event
  7. Use PowerShell to export current network policy configuration:
Import-Module NetworkPolicy
Get-NpsNetworkPolicy | Select-Object PolicyName, ProcessingOrder, PolicySource, Enabled | Format-Table -AutoSize
  1. Document any discrepancies between intended policy behavior and actual access grants
Warning: Ensure that overly permissive network policies are not granting unintended access to sensitive network segments.
04

Monitor Authentication Methods and Security Posture

Analyze the authentication methods captured in Event ID 6272 to ensure strong security practices are being enforced.

  1. Create a PowerShell script to analyze authentication method distribution:
$StartDate = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6272; StartTime=$StartDate}

$AuthMethods = @{}
$Events | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    $AuthType = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'AuthenticationType'}).InnerText
    if ($AuthMethods.ContainsKey($AuthType)) {
        $AuthMethods[$AuthType]++
    } else {
        $AuthMethods[$AuthType] = 1
    }
}

Write-Host "Authentication Method Distribution (Last 7 Days):"
$AuthMethods.GetEnumerator() | Sort-Object Value -Descending | Format-Table Name, Value
  1. Review the output to identify weak authentication methods
  2. Check for certificate-based authentication usage:
$CertAuthEvents = $Events | Where-Object {
    $EventXML = [xml]$_.ToXml()
    $AuthType = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'AuthenticationType'}).InnerText
    $AuthType -like "*TLS*" -or $AuthType -like "*Certificate*"
}

Write-Host "Certificate-based authentications: $($CertAuthEvents.Count) out of $($Events.Count) total"
Write-Host "Certificate adoption rate: $(($CertAuthEvents.Count / $Events.Count * 100).ToString('F2'))%"
  1. Generate a security posture report based on authentication strength
  2. Review NPS server certificate configuration in HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Pro tip: Implement certificate-based authentication (EAP-TLS) wherever possible to eliminate password-based attack vectors in network access scenarios.
05

Implement Advanced Monitoring and Alerting

Set up comprehensive monitoring for Event ID 6272 to detect unusual access patterns and potential security issues.

  1. Create a scheduled task to monitor for suspicious access patterns:
# Create monitoring script: C:\Scripts\NPSMonitoring.ps1
$StartTime = (Get-Date).AddHours(-1)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6272; StartTime=$StartTime}

# Check for unusual access patterns
$ClientCounts = @{}
$Events | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    $Client = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'CallingStationId'}).InnerText
    if ($ClientCounts.ContainsKey($Client)) {
        $ClientCounts[$Client]++
    } else {
        $ClientCounts[$Client] = 1
    }
}

# Alert on clients with excessive authentication attempts
$SuspiciousClients = $ClientCounts.GetEnumerator() | Where-Object {$_.Value -gt 10}
if ($SuspiciousClients) {
    $AlertMessage = "Suspicious NPS activity detected. Clients with >10 authentications in last hour: $($SuspiciousClients.Name -join ', ')"
    Write-EventLog -LogName Application -Source "NPS Monitor" -EventId 1001 -EntryType Warning -Message $AlertMessage
}
  1. Register the custom event source for monitoring alerts:
New-EventLog -LogName Application -Source "NPS Monitor"
  1. Create a scheduled task to run the monitoring script:
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\NPSMonitoring.ps1"
$Trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Days 365) -At (Get-Date)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName "NPS Access Monitor" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"
  1. Configure Windows Event Forwarding to centralize NPS events across multiple servers
  2. Set up custom views in Event Viewer for rapid analysis of access patterns
Warning: Ensure monitoring scripts have appropriate permissions and error handling to prevent service disruption during automated execution.

Overview

Event ID 6272 fires when Microsoft Network Policy Server (NPS) successfully grants network access to a client after completing authentication and authorization processes. This event appears in the Security log on domain controllers and NPS servers running the Network Policy and Access Services role. The event captures critical details about successful RADIUS authentication attempts, including client information, authentication methods, and applied network policies.

This event is essential for network access auditing in enterprise environments using 802.1X authentication, VPN connections, wireless networks, and other RADIUS-based authentication scenarios. System administrators rely on this event to track successful network access grants, validate policy enforcement, and maintain compliance with security requirements. The event provides detailed information about which users or devices gained network access, when the access was granted, and which network policies were applied during the authorization process.

Understanding Event ID 6272 helps administrators monitor network access patterns, troubleshoot authentication issues, and ensure that network access controls are functioning correctly across their infrastructure.

Frequently Asked Questions

What does Event ID 6272 mean and when does it occur?+
Event ID 6272 indicates that Network Policy Server (NPS) has successfully granted network access to a user or device after completing authentication and authorization processes. This event occurs when clients successfully authenticate through RADIUS protocols for network access, including 802.1X wireless connections, VPN access, wired network authentication, and other NPS-protected resources. The event captures details about the authenticated user, client device, authentication method used, and the network policy that authorized the access.
How can I identify which network policy granted access in Event ID 6272?+
The network policy name is included in the Event ID 6272 details within the Security log. Open Event Viewer, navigate to Windows Logs → Security, and double-click on the Event ID 6272 entry. Look for the 'Network Policy Name' field in the event description. You can also extract this information using PowerShell by parsing the event XML data and filtering for the policy name property. Cross-reference this policy name with your NPS configuration in the Network Policy Server management console to verify the policy settings and conditions that allowed the access.
Can Event ID 6272 help me track certificate-based authentication usage?+
Yes, Event ID 6272 includes authentication method details that help track certificate-based authentication adoption. The event captures the authentication type used, such as EAP-TLS for certificate-based authentication or PEAP for password-based methods. You can use PowerShell to analyze these events and generate reports showing the distribution of authentication methods across your network. This information is valuable for security posture assessment and ensuring strong authentication practices are being enforced throughout your infrastructure.
How often should I review Event ID 6272 entries for security monitoring?+
Review Event ID 6272 entries regularly as part of your security monitoring routine. For high-security environments, implement automated daily analysis using PowerShell scripts to identify unusual access patterns, authentication method distribution, and policy compliance. Weekly manual reviews help identify trends and potential security issues. Set up real-time alerting for suspicious patterns, such as excessive authentication attempts from single clients or access grants outside normal business hours. The frequency depends on your organization's risk tolerance and compliance requirements.
What should I do if I see unexpected Event ID 6272 entries in my logs?+
Unexpected Event ID 6272 entries require immediate investigation. First, examine the event details to identify the user, client device, authentication method, and network policy involved. Verify that the access aligns with legitimate business needs and authorized network usage. Check if the client device is managed and compliant with your security policies. Review the network policy configuration to ensure it's not overly permissive. If the access appears unauthorized, investigate potential security breaches, review user account activity, and consider temporarily disabling the involved network policy until the investigation is complete. Document all findings for security incident response procedures.
Documentation

References (2)

1
Microsoft Learn - Network Policy Server OverviewComprehensive documentation covering Network Policy Server configuration, RADIUS authentication, and policy management in Windows Server environments.https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top
2
Microsoft Docs - Security Auditing EventsOfficial reference for Windows security auditing events, including detailed explanations of authentication and authorization event logging.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-6272#nps-authentication#network-security

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Windows security monitoring dashboard displaying authentication package loading events in Event Viewer
Event 5632
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 5632 – LSA: Authentication Package Loaded

Event ID 5632 indicates that an authentication package has been loaded by the Local Security Authority (LSA). This security audit event tracks when authentication providers are initialized during system startup or security subsystem changes.

March 189 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...