Navigation section

id 4648

About this tag
Event ID 4648 in Windows Event Viewer indicates a logon attempt using explicit credentials, often triggered when a user accesses a network resource with alternate credentials. In this context, a non-domain computer accessing a folder on a file server via a shortcut with Active Directory credentials can generate numerous ID 4648 events. The issue is compounded when the associated user account becomes locked in Active Directory repeatedly. Troubleshooting involves examining the event details for the source process and target server, checking for scheduled tasks or services using stored credentials, and reviewing security logs for related events like 4625. This tag covers discussions about identifying and resolving excessive ID 4648 events and account lockouts.
  1. H

    Windows 10 Lots of ID 4648 in Event Viewer

    Hello, I have a computer that is not a member of a Windows domain and I access a folder on the file server through a shortcut and username defined in Active Directory. When I check the Event Viewer, there are a lot of ID 4648 and the username is locked in Active Directory: I unlock the...
    • hack3rcon
    • Thread
    • active directory authentication credential management domain event log event viewer file server id 4648 network security runas.exe security audits security logs shortcut access troubleshooting
    • Replies: 5
    • Forum: Windows Help and Support
Back
Top