Why does my account keep getting locked? What does the log Event 4648 mean?
I have this problem and I just can't seem to find the source. My AD account keeps getting locked. Using LockoutStatus and looking at the netlogon log, I figured out which PC it is. I know which process is locking me: spoolsv.exe. Spoolsv.exe is running as SYSTEM, not as me, but I get this log entry.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 3/28/2014 9:45:01 AM
Event ID: 4648
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: computer.MYDOMAIN.NET
Description:
A logon was attempted using explicit credentials.
Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x79F5
  Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
  Account Name:
  Account Domain:
  Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
  Target Server Name: FILESERVER.MYDOMAIN.NET
  Additional Information: FILESERVER.MYDOMAIN.NET
Process Information:
  Process ID: 0x544
  Process Name: C:\Windows\System32\spoolsv.exe
Network Information:
  Network Address: -
  Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event Xml:
<Event xmlns="">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4648</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-03-28T13:45:01.502850800Z" />
    <EventRecordID>308669</EventRecordID>
    <Correlation />
    <Execution ProcessID="784" ThreadID="5280" />
    <Channel>Security</Channel>
    <Computer>computer.MYDOMAIN.NET</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x79f5</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TargetUserName"></Data>
    <Data Name="TargetDomainName"> </Data>
    <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TargetServerName">FILESERVER.MYDOMAIN.NET</Data>
    <Data Name="TargetInfo">FILESERVER.MYDOMAIN.NET</Data>
    <Data Name="ProcessId">0x544</Data>
    <Data Name="ProcessName">C:\Windows\System32\spoolsv.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

I have no idea at all how to fix this. Thanks for any help you can give me.
2 Answers

This is commonly from cached credentials used to access a network resource (as noted in comments).
You can remove the authenticated credentials from:
Control Panel\All Control Panel Items\User Accounts
Click the username. To the left you will see "Manage your credentials". From that, select the share/resource name and remove it.
You will need to find any and all systems that use the credentials.
Try

psexec -i -s -d cmd
cmdkey /list

This shows whether the SYSTEM account has any credentials stored; remove them with cmdkey /delete:target, e.g.

cmdkey /delete:192.168.1.2
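As an added example (not code from either answer), this PowerShell snippet does the "which process, which server" part of the question's investigation on the workstation the netlogon log pointed at: it pulls the last 24 hours of Event 4648 and groups them by the fields the question shows (ProcessName, TargetServerName, TargetUserName). It assumes local administrator rights to read the Security log; the 24-hour window and the blank-user label are my choices.

```powershell
# Added example, not part of the original question or answers.
# Summarise Event 4648 (logon with explicit credentials) for the last 24h by the
# process that supplied the credentials, the server it authenticated to, and the
# account name recorded, so a SYSTEM process such as spoolsv.exe hitting a file
# server over and over stands out. Needs an elevated prompt to read Security.
$xpath  = "*[System[EventID=4648 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    # Flatten the <Data Name="..."> elements into a hashtable keyed by Name.
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # In the question's event TargetUserName is empty; label that explicitly
    # instead of letting it collapse into an empty group name.
    $targetUser = '(blank)'
    if ($d['TargetUserName'] -and $d['TargetUserName'].Trim()) {
        $targetUser = $d['TargetUserName'].Trim()
    }

    [pscustomobject]@{
        Time         = $e.TimeCreated
        Process      = $d['ProcessName']
        TargetServer = $d['TargetServerName']
        TargetUser   = $targetUser
    }
}

$rows |
    Group-Object Process, TargetServer, TargetUser |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Process';      e = { $_.Group[0].Process } },
        @{ n = 'TargetServer'; e = { $_.Group[0].TargetServer } },
        @{ n = 'TargetUser';   e = { $_.Group[0].TargetUser } } |
    Format-Table -AutoSize

# When the top row is a service running as SYSTEM (spoolsv.exe in the question),
# the stale credential is in SYSTEM's credential store, not the logged-on user's,
# which is why the second answer runs cmdkey under psexec -s.
```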