Tons of Windows 4648 events, ATA gateway connecting to different Windows machines using ATA service account

  • Question

  • Hi,

    I just installed ATA 1.9. I found many Windows 4648 events from the ATA gateway to different Windows machines in the domain using the ATA service account. May I know if this is normal?

    Watch

    ===========

    05/11/2018 10:45:13 AM
    LogName=Security
    SourceName=Microsoft-Windows-Security-Auditing
    EventCode=4648
    Type=Information
    ComputerName=atagateway.abc.com
    RecordNumber=648900
    Message=A logon was attempted using explicit credentials.

    Subject:
    Security ID: S-1-5-19
    Account Name: LOCAL SERVICE
    Account Domain: NT AUTHORITY
    Logon ID: 0x9D2BB3
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Account Whose Credentials Were Used:
    Account Name: ata
    Account Domain: abc.com
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Target Server:
    Target Server Name: pc1.abc.com
    Additional Information: pc1.abc.com

    Process Information:
    Process ID: 0x4
    Process Name:

    Network Information:
    Network Address: -
    Port: -

    This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.


    Friday, May 11, 2018 2:56 AM

Answers

  • Hello,

    I think this is by design.

    According to the following information, ATA should query the endpoints using the directory service user account.

    Best regards,

    Andy Liu


    • Proposed as answer by KHart85Banned Friday, May 11, 2018 10:28 AM
    • Marked as answer by SmartWatch888 Tuesday, May 15, 2018 4:18 AM
    Friday, May 11, 2018 7:35 AM
    Moderator
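
Added example, not part of the thread and not Microsoft's code: since the answer says these 4648 events are by design, a triage script can treat them as expected only when they are logged on the gateway for the ATA account, and flag the same account's credentials being used from any other host. The gateway name and account come from the question's sample event; `ATA_GATEWAYS`, `ATA_ACCOUNT`, the verdict labels and the second sample event are assumptions.

```python
import re

# Assumptions: gateway host and service account as they appear in the
# question's sample event; replace with your own values.
ATA_GATEWAYS = {"atagateway.abc.com"}
ATA_ACCOUNT = ("ata", "abc.com")
SECTIONS = {"Subject", "Account Whose Credentials Were Used", "Target Server",
            "Process Information", "Network Information"}
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*[:=]\s*(.*)$")

def parse_event(text):
    """Parse one text-rendered Security event into {section: {field: value}}.
    Header key=value lines are stored under the empty section name."""
    event, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            event[section] = {}
        elif (m := FIELD_RE.match(line)):
            event[section][m.group(1)] = m.group(2).strip()
    return event

def classify(event):
    """Separate the gateway's expected lookups from other use of the account."""
    header = event[""]
    if header.get("EventCode") != "4648":
        return "not-4648"
    used = event.get("Account Whose Credentials Were Used", {})
    account = (used.get("Account Name", "").lower(),
               used.get("Account Domain", "").lower())
    if account != ATA_ACCOUNT:
        return "other-account"
    host = header.get("ComputerName", "").lower()
    return "expected-ata-lookup" if host in ATA_GATEWAYS else "review"

# Constructed sample input: the first event is trimmed from the question,
# the second is made up (same account, but logged on a non-gateway host).
FROM_GATEWAY = """EventCode=4648
ComputerName=atagateway.abc.com
Account Whose Credentials Were Used:
Account Name: ata
Account Domain: abc.com
Target Server:
Target Server Name: pc1.abc.com
"""
FROM_OTHER_HOST = FROM_GATEWAY.replace("atagateway.abc.com", "pc7.abc.com")

if __name__ == "__main__":
    for sample in (FROM_GATEWAY, FROM_OTHER_HOST):
        print(classify(parse_event(sample)))
```

Events classified as `review` are the ones worth investigating, because the service account's credentials were supplied on a machine that is not a known gateway.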