Forum Member
      
Randy, I am seeing a ton of 4674 events related to a user's admin account as below. Any ideas?

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
    <EventID>4674</EventID>
    <Version>0</Version>
    <Level>Information</Level>
    <Task>Sensitive Privilege Use</Task>
    <Opcode>Info</Opcode>
    <Keywords>Audit Success</Keywords>
    <TimeCreated SystemTime='2010-07-01T00:00:03.765568100Z'/>
    <EventRecordID>429068634</EventRecordID>
    <Correlation/>
    <Execution ProcessID='892' ThreadID='948'/>
    <Channel>Security</Channel>
    <Computer>computer.xxx.com</Computer>
    <Security/>
  </System>
  <EventData>
An operation was attempted on a privileged object.

Subject:
    Security ID: DOMAIN\admin-xxxxx
    Account Name: admin-xxxxx
    Account Domain: DOMAIN
    Logon ID: 0x1027f0c975

Object:
    Object Server: SC Manager
    Object Type: SC_MANAGER OBJECT
    Object Name: ServicesActive
    Object Handle: 0xfffffa600d374b18

Process Information:
    Process ID: 0x370
    Process Name: C:\Windows\System32\services.exe

Requested Operation:
    Desired Access: DELETE
                    READ_CONTROL
                    WRITE_DAC
                    Connect to service controller
                    Create a new service
                    Enumerate services
                    Lock service database for exclusive access
                    Query service database lock state
                    Set last-known-good state of service database
    Privileges: SeTakeOwnershipPrivilege
  </EventData>
</Event>
Expert
      
As indicated in my encyclopedia, these events are of limited value. The specific example you supplied indicates the account in question was doing something with Services on the computer. Maybe starting, stopping or installing a new service.
Forum Newbie
      
I have a network consisting of Windows Server 2012, 2 DCs, and approximately 65 Dell OptiPlex 7040MT workstations with Windows 10 Enterprise with military Secure Host Baseline (SHB). All users constantly get the taskbar pop-up: "Windows needs your current credentials. Please lock then unlock using your most recent password or smart card." My admin account also gets it constantly. It makes no difference whether I or any other user locks and unlocks or whether you just ignore it. When it occurs, the event log gives the 4674 Event ID. Is there any way of getting rid of this ridiculously annoying pop-up? Already tried checking the account options checkbox for "Do not require Kerberos preauthentication" and it has made no difference. In addition, when users' passwords expire and they create a new password, they get an error of "The encryption type requested is not supported by the KDC." Are these two somehow related?
Supreme Being
      
This event does not really tell you much. It seems like an issue with the secure configurations. Are there any other events at the time this issue is seen that may help?
Forum Newbie
      
Does the message say "Audit Failure"? There are a lot of privileged permissions that get used during normal business. If accounts do not have these privileges then I would expect that Windows would try to elevate so that whatever task it's trying to do can be completed. I would look at the event and determine what privilege it is trying to use and see if that user has it. These are not the normal things you think of as permissions (system, local admin). I believe the right term is "user rights". https://technet.microsoft.com/en-us/library/dn221963(v=ws.11).aspx
Requested Operation:
Desired Access: 0
Privileges: SeShutdownPrivilege
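The triage suggested in the last reply (check whether the event is an Audit Failure and which privilege it names), as an added example that is not part of the thread: it tallies 4674 events by outcome, account, object server and privilege so that routine noise stands apart from failures. It assumes events exported as XML in the rendered form posted at the top of the thread; the sample events, account names and the function names `parse_4674` and `summarize` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Section headers and field labels of the rendered 4674 message, as in the thread.
MARKERS = ("Subject|Security ID|Account Name|Account Domain|Logon ID|Object|Object Server|"
           "Object Type|Object Name|Object Handle|Process Information|Process ID|"
           "Process Name|Requested Operation|Desired Access|Privileges")
_MARK = re.compile(r"\b(%s):" % MARKERS)

def parse_4674(xml_text):
    """Return outcome, account, object server, process and privileges of one event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4674":
        return None  # not a Sensitive Privilege Use event
    msg = root.findtext("e:EventData", default="", namespaces=NS)
    hits = list(_MARK.finditer(msg))
    fields = {}
    # A value runs from its label to the next marker, so flattened text still parses.
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(msg)
        fields[cur.group(1)] = " ".join(msg[cur.end():end].split())
    return {"outcome": root.findtext("e:System/e:Keywords", namespaces=NS),
            "account": fields.get("Account Name"),
            "server": fields.get("Object Server"),
            "process": fields.get("Process Name"),
            "privileges": tuple(fields.get("Privileges", "").split())}

def summarize(events_xml):
    """Count 4674 events per (outcome, account, object server, privilege)."""
    counts = Counter()
    for ev in filter(None, map(parse_4674, events_xml)):
        for priv in ev["privileges"] or ("-",):
            counts[(ev["outcome"], ev["account"], ev["server"], priv)] += 1
    return counts

def _sample(eid, kw, acct, srv, priv):
    # Constructed sample event in the rendered form posted in the thread (not a real log).
    return (f"<Event xmlns='{NS['e']}'><System>"
            f"<EventID>{eid}</EventID><Keywords>{kw}</Keywords></System><EventData>An operation "
            f"was attempted on a privileged object. Subject: Security ID: EXAMPLE\\{acct} "
            f"Account Name: {acct} Account Domain: EXAMPLE Logon ID: 0x1 Object: Object Server: "
            f"{srv} Object Type: - Object Name: - Object Handle: 0x0 Process Information: "
            "Process ID: 0x370 Process Name: C:\\Windows\\System32\\services.exe Requested "
            f"Operation: Desired Access: 0 Privileges: {priv}</EventData></Event>")

SAMPLES = ([_sample(4674, "Audit Success", "admin-a", "SC Manager", "SeTakeOwnershipPrivilege")] * 3
           + [_sample(4674, "Audit Failure", "user-b", "Security", "SeShutdownPrivilege"),
              _sample(4624, "Audit Success", "user-b", "Security", "-")])
```

Calling `summarize(SAMPLES).most_common()` lists the busiest combinations first; rows whose outcome is "Audit Failure" are the ones to check against the account's user rights.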