Windows Event ID 4624 Repeating With Resource Not Available

loggingwindows

We've recently started logging 4624 event IDs on our domain controllers to help track user activity. Overall this has been fine, but recently started getting these messages over and over again.

Feb 20 00:00:54 dc01.domain.com
Microsoft-Windows-Security-Auditing[536]: 2015-02-20 00:00:52
c01.domain.com AUDIT_SUCCESS 4624 [The description for EventID 4624
from source Microsoft-Windows-Security-Auditing cannot be found: The
publisher has been disabled and its resource is not available. This
usually occurs when the publisher is in the process of being
uninstalled or upgraded.

I know our OPs team recently updated the servers but it is still occurring and I haven't found many references to how to stop this. Has anyone else come across these logs? Thanks.

Best Answer

Event 4624 is a notification that an account was successfully logged on.

As for the error message about the publisher being disabled, this is an error Microsoft has provided a fix for here. It's apparently an oops by a Windows Update--the Event Log Readers group has lost a registry permission.

To C&P from the "let me fix it myself" instructions (in case of link rot):

Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press Enter.
Locate and then click the following registry keys:
HKEY_LOCAL_MACHINES\System\CurrentControlSet\services\eventlog\Security\Microsoft-Windows-Security-Auditing
Right click Microsoft-Windows-Security-Auditing in the left pane, and then click Permissions….
Click the Add… button in the permission dialog.
In the Enter the object names to select box, type Event Log Readers, and then click the Check Names button.
Click OK to close all dialog windows.

(They also include standard disclaimers about editing the registry, which I'm passing along here.)

Related Solutions

Windows – Starting RRAS service blocks RDP access to RRAS server on internal interface? (2008 R2)

Well, I'm sure there's some way to get it setup exactly as I wanted, but I reconfigured the server to have both NICs on the 'external' subnet (all of our IPs are public - .edu) and reconfigured RRAS VPN and everything is working fine without any additional static routes, etc.

Windows – How to log in, using SSPI, to SQL Server 2008 R2 on a server in one workgroup from a workstation in another

Eleven years ago, I worked around a similar problem problem by mapping a drive letter on my workstation to the remote machine and providing my credentials on the other machine. For you, that would look something like this (from a CMD or PSH shell):

net use x: \\REMOTEPCNAME\c$ /user:REMOTEPCNAME\john.doe

Clearly, that uses an "admin share" that you might not have access to. That wasn't a problem for me because I was a member of the Administrators group on that box. If you don't have admin access, you might have to get a public share set up (by someone with enough rights) and use that, which I believe may work even though I haven't tried it.

This trick was a pretty common thing to do back then, when domains were rarer and AD was a new-ish thing. Even though it isn't a very common thing to do anymore, I don't recall hearing that Microsoft had dropped or broken this workaround.

I've never seen SPNs used in any situation that did not have a full-blown Active Directory set up. IIRC, SPNs need Kerberos and Kerberos needs a domain. I suspect that the SPN lead is a red herring. Good luck.

Best Answer

Related Solutions

Windows – Starting RRAS service blocks RDP access to RRAS server on internal interface? (2008 R2)

Windows – How to log in, using SSPI, to SQL Server 2008 R2 on a server in one workgroup from a workstation in another

Related Topic