If you see this error regularly, it could be related to permissions on shared folders or drives and/or improperly configured user accounts with insufficient access rights. Still, it’s worth checking out because if left unattended, the user may gain access.

What is Event ID 4663?

Event ID 4663 is logged when a particular operation is performed on an object. This event can be viewed in the Security log and has a target of the security log. The Event ID 4663 will be recorded in the security log when a user attempts to perform an operation that requires administrator permissions. The main categories of object types are as follows:

File system objects (for example, files, folders, or printers) Kernel objects (for example, processes and threads) Registry objects (for example, keys and values) System objects (for example, drivers) Objects on removable storage or devices

An attempt was made to access an object could mean:

Object is no longer present on the server – If you are having trouble accessing a file or folder, it means that this file or folder was deleted from the server. The object is present on the server, but its name is not valid – It’s possible that the object may have been deleted or renamed since it was last accessed.  Object is present on the server, but in a different location – This error can occur if you try to access a file or folder that has been moved or renamed.  The object is present on the server, but your account does not have access rights – This error occurs when your user account does not have sufficient read/write privileges for you to do so.

How can I fix Event ID 4663?

First off, ensure you check the following: SPONSORED

Turn on your firewall to ensure unauthorized access is limited. Also, check out what to do if you’re unable to turn on Windows Firewall. Check whether there’s a misconfiguration of the SACL (System Access Control List), which prevents users from accessing objects they should be allowed to.

1. Check and remove Event logs

The Event ID 4663 attempt may be due to an internal or external security breach, and a user account is being used by malicious software to access the system. This account may have been created by malware or by an attacker exploiting a vulnerability in network services.

2. Disable remote access

A Windows server can be accessed remotely if it is running a service. For example, if you want to access your server via Remote Desktop, you need to enable this feature. Disabling remote access should be a temporary security measure until you determine whether the Event ID 4663 is a brute-force attack. That’s all we had for this particular Event ID, but check out what we have in store. For instance, the Event ID 4648, where a logon using credentials was attempted. Share any additional thoughts on this topic in the comment section below.

SPONSORED Name * Email * Commenting as . Not you? Save information for future comments
Comment

Δ