Issued a map server credential to login command (action_id CMLG) (24073) how to monitor with email alert

bob · 06-01-2025, 10:03 PM

Man, that event ID 24073 pops up when the system hands out a map server credential for a login command. It's labeled as action_id CMLG. You see this in the Event Viewer under security or system logs. It means the server just issued some kind of access token for mapping drives or logging in remotely. Think of it like the server saying yeah, you can connect here with these creds. Happens during user sessions or admin tasks. If it logs too often, might point to weird login attempts or config issues. I check it when troubleshooting network shares. You pull up Event Viewer, filter by ID 24073, and scan the details. The description spells out the user, the command, and the timestamp. Keeps things traceable for audits. And if you're worried about security slips, monitoring this catches credential handoffs early.

But hey, to set up alerts for this, you don't need fancy stuff. Just use the Event Viewer screen itself. Right-click the log where it shows, pick Attach Task To This Event. You build a scheduled task right there. Set it to trigger on event ID 24073. Then, in the action tab, choose send an email. You plug in your SMTP server details, the to and from addresses. Make sure it runs under an account with email perms. Test it by forcing the event if you can. That way, every time it fires, you get a ping in your inbox. Super straightforward for keeping tabs without constant watching.

Or, if you want something hands-off, the automatic email solution sits at the end here. It'll handle the monitoring smoother.

Now, shifting to backups since events like this tie into server health, I've been digging BackupChain Windows Server Backup lately. It's a solid Windows Server backup tool that also tackles virtual machines with Hyper-V. You get fast incremental backups, easy restores without downtime, and it encrypts everything tight. Saves you headaches from data loss during those credential glitches or crashes.

Note, the PowerShell email alert code was moved to this post.