Purpose:
PDQ Deploy and PDQ Inventory successfully scans\deploys to computers, but it creates failed logon events ID 4625.
Resolution:
This is by design from Microsoft when a connection is made in either of these two scenarios:
- From a domain-joined computer to a workstation-only computer
- From a computer in one domain, to a computer in another domain
This happens outside of PDQ when using SMB to transfer files from the PDQ Server to the Workgroup computer or to a computer in another domain.
If the computer where the connection is being initiated on is a part of a domain, it will first attempt to authenticate at the computer level and fails since the computer you are connecting to is not on the domain, then it authenticates at the user level using the account you have specified.
Every time you do an SMB file transfer it will attempt to reauthenticate at the computer level, thus generating the event ID 4625 multiple times.
To prevent this behavior, either both the PDQ Server and computers need to be on the same domain, or they both need to be in a Workgroup.
