Why is Guest account being used by Win Srv 2008 R2?

    • #44048

      Hi all, I am using Win 2K8 R2 as a development workstation.

      I have been tracking down a security audit logon failure on a particular instance of Windows Server 2008 R2.

      On this one machine only, if I open Devices and Printers, right click on any of the Printers, click Printer Properties, then click the Sharing tab, I get a logon audit failure – printui.exe is trying to logon as Guest. Guest account is disabled which is why the audit failure occurs.

      Also, if I bring up Windows Explorer and click around in folders, I will get a logon security audit failure as well on the Guest account. I tied a task (popup window) to the logon failure event so I could immediately see it happen, and I also temporarily enabled the Guest account and verified the successful logon events were also recorded in these 2 cases.

      I have used SysInternals tools to try and track – if I enable GUEST the logons do not appear in LogonSessions, maybe they occur and complete too fast. I see no shares using GUEST in ShareEnum.

      Why is this happening, why does Devices and printers and Windows Explorer try to logon as Guest? BTW, this happens even if I am logged in as a Domain Admin.

      (BTW – system is AV/spyware free, I run HijackThis, spybot, and at least one other; system is also fully updated).

      As a follow up, I have another Win2K8 R2 box that acts as DC, where this does not happen – it does not use Guest to logon, so it gets no audit failures or audit successes for logging on. As far as I know the systems should be configured pretty much the same other than one being a DC and the other (offending) box just being a non-DC server. I have checked the Local Policy Settings extensively to see if something is different and I don’t see anything.

      So why does this one box insist on logging in as Guest for Windows Explorer and Devices and Printers/Sharing?

      Here is the event log–
      ==========
      Log Name: Security
      Source: Microsoft-Windows-Security-Auditing
      Date: 5/1/2010 7:07:53 AM
      Event ID: 4624
      Task Category: Logon
      Level: Information
      Keywords: Audit Success
      User: N/A
      Computer: WILDCAT.xxxxxxxxxxxxxxxxxxx
      Description:
      An account was successfully logged on.

      Subject:
      Security ID: xxxxxxx\yyyyy
      Account Name: yyyyy
      Account Domain: xxxxxxx
      Logon ID: 0xdc92e

      Logon Type: 3

      New Logon:
      Security ID: WILDCAT\Guest
      Account Name: Guest
      Account Domain: WILDCAT
      Logon ID: 0x229dbd6
      Logon GUID: {00000000-0000-0000-0000-000000000000}

      Process Information:
      Process ID: 0x1420
      Process Name: C:\Windows\System32\printui.exe

      Network Information:
      Workstation Name: WILDCAT
      Source Network Address: –
      Source Port: –

      Detailed Authentication Information:
      Logon Process: Advapi
      Authentication Package: Negotiate
      Transited Services: –
      Package Name (NTLM only): –
      Key Length: 0

      This event is generated when a logon session is created. It is generated on the computer that was accessed.

      The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

      The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

      The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

      The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

      The authentication information fields provide detailed information about this specific logon request.
      – Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
      – Transited services indicate which intermediate services have participated in this logon request.
      – Package name indicates which sub-protocol was used among the NTLM protocols.
      – Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    • #50784

      Open up the local security policy of your machine and navigate to

      Local Policies > Security Options > Network Access: Sharing and security model for local accounts

      If the setting is set to guest only then the network logon will automatically be mapped to the Guest account. Check out this setting and see if it is the culprit. It might be.

      • #50785

        Thanks for the reply! I checked it, it’s set to “Classic – local users authenticate as themselves”.

        If you have any other ideas or hunches please let me know, as I am out of ideas. Thanks for your time!

        • #50786

          @awalt wrote:

          Thanks for the reply! I checked it, it’s set to “Classic – local users authenticate as themselves”.

          If you have any other ideas or hunches please let me know, as I am out of ideas. Thanks for your time!

          Are you joined to a domain? Your logon type is set to 3, which is network logon, which leads me to believe you are joined to a domain. Check your domain security policy and see if it's set to “guest only”.

          • #50787

            Thanks for your help? How do I change/examine this on the Domain Controller? This has changed a lot since I last looked at it on the DC side…

            PS yes I am on a domain…

            • #50788

              On your domain controller…
              Start > Administrative Tools > Group Policy Management

              Expand Forest, then Domains. Click on your domain – wildcat I assume?

              Do you have any linked GPOs? Or just “default domain policy”

              Right-click on default domain policy and click edit.

              Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Sharing and security model for local accounts

              Check the condition of this setting and tell me if it is defined or not; if it is not defined then the default is “Classic”.

              Also, is your user account a member of the Domain Admins group in Active Directory Users and Computers? Please report back with your findings, I hope we can solve this problem for you. Please excuse me I’m not an expert in Windows Server but I’m trying to learn.

              • #50783

                Thanks again for the help!

                FYI Wildcat is the offending 2K8 R2 computer, not the domain name…

                I have a linked GPO, so I made sure the change was in there. It shows up under the domain name, and its link order is #1 above the default domain policy. I assume that is correct?

                The setting you told me about was not defined, I set it to the “Classic” setting.

                My user account is a Domain and Enterprise Admin in Active Directory, as well as an Admin on the offending computer local account.

                I then logged off and logged back on, and the same attempt to logon as Guest occurs.

                Thanks again for helping me look at this!

                • #50782

                  Ok bear with me here lol

                  You are a domain administrator so you should be able to add/remove roles, create new users/groups, OUs in AD, modify GPOs. Answer these questions for me so I can get a better idea of what you can and cannot do.

                  1. Go to C:\Windows. Right-click on folder hit properties. Click on Security tab.

                  List all the accounts you see under Group or user names.

                  Now click Advanced button at bottom. Then Owner. Who is the current owner of the Windows folder?

                  2. Navigate to C:\Windows\explorer.exe. Repeat the same process and tell me who is listed under group or user names and who is current owner.

                  3. Navigate to c:\windows\system32\printui.exe. Repeat same process.

                  Your results should look something like this:

                  1 – C:\WINDOWS

                  CREATOR OWNER
                  SYSTEM
                  Administrators (SEALY1986/Administrators)
                  Users (SEALY1986\Users)
                  TrustedInstaller

                  Current owner: TrustedInstaller

                  2 – C:\Windows\Explorer.exe

                  SYSTEM
                  Administrators (SEALY1986\Administrators)
                  Users (SEALY1986\Users)
                  TrustedInstaller

                  Current owner: TrustedInstaller

                  3 – C:\Windows\system32\printui.exe

                  SYSTEM
                  Administrators (SEALY1986\Administrators)
                  Users (SEALY1986\Users)
                  TrustedInstaller

                  Current owner: TrustedInstaller

                  These are the results of my ACL on my domain controller. I have a HP printer installed and connected via USB to my domain controller computer. I have printer sharing enabled through active directory and I have a laptop with server 2008 r2 as a workstation connected to my domain with domain administrator account and I can navigate through windows explorer and connect to printer without guest. If your list matches mine then at least we can safely say it is not an access control problem or even a permissions issue.

                  The next step I would suggest would be to check the universal group membership caching setting in Active Directory Sites and Services. Navigate to Sites > Default-First-Site-Name (OR a name you put in yourself) Right-click on NTDS Site Settings and choose properties. By default it should be unchecked.

                  If this doesn’t work I would suggest you demote your developer workstation back to a WORKGROUP again. Disconnect it from your domain so the only policy affecting the system is the local policy. We might be able to determine if this is a domain-wide or localized problem. You can always join back to the domain if the problem still persists. Hope one of these solutions fixes it cause I'm running out of ideas lol

                  • #50789

                    Thanks for the suggestions! Here is what I found:

                    The accounts under c:\WINDOWS, explorer.exe and printui.exe all look the same as yours except my domain name in lieu of SEALY1986. Where does it say who the current owner is? I did not see that, but I suspect it’s ok (I’d be happy to check it again though).

                    Now – I took the offending Win2K8 R2 box out of the domain, put it in WORKGROUP (should be only PC in that group). Just as a lark, I tested, and I get the same logon audit failure on Guest in explorer.exe! So it has nothing to do with domain/domain settings.

                    Does that generate any ideas? I’ll keep looking too.

                    • #50790
                      hsorl78y5hosuyhdg
                      Participant

                        @awalt wrote:

                        Where does it say who the current owner is? I did not see that, but I suspect it’s ok (I’d be happy to check it again though).

                        In the Security tab, click on Advanced (it’s near the bottom). In the new dialog that opens, click on the Owner tab. You’ll find the current owner there.

                        • #50791

                          Try this:

                          Reboot the offending computer and press F8 repeatedly to open Advanced Boot Options. Choose “Safe Mode with Networking”. Login with the Built-in Administrator account (not your user created one). Click on Devices and Printers, right-click Printers choose Properties. Click on the Sharing tab. IF you are allowed to continue, change the sharing permissions and give full control to the Administrators group ONLY. If you see “Everyone” remove it. Same thing for Guest, etc etc.

                          Now while still in safe mode go to Control Panel > User Accounts > Manage another Account

                          Create a new administrator account called “tempadmin”.

                          Now log back off and reboot as normal. First login with the offending administrator account like you always do and try to access printer sharing. Do you still receive the same printui.exe error? If this doesn’t work logoff and login with your newly created tempadmin account. Now try to do the same thing. Report back with your results.

                          • #50792

                            I rejoined the domain to get some work done. Should I be in the domain or still in the workgroup?

                            • #50793

                              @awalt wrote:

                              I rejoined the domain to get some work done. Should I be in the domain or still in the workgroup?

                              It shouldn’t matter now that we have established this isn’t a domain-wide issue; it's something affecting your local computer, so it doesn't matter if you are joined to a domain or not. Are you able to use the Run As command as a workaround or does it force you to always use guest?

                              BTW: I am moderating this forum, particularly yours so we can help resolve this annoyance. So please don’t hesitate to respond back quickly.

                              • #50794

                                When I boot into safe with networking and bring up Devices and Printers (note this computer is part of the domain again, but I logged in as the local Built In Administrator), there is only a devices section, no printers section. The printer is there, but it has a little yellow triangle with an exclamation box, and hovering over it says troubleshooting necessary. Must have to do with safe mode. Right clicking on it/Properties did not give me a security tab, it had a General Tab and a Hardware tab, that one had a list of all system devices. I couldn’t see anywhere to get the Permissions info on this page or in Devices and Printers.

                                I created the local account TempAdmin as an administrator. I logged in, cleared the event log, and brought up Windows explorer. I just clicked around some folders, and refreshed Event Log. I had 8 audit failures, login failures, the subject user name was TempAdmin, the target user name was Guest!

                                • #50795

                                  It almost feels like it is some sort of simple file sharing, but that doesn’t exist in Win Server 2K8.

                                  • #50796

                                    Well I turned off file and printer sharing, and Public folder sharing, and the error continues. It’s not that…

                                    • #50797

                                      Yeah simple file sharing just treats remote users with the same “standard” permissions. Your problem is the local account on the physical computer itself cannot use its own credentials.

                                      Are you getting an audit failure with event ID 4625?

                                      • #50798

                                        Yes, 4625. Here is a sample of a latest one (domain name and account name changed to protect the innocent):

                                        An account failed to log on.

                                        Subject:
                                        Security ID: DomainName\DOM
                                        Account Name: DOM
                                        Account Domain: DomainName
                                        Logon ID: 0x291404

                                        Logon Type: 3

                                        Account For Which Logon Failed:
                                        Security ID: NULL SID
                                        Account Name: Guest
                                        Account Domain: WILDCAT

                                        Failure Information:
                                        Failure Reason: Account currently disabled.
                                        Status: 0xc000006e
                                        Sub Status: 0xc0000072

                                        Process Information:
                                        Caller Process ID: 0xe08
                                        Caller Process Name: C:\Windows\explorer.exe

                                        Network Information:
                                        Workstation Name: WILDCAT
                                        Source Network Address: –
                                        Source Port: –

                                        Detailed Authentication Information:
                                        Logon Process: Advapi
                                        Authentication Package: Negotiate
                                        Transited Services: –
                                        Package Name (NTLM only): –
                                        Key Length: 0

                                        • #50799

                                          I set up a little experiment. I opened up the Event Log to the Audit page which generates success/failures. Next I created a network share called “temp”, located at \\STEVEN\Temp. Next I went to my laptop and typed in \\STEVEN\Temp. When it asked me for credentials I put in Guest which obviously is disabled. The laptop waited for about 5 seconds and then displayed an “account is disabled” logon failure message. I refreshed the event log and I noticed that it generated about 15 audit failures all linking to the guest account. I believe what is happening is the remote computer is trying to contact the server (ACK) for a certain amount of time until it times out with the failed message. During its time of trying to contact the server this is why I see the consecutive audit failure messages.

                                          Somebody or maybe yourself is trying to access a particular network resource which is set to use only anonymous access (which includes guest) and thus why you are probably receiving this audit failure.

                                          • #50800

                                            I believe I found the reason why you are getting those audit failures.

                                            Open up command prompt and type in the following:

                                            net user guest /active:NO

                                            Now go to Network and Sharing Center. Click “Change Advanced Sharing Settings”

                                            Turn On Network Discovery
                                            Turn On File and Print Sharing
                                            Turn Off Password-protected sharing

                                            Save changes.

                                            Now go to a different computer and type in the sharename of your offending computer.

                                            For example \\OFFENDING-PC

                                            When it asks you for credentials just

                                            After you have connected to the network share, close out. Notice what happens? The guest account is a built-in system account of the operating system, and by telling the machine to turn off password-protected sharing you’ve told it to use anonymous access, which is why it is trying to use Guest to log on. By disabling the account you are receiving those event ID 4625 audit failure errors as a result. The machine will try to turn on the guest account to allow anonymous access. I had my guest account disabled and when I turned off password-protected sharing it magically turned itself on. I believe this is why. I wouldn’t really put so much stress over audit failures/successes; your machine will probably generate 2,000 or more of them in a couple of days, so why stress yourself looking at every one? You should really only be monitoring this if someone else has trouble contacting a network resource using an account that is supposed to be able to connect. FYI – Relax lol
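For triage of the event ID 4625 failures discussed in this thread, the following is an added example (not part of the original post) that summarises failed Guest logons by calling process, sub status and logon type, so the process behind each burst is visible at a glance. The 24-hour window is an assumption; the syntax is kept compatible with the PowerShell 2.0 shipped in Windows Server 2008 R2.

```powershell
# Added example: summarise failed Guest logons (event 4625) by calling process.
# Run in an elevated PowerShell session on the machine that logs the failures.
$since = (Get-Date).AddDays(-1)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    if (-not $e) { continue }     # PowerShell 2.0 iterates once over an empty result

    # Read the event data by field name from the XML rather than by index.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Keep only failures that targeted the Guest account.
    if ($data['TargetUserName'] -ne 'Guest') { continue }

    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        Caller      = $data['ProcessName']        # "Caller Process Name" in the event text
        LogonType   = $data['LogonType']
        LogonProc   = "$($data['LogonProcessName'])".Trim()
        SubStatus   = $data['SubStatus']          # 0xc0000072 = account currently disabled
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
    }
}

# One line per distinct (caller, sub status, logon type), most frequent first.
$rows | Group-Object Caller, SubStatus, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Most recent individual failures, for correlating with what was clicked.
$rows | Sort-Object Time -Descending |
    Select-Object -First 20 Time, Caller, LogonProc, Workstation, SourceIP |
    Format-Table -AutoSize
```

A local caller such as explorer.exe or printui.exe with an empty source address points at local configuration, while a populated source address points at a remote client.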

                                            • #50801

                                              I did the net user guest /active:NO

                                              However,
                                              Turn On Network Discovery — was already On
                                              Turn On File and Print Sharing — was already on
                                              Turn Off Password-protected sharing – doesn’t exist for me on that screen! Article “Enable or disable sharing and discovery” on technet.microsoft.com says it’s for non-domain use only. It also says “To grant access to a shared folder on this computer on another computer, you must create a user name and password on this computer and supply them to the other user…”

                                              • #50802

                                                Leaving domain to try this, maybe something is messed up on the local part. Stay tuned..

                                                • #50803

                                                  FIXED IT!!!

                                                  Here is what I did – I removed the computer from the domain. I then went in and did what you said, especially turning off Password-protected sharing. Went back and joined the domain, and even though that entry never shows anywhere, the logon failure is gone! This actually sounds like a bug to me; it must be turned on by default, and even though it’s WinSrv 2008 in a domain, somebody is looking at that value.

                                                  I have been trying for 10 minutes to make it happen and I can’t.

                                                  Thanks SO MUCH for your help, I’ll update if anything changes in the next few days.

                                                  • #50804

                                                    Glad I could be of assistance.
