Why is Guest account being used by Win Srv 2008 R2?
- This topic has 46 replies, 6 voices, and was last updated 14 years, 8 months ago by Anonymous.
- 3rd May 2010 at 14:04 #44048
Hi all, I am using Win 2K8 R2 as a development workstation.
I have been tracking down a security audit logon failure on a particular instance of Windows Server 2008 R2.
On this one machine only, if I open Devices and Printers, right click on any of the Printers, click Printer Properties, then click the Sharing tab, I get a logon audit failure – printui.exe is trying to logon as Guest. Guest account is disabled which is why the audit failure occurs.
Also, if I bring up Windows Explorer and click around in folders, I will get a logon security audit failure as well on the Guest account. I tied a task (popup window) to the logon failure event so I could immediately see it happen, and I also temporarily enabled the Guest account and verified the successful logon events were also recorded in these 2 cases.
I have used SysInternals tools to try and track – if I enable GUEST the logons do not appear in LogonSessions, maybe they occur and complete too fast. I see no shares using GUEST in ShareEnum.
Why is this happening, why does Devices and printers and Windows Explorer try to logon as Guest? BTW, this happens even if I am logged in as a Domain Admin.
(BTW – system is AV/spyware free, I run HijackThis, spybot, and at least one other; system is also fully updated).
As a follow up, I have another Win2K8 R2 box that acts as DC, where this does not happen – it does not use Guest to logon, so it gets no audit failures or audit successes for logging on. As far as I know the systems should be configured pretty much the same other than one being a DC and the other (offending) box just being a non-DC server. I have checked the Local Policy Settings extensively to see if something is different and I don’t see anything.
So why does this one box insist on logging in as Guest for Windows Explorer and Devices and Printers/Sharing?
Here is the event log–
==========
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/1/2010 7:07:53 AM
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: WILDCAT.xxxxxxxxxxxxxxxxxxx
Description:
An account was successfully logged on.
Subject:
Security ID: xxxxxxx\yyyyy
Account Name: yyyyy
Account Domain: xxxxxxx
Logon ID: 0xdc92e
Logon Type: 3
New Logon:
Security ID: WILDCAT\Guest
Account Name: Guest
Account Domain: WILDCAT
Logon ID: 0x229dbd6
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x1420
Process Name: C:\Windows\System32\printui.exe
Network Information:
Workstation Name: WILDCAT
Source Network Address: –
Source Port: –
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: –
Package Name (NTLM only): –
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
– Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
– Transited services indicate which intermediate services have participated in this logon request.
– Package name indicates which sub-protocol was used among the NTLM protocols.
– Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
- 3rd May 2010 at 20:54 #50784
Open up the local security policy of your machine and navigate to
Local Policies > Security Options > Network Access: Sharing and security model for local accounts
If the setting is set to guest only then the network logon will automatically be mapped to the Guest account. Check out this setting and see if it is the culprit. It might be.
- 3rd May 2010 at 22:18 #50785
Thanks for the reply! I checked it, it’s set to “Classic – local users authenticate as themselves”.
If you have any other ideas or hunches please let me know, as I am out of ideas. Thanks for your time!
- 4th May 2010 at 00:59 #50786
@awalt wrote:
Thanks for the reply! I checked it, it’s set to “Classic – local users authenticate as themselves”.
If you have any other ideas or hunches please let me know, as I am out of ideas. Thanks for your time!
Are you joined to a domain? Your logon type is set to 3 which is network logon which leads me to believe you are joined to a domain, check your domain security policy and see if it’s set to “guest only”.
- 4th May 2010 at 01:24 #50787
Thanks for your help? How do I change/examine this on the Domain Controller? This has changed a lot since I last looked at it on the DC side…
PS yes I am on a domain…
- 4th May 2010 at 03:09 #50788
On your domain controller…
Start > Administrative Tools > Group Policy Management
Expand Forest, then Domains. Click on your domain – wildcat I assume?
Do you have any linked GPOs? Or just “default domain policy”
Right-click on default domain policy and click edit.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Sharing and security model for local accounts
Check the condition of this setting and tell me if it is defined or not; if it is not defined then the default is “Classic”.
Also, is your user account a member of the Domain Admins group in Active Directory Users and Computers? Please report back with your findings, I hope we can solve this problem for you. Please excuse me I’m not an expert in Windows Server but I’m trying to learn.
- 4th May 2010 at 10:33 #50783
Thanks again for the help!
FYI Wildcat is the offending 2K8 R2 computer, not the domain name…
I have a linked GPO, so I made sure the change was in there. It shows up under the domain name, and its link order is #1 above the default domain policy. I assume that is correct?
The setting you told me about was not defined, I set it to the “Classic” setting.
My user account is a Domain and Enterprise Admin in Active Directory, as well as an Admin on the offending computer local account.
I then logged off and logged back on, and the same attempt to logon as Guest occurs.
Thanks again for helping me look at this!
- 4th May 2010 at 21:13 #50782
Ok bear with me here lol
You are a domain administrator so you should be able to add/remove roles, create new users/groups, OUs in AD, modify GPOs. Answer these questions for me so I can get a better idea of what you can and cannot do.
1. Go to C:\Windows. Right-click on folder hit properties. Click on Security tab.
List all the accounts you see under Group or user names.
Now click Advanced button at bottom. Then Owner. Who is the current owner of the Windows folder?
2. Navigate to C:\Windows\explorer.exe. Repeat the same process and tell me who is listed under group or user names and who is current owner.
3. Navigate to c:\windows\system32\printui.exe. Repeat same process.
Your results should look something like this:
1 – C:\WINDOWS
CREATOR OWNER
SYSTEM
Administrators (SEALY1986/Administrators)
Users (SEALY1986\Users)
TrustedInstaller
Current owner: TrustedInstaller
2 – C:\Windows\Explorer.exe
SYSTEM
Administrators (SEALY1986\Administrators)
Users (SEALY1986\Users)
TrustedInstaller
Current owner: TrustedInstaller
3 – C:\Windows\system32\printui.exe
SYSTEM
Administrators (SEALY1986\Administrators)
Users (SEALY1986\Users)
TrustedInstaller
Current owner: TrustedInstaller
These are the results of my ACL on my domain controller. I have a HP printer installed and connected via USB to my domain controller computer. I have printer sharing enabled through active directory and I have a laptop with server 2008 r2 as a workstation connected to my domain with domain administrator account and I can navigate through windows explorer and connect to printer without guest. If your list matches mine then at least we can safely say it is not an access control problem or even a permissions issue.
The next step I would suggest would be to check the universal group membership caching setting in Active Directory Sites and Services. Navigate to Sites > Default-First-Site-Name (OR a name you put in yourself). Right-click on NTDS Site Settings and choose properties. By default it should be unchecked.
If this doesn’t work I would suggest you demote your developer workstation back to a WORKGROUP again. Disconnect it from your domain so the only policy affecting the system is the local policy. We might be able to determine if this is a domain-wide or localized problem. You can always join back to the domain if the problem still persists. Hope one of these solutions fixes it cause I’m running out of ideas lol
- 5th May 2010 at 15:01 #50789
Thanks for the suggestions! Here is what I found:
The accounts under c:\WINDOWS, explorer.exe and printui.exe all look the same as yours except my domain name in lieu of SEALY1986. Where does it say who the current owner is? I did not see that, but I suspect it’s ok (I’d be happy to check it again though).
Now – I took the offending Win2K8 R2 box out of the domain, put it in WORKGROUP (should be only PC in that group). Just as a lark, I tested, and I get the same logon audit failure on Guest in explorer.exe! So it has nothing to do with domain/domain settings.
Does that generate any ideas? I’ll keep looking too.
- 5th May 2010 at 15:56 #50790
@awalt wrote:
Where does it say who the current owner is? I did not see that, but I suspect it’s ok (I’d be happy to check it again though).
In the Security tab, click on Advanced (it’s near the bottom). In the new dialog that opens, click on the Owner tab. You’ll find the current owner there.
- 5th May 2010 at 17:32 #50791
Try this:
Reboot the offending computer and press F8 repeatedly to open Advanced Boot Options. Choose “Safe Mode with Networking”. Login with the Built-in Administrator account (not your user created one). Click on Devices and Printers, right-click Printers choose Properties. Click on the Sharing tab. IF you are allowed to continue, change the sharing permissions and give full control to the Administrators group ONLY. If you see “Everyone” remove it. Same thing for Guest, etc etc.
Now while still in safe mode go to Control Panel > User Accounts > Manage another Account
Create a new administrator account called “tempadmin”.
Now log back off and reboot as normal. First login with the offending administrator account like you always do and try to access printer sharing. Do you still receive the same printui.exe error? If this doesn’t work logoff and login with your newly created tempadmin account. Now try to do the same thing. Report back with your results.
- 5th May 2010 at 17:39 #50792
I rejoined the domain to get some work done. Should I be in the domain or still in the workgroup?
- 5th May 2010 at 18:02 #50793
@awalt wrote:
I rejoined the domain to get some work done. Should I be in the domain or still in the workgroup?
It shouldn’t matter now that we have established this isn’t a domain-wide issue; it’s something affecting your local computer, so it doesn’t matter if you are joined to a domain or not. Are you able to use the Run As command as a workaround or does it force you to always use guest?
BTW: I am moderating this forum, particularly yours so we can help resolve this annoyance. So please don’t hesitate to respond back quickly.
- 5th May 2010 at 18:07 #50794
When I boot into safe with networking and bring up Devices and Printers (note this computer is part of the domain again, but I logged in as the local Built In Administrator), there is only a devices section, no printers section. The printer is there, but it has a little yellow triangle with an exclamation box, and hovering over it says troubleshooting necessary. Must have to do with safe mode. Right clicking on it/Properties did not give me a security tab, it had a General Tab and a Hardware tab, that one had a list of all system devices. I couldn’t see anywhere to get the Permissions info on this page or in Devices and Printers.
I created the local account TempAdmin as an administrator. I logged in, cleared the event log, and brought up Windows explorer. I just clicked around some folders, and refreshed Event Log. I had 8 audit failures, login failures, the subject user name was TempAdmin, the target user name was Guest!
- 5th May 2010 at 18:10 #50795
It almost feels like it is some sort of simple file sharing, but that doesn’t exist in Win Server 2K8.
- 5th May 2010 at 18:13 #50796
Well I turned off file and printer sharing, and Public folder sharing, and the error continues. It’s not that…
- 5th May 2010 at 18:47 #50797
Yeah simple file sharing just treats remote users with the same “standard” permissions. Your problem is the local account on the physical computer itself cannot use its own credentials.
Are you getting an audit failure with event ID 4625?
- 5th May 2010 at 19:03 #50798
Yes, 4625. Here is a sample of a latest one (domain name and account name changed to protect the innocent):
An account failed to log on.
Subject:
Security ID: DomainName\DOM
Account Name: DOM
Account Domain: DomainName
Logon ID: 0x291404
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Guest
Account Domain: WILDCAT
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072
Process Information:
Caller Process ID: 0xe08
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: WILDCAT
Source Network Address: –
Source Port: –
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: –
Package Name (NTLM only): –
Key Length: 0
- 5th May 2010 at 19:11 #50799
I set up a little experiment. I opened up the Event Log to the Audit page which generates success/failures. Next I created a network share called “temp”, located at \\STEVEN\Temp. Next I went to my laptop and typed in \\STEVEN\Temp. When it asked me for credentials I put in Guest which obviously is disabled. The laptop waited for about 5 seconds and then displayed an “account is disabled” logon failure message. I refreshed the event log and I noticed that it generated about 15 audit failures all linking to the guest account. I believe what is happening is the remote computer is trying to contact the server (ACK) for a certain amount of time until it times out with the failed message. During its time of trying to contact the server this is why I see the consecutive audit failure messages.
Somebody or maybe yourself is trying to access a particular network resource which is set to use only anonymous access (which includes guest) and thus why you are probably receiving this audit failure.
- 5th May 2010 at 19:31 #50800
I believe I found the reason why you are getting those audit failures.
Open up command prompt and type in the following:
net user guest /active:NO
Now go to Network and Sharing Center. Click “Change Advanced Sharing Settings”
Turn On Network Discovery
Turn On File and Print Sharing
Turn Off Password-protected sharing
Save changes.
Now go to a different computer and type in the sharename of your offending computer.
For example \\OFFENDING-PC
When it asks you for credentials just
After you have connected to network share close out. Notice what happens? The guest account is a Built-in system account by the operating system and by telling the machine to turn off password protected sharing you’ve told it to use anonymous access, which is why it is trying to use Guest to logon. By disabling the account you are receiving those event id 4625 audit failure errors as a result. The machine will try to turn on the guest account to allow anonymous access. I had my guest account disabled and when I turned off password protected sharing it magically turned itself on. I believe this is why. I wouldn’t really put so much stress over audit failures/successes your machine will probably generate 2,000 or more of them in a couple days, why stress yourself after looking at everyone. You should really only be monitoring this if someone else has trouble contacting a network resource using an account that is supposed to be able to connect. FYI – Relax lol
- 5th May 2010 at 19:44 #50801
I did the net user guest /active:NO
However,
Turn On Network Discovery — was already On
Turn On File and Print Sharing — was already on
Turn Off Password-protected sharing – doesn’t exist for me on that screen! Article “Enable or disable sharing and discovery” on technet.microsoft.com says it’s for non-domain use only. It also says “To grant access to a shared folder on this computer on another computer, you must create a user name and password on this computer and supply them to the other user…”
- 5th May 2010 at 19:47 #50802
Leaving domain to try this, maybe something is messed up on the local part. Stay tuned..
- 5th May 2010 at 20:08 #50803
FIXED IT!!!
Here is what I did – I removed the computer from the domain. I then went in and did what you said, especially turning off Password-protected sharing. Went back and joined the domain, and even though that entry never shows anywhere, the logon failure is gone! This actually sounds like a bug to me, it must be turned on by default and even though it’s WinSrv 2008 in a domain somebody is looking at that value.
I have been trying for 10 minutes to make it happen and I can’t.
Thanks SO MUCH for your help, I’ll update if anything changes in the next few days.
- 5th May 2010 at 20:23 #50804
Glad I could be of assistance.
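Added example, not part of the thread and not any poster's code: a small Python triage script for the rendered 4624/4625 messages pasted above. It keeps only type 3 logons whose target account is Guest, separates attempts requested by a local process (Source Network Address "-") from ones with a remote address, and counts them by caller process and decoded Sub Status. The sample events are constructed from the values shown in the thread; the address 192.0.2.10 and the account "alice" are made up.

```python
import re
from collections import Counter

# NTSTATUS values that appear in the thread's 4625 event.
NTSTATUS = {
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):$")        # e.g. "Subject:"
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()]*?):\s+(.*)$")  # "Key: value"
TOP_LEVEL = {"Logon Type"}  # printed between sections, belongs to none


def parse_event(text):
    """Parse one rendered event message into {section: {field: value}}."""
    event, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            event.setdefault(section, {})
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            event["" if key in TOP_LEVEL else section][key] = value
    return event


def decode_status(value):
    """Map a hex NTSTATUS string to its symbolic name when known."""
    try:
        return NTSTATUS.get(int(value, 16), value)
    except (TypeError, ValueError):
        return value or "n/a"


def guest_logon_origin(event):
    """Return 'local', 'remote', or None if not a network logon as Guest."""
    target = (event.get("Account For Which Logon Failed")
              or event.get("New Logon") or {})
    if event[""].get("Logon Type") != "3":
        return None
    if target.get("Account Name", "").lower() != "guest":
        return None
    addr = event.get("Network Information", {}).get("Source Network Address", "-")
    return "local" if addr in ("-", "–", "", "::1", "127.0.0.1") else "remote"


def summarize(event_texts):
    """Count Guest network logons by (origin, caller, subject, result)."""
    counts = Counter()
    for text in event_texts:
        ev = parse_event(text)
        origin = guest_logon_origin(ev)
        if origin is None:
            continue
        proc = ev.get("Process Information", {})
        caller = proc.get("Caller Process Name") or proc.get("Process Name") or "unknown"
        subject = ev.get("Subject", {}).get("Account Name", "unknown")
        failure = ev.get("Failure Information", {})
        result = decode_status(failure.get("Sub Status")) if failure else "success"
        counts[(origin, caller.lower(), subject, result)] += 1
    return counts


# Constructed sample input, modelled on the two events quoted in the thread.
EVENT_4625 = r"""An account failed to log on.
Subject:
    Account Name: DOM
    Account Domain: DomainName
Logon Type: 3
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Guest
    Account Domain: WILDCAT
Failure Information:
    Failure Reason: Account currently disabled.
    Status: 0xc000006e
    Sub Status: 0xc0000072
Process Information:
    Caller Process ID: 0xe08
    Caller Process Name: C:\Windows\explorer.exe
Network Information:
    Workstation Name: WILDCAT
    Source Network Address: -
"""
EVENT_4624 = r"""An account was successfully logged on.
Subject:
    Account Name: DOM
Logon Type: 3
New Logon:
    Security ID: WILDCAT\Guest
    Account Name: Guest
Process Information:
    Process ID: 0x1420
    Process Name: C:\Windows\System32\printui.exe
Network Information:
    Source Network Address: -
"""
# Constructed variants: a remote attempt and a non-Guest failure.
REMOTE_4625 = (EVENT_4625
               .replace("Source Network Address: -", "Source Network Address: 192.0.2.10")
               .replace(r"C:\Windows\explorer.exe", "-")
               .replace("Account Name: DOM", "Account Name: -"))
OTHER_4625 = EVENT_4625.replace("Account Name: Guest", "Account Name: alice")

if __name__ == "__main__":
    sample = [EVENT_4625, EVENT_4625, EVENT_4624, REMOTE_4625, OTHER_4625]
    for key, n in summarize(sample).most_common():
        print(n, *key, sep="\t")
```

The parser assumes one "Key: value" pair per line, so a field with an empty value is read as a section header; the events quoted in the thread always print "–" or "-" for empty fields.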