Windows Server 2008 R2 -> Domain Machine but local Guest Account. Local Security Policy has Guest disabled, GPO has Guest renamed but not defined on disabled/enabled.
I'll focus on one machine, but this has occurred on several other machines. I am seeing Logon Failures in Windows Event Logs associated with our Guest account. Drilling into these Event Logs, I've found that it is the Local Guest account, and the calling Process is Explorer.exe:
LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=4625
EventType=0
Type=Information
ComputerName=ANONASERVER.NCSGROUP.BNSF.com
TaskCategory=Logon
OpCode=Info
RecordNumber=397235473
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
    Security ID:        ANONASERVER\ANONAUSER
    Account Name:       ANONAUSER
    Account Domain:     ANONASERVER
    Logon ID:           0x16f84c6

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Guest
    Account Domain:     ANONASERVER

Failure Information:
    Failure Reason:     Account currently disabled.
    Status:             0xc000006e
    Sub Status:         0xc0000072

Process Information:
    Caller Process ID:  0x1640
    Caller Process Name: C:\Windows\explorer.exe

Network Information:
    Workstation Name:   ANONASERVER
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Advapi
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
I've included the entire output. So I drilled into the machine, found the person who was the Security ID associated with the calling Process. Opened Procexp64.exe, found the PID, did a bring to front and it was as it says, Windows Explorer.exe. One that had been opened to "Pictures" under the user's Documents. He said he hadn't navigated that Windows Explorer process yet (fellow Admin, he is accurate).
Either way, this doesn't seem to be that rare of an issue, but I am having trouble nailing down exactly what is occurring and, more importantly, how to put an end to it.

GPO Info:
Network access: Sharing and security model for local accounts: Classic
Accounts: Guest account status: Not Defined
Accounts: Rename guest account: Enabled and renamed
Thanks
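To trace which processes and users are triggering these failures across a server, the following PowerShell script (an added example, not part of the original post) pulls Security event 4625 records, keeps only the ones where the target account is the local guest account and the Sub Status is 0xc0000072 (account disabled), and groups them by caller process and subject user. The $GuestName parameter is an assumption so a renamed guest account can be matched; run it on the affected server or pass -ComputerName.

```powershell
# Added example: summarise 4625 "account currently disabled" failures for the
# local guest account by caller process and subject, so the trigger can be traced.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: local host by default
    [string]$GuestName    = 'Guest',            # assumption: change if Guest is renamed
    [int]$MaxEvents       = 5000
)

# Pull one named field out of a 4625 event's EventData XML.
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{ LogName = 'Security'; Id = 4625 }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    $x      = [xml]$ev.ToXml()
    $target = Get-EventField $x 'TargetUserName'
    $sub    = Get-EventField $x 'SubStatus'
    # 0xc0000072 = account currently disabled, as in the record in the post.
    if ($target -eq $GuestName -and $sub -eq '0xc0000072') {
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Subject     = Get-EventField $x 'SubjectUserName'
            LogonType   = Get-EventField $x 'LogonType'
            Process     = Get-EventField $x 'ProcessName'
            Workstation = Get-EventField $x 'WorkstationName'
            Status      = Get-EventField $x 'Status'
            SubStatus   = $sub
        }
    }
}

# Most frequent (process, subject) pairs first; these are the ones to investigate.
$hits | Group-Object Process, Subject | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If every hit shares the same Caller Process Name and Logon Type 3 with a blank Source Network Address, the failures are local loopback network logons rather than remote attempts.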