Computer still contacting domain even though we removed it from domain
We had this computer on our domain but we are redeploying it as a Kiosk machine. The Kiosk's have no reason to be on our domain for security reasons. I've installed SiteKiosk v8 software on this Windows 7 64bit machine. Everything works great except when I log into the LOCAL user it appears as if the machine is still contacting our domain. We use EventSentry and I get the following message every time I log onto this kiosk box with a local user.
EVENT # 65036788
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Logon/Logoff
EVENT ID 529
USERNAME NT AUTHORITY\SYSTEM
COMPUTERNAME -our domain controller name-
DATE / TIME 3/16/2012 9:16:29 AM
MESSAGE Logon Failure:
Reason: Unknown user name or bad password
User Name: SiteKiosk
Domain: KIOSK2
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: KIOSK2
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.3.162
Source Port: 0
The thing is like I said, I removed this machine from the domain. I changed it to a kiosks WORKGROUP and renamed it at the same time. What on this machine is trying to contact the domain at logon?
EVENT # 65036788
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Logon/Logoff
EVENT ID 529
USERNAME NT AUTHORITY\SYSTEM
COMPUTERNAME -our domain controller name-
DATE / TIME 3/16/2012 9:16:29 AM
MESSAGE Logon Failure:
Reason: Unknown user name or bad password
User Name: SiteKiosk
Domain: KIOSK2
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: KIOSK2
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.3.162
Source Port: 0
The thing is like I said, I removed this machine from the domain. I changed it to a kiosks WORKGROUP and renamed it at the same time. What on this machine is trying to contact the domain at logon?
Could be a service, a mapped drive or anything else thats trying to reach a resource on your domain.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ah ok it looks like it was related to Desktop Authority Script Logic CBM Service (Computer Based Management).
We use Script Logic's Desktop Authority and I just uninstalled everything related to it. No more errors!
We use Script Logic's Desktop Authority and I just uninstalled everything related to it. No more errors!
@ITdiamond, great news! You can also check local Group Policy results to ensure all GPO settings are restored to default.