Windows Network logon (Type 3) failure internal to workstation by disabled "Guest" account.
I'm still chasing 4625 failed logons (Type 3) as in:
https://www.experts-exchange.com/questions/29168087/Type-3-logon-failures-4625-from-old-credentials.html
This is a slightly different instance of the reports I'm getting:
Reported Username is Guest on a computer where the Guest account is inactivated.
Reported "Remote Device" is the workstation itself - not another one.
Reported "Domain" is the same workstation name - not another one.
So, yes, attempts to logon with Guest should fail because Guest is inactivated.
But why would a workstation be having logon attempts unto itself when I think if Guest as being a Network logon attempt.
And, yes, these are "network logons" (Type 3, right?).
So why are they coming from within the workstation?
In this case, it happened on Friday starting around time for people to come to work at 8:30 and it persisted until 11:50. There were over 400 events, some of which occurred within the same second - spaced variably with gaps up to an hour.
This is happening on a few workstations, although not to this degree.
In this case, it's not an "old credential".and yet the results are very similar to the earlier question's situation.
I still haven't found the smoking gun.
https://www.experts-exchange.com/questions/29168087/Type-3-logon-failures-4625-from-old-credentials.html
This is a slightly different instance of the reports I'm getting:
Reported Username is Guest on a computer where the Guest account is inactivated.
Reported "Remote Device" is the workstation itself - not another one.
Reported "Domain" is the same workstation name - not another one.
So, yes, attempts to logon with Guest should fail because Guest is inactivated.
But why would a workstation be having logon attempts unto itself when I think if Guest as being a Network logon attempt.
And, yes, these are "network logons" (Type 3, right?).
So why are they coming from within the workstation?
In this case, it happened on Friday starting around time for people to come to work at 8:30 and it persisted until 11:50. There were over 400 events, some of which occurred within the same second - spaced variably with gaps up to an hour.
This is happening on a few workstations, although not to this degree.
In this case, it's not an "old credential".and yet the results are very similar to the earlier question's situation.
I still haven't found the smoking gun.
On the event log entry, have you checked the Failure Information Status and Sub Status code?
That may give more of a clue. You can check the codes here:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
That may give more of a clue. You can check the codes here:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
Kent W: Thanks for the suggestion! While it didn't lead me to a fix, it did lead my research to this:
https://social.technet.microsoft.com/Forums/en-US/b65f1e9a-d134-44ec-b972-62cb9505cd8c/constant-user-lockouts-due-to-advapi-lsassexe?forum=winserversecurity
Running PsExec and then keymgr, displayed the hidden credentials and allowed them to be removed.
https://social.technet.microsoft.com/Forums/en-US/b65f1e9a-d134-44ec-b972-62cb9505cd8c/constant-user-lockouts-due-to-advapi-lsassexe?forum=winserversecurity
Running PsExec and then keymgr, displayed the hidden credentials and allowed them to be removed.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial