Avatar of hypercube
Flag for United States of America asked on

Windows Network logon (Type 3) failure internal to workstation by disabled "Guest" account.

I'm still chasing 4625 failed logons (Type 3) as in:
and, more recently, as in:

We are seeing Event 4625 failed logon type 3 reports:
Reported Username is Guest on a computer where the Guest account is inactivated.
Event reports: "Remote Device" is the workstation computername itself - not another one.
Event reports: "Domain" is the same workstation computername - not another one and not the domain that the workstation is joined.

So, yes, attempts to logon with Guest should fail because Guest is inactivated.
But why would a workstation be having logon attempts unto itself when I think if Guest as being a Network logon attempt.
And, yes, these are "network logons" (Type 3, right?).
So why are they coming from within the workstation?

In this case, it happened on Friday starting around time for people to come to work at 8:30  and it persisted until 11:50.  There were over 400 events, some of which occurred within the same second - spaced variably with gaps up to an hour.

This is happening on a few workstations, although not to this degree.
In this case, it's not an "old credential".and yet the results are very similar to the earlier question's situation.

I still haven't found the smoking gun.  It occurs to me that a "network" logon attempt by what is identified as Guest may be coming from a loopback or .... ?  That is, it *appears* to be coming from the network and the attempt isn't being identified but, rather, translated to Guest.  But I'm way out of my depth in taking this idea any further.
Windows OSNetworking

Avatar of undefined
Last Comment
Steve Knight

8/22/2022 - Mon
Steve Knight

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

Steve Knight

@65td - yes that covers the issue we found, was ages back I needed to did it but seemed to solve to problem on this recent machine too.  Not sure if that also causes same issue with, say, a shared printer to Everyone etc?

That's very interesting.  These computers were in a Workgroup that has been converted to a Domain.
So, having Everyone in shares was common in the past.
Are we talking here about Share permissions or Security permissions or both?
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Steve Knight

Just NTFS permissions in our case, we have got shares with "Everyone" in elsewhere without the issue.

Steve Knight

Curious, did you find that there too and did it help?  We still have some other similar ones that are proving hard to track down - they don't matter too much when almost certainly coming from something that doesn't matter but then end up masking real attempts at login brute force etc.
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.