I'm still chasing 4625 failed logons (Type 3) as in:
and, more recently, as in:
We are seeing Event 4625 failed logon type 3 reports:
Reported Username is Guest
on a computer where the Guest account is inactivated.
Event reports: "Remote Device" is the workstation computername itself - not another one.
Event reports: "Domain" is the same workstation computername - not another one and not the domain that the workstation is joined.
So, yes, attempts to logon with Guest should fail because Guest is inactivated.
But why would a workstation be having logon attempts unto itself when I think if Guest as being a Network logon attempt.
And, yes, these are "network logons" (Type 3, right?).
So why are they coming from within the workstation?
In this case, it happened on Friday starting around time for people to come to work at 8:30 and it persisted until 11:50. There were over 400 events, some of which occurred within the same second - spaced variably with gaps up to an hour.
This is happening on a few workstations, although not to this degree.
In this case, it's not an "old credential".and yet the results are very similar to the earlier question's situation.
I still haven't found the smoking gun. It occurs to me that a "network" logon attempt by what is identified as Guest may be coming from a loopback or .... ? That is, it *appears* to be coming from the network and the attempt isn't being identified but, rather, translated to Guest. But I'm way out of my depth in taking this idea any further.