domain\Guest Account Being Locked out Via Non-Domain Joined Workstations

  • Question

  • Just recently over the past couple of weeks we have started to see random lockout reports from the Domain Controllers of the <domain name>\Guest account.  Here are the 'facts':

    1. The guest account is disabled and has been likely for a long, long time
    2. ALL of the account lockout reports for the <domain name>\Guest account are coming from NON-DOMAIN JOINED workstations, none are from domain joined workstations
    3. When the account is locked out, in essentially all instances the user has just done the following:  Recently reimaged their test machine that is not domain joined and attempted to access the DFS root or a share on a server (for example \\corp.domainname.com\domainname or \\server5\share).  After they try to access this path, the non-domain workstation sits there for a minute or two (unusually slow) before it comes up with the authentication prompt for credentials.  Immediately after this happens we are notified that the <domain name>\Guest account was 'locked out'

    So, it's always the DOMAIN guest account (that is disabled) being locked out from non-domain joined machines trying to access a share on a server.  I have scanned one of the affected machines for viruses and have come up with nothing.  What else could be causing this all of a sudden in the last couple of weeks?  The machines that are being reimaged have existed for some time (many months in some cases) and the guest account has existed and has been disabled for a long time.

    What possible repercussions would there be for either renaming or deleting the built in <domain name>\Guest account?

    Tuesday, January 10, 2012 4:03 PM


All replies

  • Normally it is recommended to rename the guest account and disable it.

    As you have disabled the guest account, I would also recommend renaming the guest account and checking.

    In addition to the above, ensure that the latest SP and hotfixes are installed on the server/client PC. Also make sure the latest virus definitions are updated and scan the PC.

    What event ID are you getting on the DC? Are you getting event ID 644 in the security log (Win2003 DC), and also event ID 529?

    In event 644 there is a Caller Machine Name field. Is the caller machine name the same?

    If this is the case and the caller machine name is the same, then remove the caller machine from the network. It could be due to the Conficker/Kido virus.

    You can use netmon/wireshark to monitor the traffic arising from the source which is locking the guest account


    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    • Proposed as answer by Yan Li_ Wednesday, January 11, 2012 8:10 AM
    • Unproposed as answer by pcarlson Wednesday, January 11, 2012 7:49 PM
    Wednesday, January 11, 2012 7:03 AM
  • Hi,

    If you are getting event ID 644 and you have a password policy which does not allow a blank password, please try to change the value of the UserAccountControl attribute of the Guest account to 66082 (numerical), i.e. 0x10222 (in hex), which is the sum of the following attributes: ACCOUNTDISABLE; PASSWD_NOTREQD; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD.

    Another possible cause is the network access validation algorithms, which fall back to the GUEST account during network access using the NTLM protocol; please try the second method:

    1. Before doing so we should change the userAccountControl value to its default (0x10222).
    2. Uncheck the "user cannot change password".
    3. Set a NULL password for the GUEST account and keep it disabled.
    4. Check the "user cannot change password" back.

    For more information:

    “Network access validation algorithms and examples for Windows Server 2003, Windows XP, and Windows 2000”
    http://support.microsoft.com/kb/103390

    Best Regards,

    Yan Li
    TechNet Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by pcarlson Tuesday, January 17, 2012 6:25 PM
    Wednesday, January 11, 2012 8:30 AM
  • @Sandesh Dubey

    We will investigate renaming the guest account.

    The server and the PC both have the latest service pack and all Windows Updates installed.  The PC has been scanned for viruses and spyware and is clear of conficker etc. 

    The event ID we are seeing on the DC's is like this. 

    1. First we see Event ID 4776. This lists the 'Logon Account' as a local user account on the source workstation that does NOT exist on the domain. This event ID happens 31 times in a row.
    2. Next we see event ID 4625. Again the 'account name' is a local user on the source workstation that is NOT joined to the domain. Neither the user account nor the computer exists on the domain. The failure reason is 'unknown user name or bad password'. Again this event ID happens 31 times in a row.
    3. Finally we see event ID 4740, which is where we get an e-mail based notification that the 'Guest' domain account (which is disabled) has been locked out.

    The DCs are Server 2008 SP2. We do not see event ID 644 or 429.

    @Yan Li

    We are not getting event ID 644

     

    Below is a copy and paste of the 3 error events we are seeing when an account is locked out, in order:

    EVENT ID 4776 - Occurs 31 times in a row

    The computer attempted to validate the credentials for an account.

    Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account:    LOCALUSERACCOUNT
    Source Workstation:    NONDOMAINJOINEDPCNAME
    Error Code:    0xc0000064

    EVENT ID 4625 - Occurs 31 times in a row

    An account failed to log on.

    Subject:
        Security ID:        S-1-0-0
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0

    Logon Type:            3

    Account For Which Logon Failed:
        Security ID:        S-1-0-0
        Account Name:        LOCALUSERACCOUNT
        Account Domain:        NONDOMAINJOINEDPCNAME

    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xc000006d
        Sub Status:        0xc0000064

    Process Information:
        Caller Process ID:    0x0
        Caller Process Name:    -

    Network Information:
        Workstation Name:    NONDOMAINJOINEDPCNAME
        Source Network Address:    ISATAPIPV6ADDRESSHERE
        Source Port:        49176

    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    EVENT ID 4740 - Occurs once

    A user account was locked out.

    Subject:
        Security ID:        S-1-5-18
        Account Name:        Name of the DC that locked the machine out
        Account Domain:        OURDOMAINNAME
        Logon ID:        0x3e7

    Account That Was Locked Out:
        Security ID:        SID for the guest account
        Account Name:        Guest

    Additional Information:
        Caller Computer Name:    NONDOMAINJOINEDPCNAME

    Wednesday, January 11, 2012 7:47 PM
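One way to triage the three events quoted above from the DC itself, as an added example that is not part of the original post: it pairs each 4740 for the Guest account with the failed 4776 credential validations that the same source workstation produced in the minutes before the lockout, using the Security log's XML EventData fields (on 4740, TargetUserName is the locked account and TargetDomainName is the Caller Computer Name; on 4776, TargetUserName, Workstation and Status are the Logon Account, Source Workstation and Error Code). The account name, the five-minute look-back window and the one-day search range are assumptions set at the top of the script.

```powershell
# Added example, not from the original thread: pair each 4740 lockout of the
# Guest account on this DC with the failed 4776 credential validations that
# the same source workstation produced just before it. Run elevated on the
# DC that logged the 4740 (the "Subject: Account Name" in the event).
$LockedAccount = 'Guest'                       # change if Guest was renamed
$Window        = [TimeSpan]::FromMinutes(5)    # assumed look-back before each lockout
$Since         = (Get-Date).AddDays(-1)        # assumed search range

function Get-EventData {
    # Flatten an event's <EventData> into a hashtable keyed by the Data Name attribute.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# 4740: TargetUserName = account locked out, TargetDomainName = Caller Computer Name.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventData $_).TargetUserName -eq $LockedAccount }

foreach ($lock in $lockouts) {
    $caller = (Get-EventData $lock).TargetDomainName
    $start  = $lock.TimeCreated - $Window

    # 4776: TargetUserName = Logon Account, Workstation = Source Workstation, Status = Error Code.
    # Status 0x0 is success; 0xc0000064 is STATUS_NO_SUCH_USER, i.e. the name the
    # client sent does not exist in the domain.
    $attempts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $start; EndTime = $lock.TimeCreated } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventData $_ } |
        Where-Object { $_.Workstation -eq $caller -and $_.Status -ne '0x0' }

    [pscustomobject]@{
        LockedAt       = $lock.TimeCreated
        CallerComputer = $caller
        Failures       = @($attempts).Count
        AccountsTried  = (@($attempts | ForEach-Object { $_.TargetUserName }) | Sort-Object -Unique) -join ', '
        StatusCodes    = (@($attempts | ForEach-Object { $_.Status }) | Sort-Object -Unique) -join ', '
    }
}
```

A row whose Failures count sits at the domain lockout threshold, whose AccountsTried are names that do not exist in the domain and whose StatusCodes are only 0xc0000064 is the pattern in this thread: a non-domain machine retrying a local account against the DC. A row whose AccountsTried are real domain users, or whose CallerComputer is a machine nobody is reimaging, is the case Sandesh raises above and deserves a packet capture from that host rather than a change to the Guest account.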
  • Event IDs 644, 529 and 680 occur on Win2003. The corresponding event IDs on 2008 are 4740, 4625 and 4776 respectively.

    EventID.Net had this as a possible answer:
    http://www.eventid.net/display.asp?eventid=529&eventno=1&source=Security&phase=1
    http://www.eventid.net/display.asp?eventid=680&eventno=2267&source=Security&phase=1

    The event occurred on Windows XP if the machine environment meets the following criteria:

    - The machine is a member of a domain.
    - The machine is using a machine local account.
    - Logon failure auditing is enabled.

    When the user logs off, Windows will write event ID 529 to the log file because the OS incorrectly tries to contact the domain controller (DC), despite the fact that the machine is using a local account. It seems that MS currently doesn't provide a fix for this problem, but you can safely ignore this event ID.

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    • Proposed as answer by Yan Li_ Monday, January 16, 2012 8:15 AM
    • Unproposed as answer by pcarlson Monday, January 16, 2012 4:21 PM
    Thursday, January 12, 2012 3:53 AM
  • Hi,

    Please try to set the value of the UserAccountControl attribute of the Guest account to 66082 (numerical), i.e. 0x10222 (in hex), and disable it, following the steps provided in my first reply, and then check the result.

    Best Regards,

    Yan Li
    TechNet Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by pcarlson Tuesday, January 17, 2012 6:25 PM
    Thursday, January 12, 2012 7:28 AM
  • Hi,

     

    I would like to know how everything is going. Is the issue still there? Have you disabled the Guest account?

    Best Regards,

    Yan Li
    TechNet Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, January 17, 2012 1:11 AM
  • @Yan Li,

    Yesterday I did the following, which appears to have resolved the issue (we have received no notifications for half the day yesterday and none so far today):

    1. Using ADSIEDIT, changed the value of the UserAccountControl attribute of the Guest account to 66082 (numerical), i.e. 0x10222 (in hex), and disabled it, which is the sum of the following attributes:
       a. ACCOUNTDISABLE; PASSWD_NOTREQD; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
       b. Its current value was 0x10202 aka 66050 in dec (I believe this implies ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD)
    2. Then for the account (in ADUC) did the following:
       a. Unchecked the "user cannot change password" -> OK
       b. Right-clicked on the ‘Guest’ account, selected reset password, kept it blank and clicked OK
          i. This step was to set a NULL password for the GUEST account and keep it disabled
       c. Right-clicked on the guest account and checked the "user cannot change password" again

    • Marked as answer by Yan Li_ Wednesday, January 18, 2012 2:35 AM
    Tuesday, January 17, 2012 6:25 PM
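The four-step procedure Yan Li gives earlier in the thread and pcarlson's ADSIEDIT/ADUC walk-through of it just above are the same change, and it can be scripted. The block below is an added example, not code from the thread: it decodes the Guest account's userAccountControl into the flag names the thread uses, adds PASSWD_NOTREQD (0x10202 becomes 0x10222) without clearing ACCOUNTDISABLE, resets the password to blank, and refuses to finish if the account is found enabled. It assumes the ActiveDirectory RSAT module, rights to modify the Guest object, and that Set-ADAccountPassword with an empty SecureString is accepted as the equivalent of leaving the reset dialog empty in ADUC (if the DC rejects it under the password policy, do that one step in ADUC as the thread describes). The "user cannot change password" toggling is an ACE change and is not scripted here.

```powershell
# Added example, not from the original thread: script the UserAccountControl
# change (0x10202 -> 0x10222) and blank password reset described above, keeping
# the Guest account disabled throughout. Assumes the ActiveDirectory RSAT
# module and rights to modify the Guest object.
Import-Module ActiveDirectory

# userAccountControl bits named in the thread (ADS_USER_FLAG values).
$UacFlags = @{
    ACCOUNTDISABLE       = 0x00002
    PASSWD_NOTREQD       = 0x00020
    NORMAL_ACCOUNT       = 0x00200
    DONT_EXPIRE_PASSWORD = 0x10000
}
$Target = 0x10222   # ACCOUNTDISABLE | PASSWD_NOTREQD | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD = 66082

function ConvertTo-UacFlagNames {
    # Decode a userAccountControl value into the names of the known flags set in it.
    param([int]$Value)
    @($UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key } | Sort-Object)
}

# The built-in Guest account always has RID 501, so find it by SID; this still
# works after the rename that several posters recommend.
$domainSid = (Get-ADDomain).DomainSID.Value
$guest = Get-ADUser -Identity "${domainSid}-501" -Properties userAccountControl
'{0}: before 0x{1:X} ({1}) = {2}' -f $guest.SamAccountName, $guest.userAccountControl, ((ConvertTo-UacFlagNames $guest.userAccountControl) -join ' | ')

# Add PASSWD_NOTREQD without clearing any bit that is already set.
$newValue = $guest.userAccountControl -bor $UacFlags.PASSWD_NOTREQD
if ($newValue -ne $guest.userAccountControl) {
    Set-ADUser -Identity $guest -Replace @{ userAccountControl = $newValue }
}

# Blank password reset. Assumption: an empty SecureString is accepted as the
# equivalent of leaving the reset dialog empty in ADUC once PASSWD_NOTREQD is set;
# if the DC rejects it, do this one step in ADUC as the thread describes.
Set-ADAccountPassword -Identity $guest -Reset -NewPassword (New-Object System.Security.SecureString)

# Verify, and refuse to finish with a password-less account that is enabled.
$after = Get-ADUser -Identity $guest -Properties userAccountControl
if (($after.userAccountControl -band $UacFlags.ACCOUNTDISABLE) -eq 0) {
    Disable-ADAccount -Identity $guest
    throw 'Guest was found enabled after the change; it has been disabled again. Investigate before continuing.'
}
if ($after.userAccountControl -ne $Target) {
    Write-Warning ('userAccountControl is 0x{0:X}, not 0x{1:X}; flags set: {2}' -f $after.userAccountControl, $Target, ((ConvertTo-UacFlagNames $after.userAccountControl) -join ' | '))
}
'{0}: after  0x{1:X} ({1}) = {2}' -f $after.SamAccountName, $after.userAccountControl, ((ConvertTo-UacFlagNames $after.userAccountControl) -join ' | ')
```

Run it from an elevated PowerShell on a domain-joined admin workstation; the first Get-ADUser and the decode line can be run on their own beforehand as a read-only check. If the raw bit values are not of interest, `Set-ADUser -PasswordNotRequired $true` sets the same flag. PASSWD_NOTREQD means the DC will accept an empty password for the account, which is only tolerable here because the account stays disabled; on an enabled account that flag is a finding, which is why the script re-disables and stops rather than just warning.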
  • Hi Yan Li,

    I followed your advice and it seems it fixed the guest locked audit log, but the DC still logs a lot of 4769, 4776, and 4625 events.

    4769

    Additional Information:
    Ticket Options: 0x60810010
    Ticket Encryption Type: 0xffffffff
    Failure Code: 0xe
    Transited Services: -

    4776

    The computer attempted to validate the credentials for an account.

    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account: somepc$
    Source Workstation: somepc
    Error Code: 0xc0000064

    4625

    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    This event is logged by a server running Microsoft Lync in a trusted domain.

    Could MS Lync users be trying to authenticate to trusted domains cause this audit failure?

    Why does the MS Lync server try to authenticate to other domains?

    Too many ??? Help!!

    Thursday, November 29, 2012 7:44 PM
  • I've followed the settings but still get the Guest account lockout.   Any other ideas?

    Guest account disabled, set to 10222, change password to NULL...

    Monday, August 10, 2015 10:17 PM
  • I've followed the settings but still get the Guest account lockout.   Any other ideas?

    Guest account disabled, set to 10222, change password to NULL...

    Hi,

    I'm in the same boat. We are seeing the guest account showing up on our Audit Logs as being locked out from things like Xerox printers, SCCM WIM names, servers, workstations, you name it. The guest account is renamed and disabled via Domain Policy and yet it shows up. Initially we suspected it might have been because of a possible script or network service running in our environment so we decided to change the name of the guest account again and the account continues to show up. Any ideas?  

    Sunday, March 20, 2016 5:29 PM
  • out of interest why do you care of guest account is being locked out? is it just event log spam in your eyes?
    Sunday, March 20, 2016 7:05 PM
  • out of interest why do you care of guest account is being locked out? is it just event log spam in your eyes?

    We believe it to be event log spam; however, it's been brought up to our leadership and we want to find the root cause and nip it. We have also engaged Premier Microsoft support but haven't heard back yet.

    In addition I'm genuinely curious as well what's causing this... but we definitely want to clean it up.

    Sunday, March 20, 2016 7:07 PM
  • inb4 PSS says "can be safely ignored" and is "by design" and "thanks for your money" :)

    "When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.
    Also applies to non-DCs authenticating against the local SAM database"

    Sunday, March 20, 2016 7:27 PM
  • Thank you, it worked for me.

    In Dsa.msc:

    1. Rename the Guest account
    2. Uncheck the "user cannot change password" -> OK
    3. Right-click on the ‘Guest’ account, select reset password, keep it blank and click OK (this step sets a NULL password for the GUEST account and keeps it disabled)
    4. Right-click on the guest account and check the "user cannot change password" again


    With Regards, Raviraj Nagenhatti - System Administrator


    Thursday, June 15, 2017 1:26 PM