Windows-Server-2008

系統自動啟用訪客賬戶

  • October 25, 2017

我在使用 Windows Server 2008 R2 時遇到了麻煩。我禁用了訪客帳戶,出於安全目的將其設置為不更改密碼。

幾天后,我注意到訪客帳戶已啟用。

系統如何自動修改訪客帳號?

我查看了事件日誌。它顯示以下內容:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/20/2017 11:03:04 PM
Event ID:      4738
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      WIN-GQC8F69I8P7
Description:
A user account was changed.

Subject:
   Security ID:        SYSTEM
   Account Name:       WIN-GQC8F69I8P7$
   Account Domain:     WORKGROUP
   Logon ID:       0x3e7

Target Account:
   Security ID:        WIN-GQC8F69I8P7\Guest
   Account Name:       Guest
   Account Domain:     WIN-GQC8F69I8P7

Changed Attributes:
   SAM Account Name:   Guest
   Display Name:       <value not set>
   User Principal Name:    -
   Home Directory:     <value not set>
   Home Drive:     <value not set>
   Script Path:        <value not set>
   Profile Path:       <value not set>
   User Workstations:  <value not set>
   Password Last Set:  20/10/2017 11:03:04 CH
   Account Expires:        <never>
   Primary Group ID:   513
   AllowedToDelegateTo:    -
   Old UAC Value:      0x211
   New UAC Value:      0x211
   User Account Control:   -
   User Parameters:    -
   SID History:        -
   Logon Hours:        All

Additional Information:
   Privileges:     -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
   <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
   <EventID>4738</EventID>
   <Version>0</Version>
   <Level>0</Level>
   <Task>13824</Task>
   <Opcode>0</Opcode>
   <Keywords>0x8020000000000000</Keywords>
   <TimeCreated SystemTime="2017-10-20T16:03:04.790779000Z" />
   <EventRecordID>10641390</EventRecordID>
   <Correlation />
   <Execution ProcessID="488" ThreadID="5744" />
   <Channel>Security</Channel>
   <Computer>WIN-GQC8F69I8P7</Computer>
   <Security />
 </System>
 <EventData>
   <Data Name="Dummy">-</Data>
   <Data Name="TargetUserName">Guest</Data>
   <Data Name="TargetDomainName">WIN-GQC8F69I8P7</Data>
   <Data Name="TargetSid">S-1-5-21-1551155493-3377209804-688432216-501</Data>
   <Data Name="SubjectUserSid">S-1-5-18</Data>
   <Data Name="SubjectUserName">WIN-GQC8F69I8P7$</Data>
   <Data Name="SubjectDomainName">WORKGROUP</Data>
   <Data Name="SubjectLogonId">0x3e7</Data>
   <Data Name="PrivilegeList">-</Data>
   <Data Name="SamAccountName">Guest</Data>
   <Data Name="DisplayName">%%1793</Data>
   <Data Name="UserPrincipalName">-</Data>
   <Data Name="HomeDirectory">%%1793</Data>
   <Data Name="HomePath">%%1793</Data>
   <Data Name="ScriptPath">%%1793</Data>
   <Data Name="ProfilePath">%%1793</Data>
   <Data Name="UserWorkstations">%%1793</Data>
   <Data Name="PasswordLastSet">20/10/2017 11:03:04 CH</Data>
   <Data Name="AccountExpires">%%1794</Data>
   <Data Name="PrimaryGroupId">513</Data>
   <Data Name="AllowedToDelegateTo">-</Data>
   <Data Name="OldUacValue">0x211</Data>
   <Data Name="NewUacValue">0x211</Data>
   <Data Name="UserAccountControl">-</Data>
   <Data Name="UserParameters">-</Data>
   <Data Name="SidHistory">-</Data>
   <Data Name="LogonHours">%%1797</Data>
 </EventData>
</Event>

   Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/20/2017 11:03:04 PM
Event ID:      4724
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      WIN-GQC8F69I8P7
Description:
An attempt was made to reset an account's password.

Subject:
   Security ID:        SYSTEM
   Account Name:       WIN-GQC8F69I8P7$
   Account Domain:     WORKGROUP
   Logon ID:       0x3e7

Target Account:
   Security ID:        WIN-GQC8F69I8P7\Guest
   Account Name:       Guest
   Account Domain:     WIN-GQC8F69I8P7
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
   <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
   <EventID>4724</EventID>
   <Version>0</Version>
   <Level>0</Level>
   <Task>13824</Task>
   <Opcode>0</Opcode>
   <Keywords>0x8020000000000000</Keywords>
   <TimeCreated SystemTime="2017-10-20T16:03:04.790779000Z" />
   <EventRecordID>10641391</EventRecordID>
   <Correlation />
   <Execution ProcessID="488" ThreadID="5744" />
   <Channel>Security</Channel>
   <Computer>WIN-GQC8F69I8P7</Computer>
   <Security />
 </System>
 <EventData>
   <Data Name="TargetUserName">Guest</Data>
   <Data Name="TargetDomainName">WIN-GQC8F69I8P7</Data>
   <Data Name="TargetSid">S-1-5-21-1551155493-3377209804-688432216-501</Data>
   <Data Name="SubjectUserSid">S-1-5-18</Data>
   <Data Name="SubjectUserName">WIN-GQC8F69I8P7$</Data>
   <Data Name="SubjectDomainName">WORKGROUP</Data>
   <Data Name="SubjectLogonId">0x3e7</Data>
 </EventData>
</Event>

我已經找了幾天了。我意識到它每天晚上都在同一時間發生。我猜它可能是一個任務計劃程序然後在任務計劃程序中找不到任何東西。我使用了 Sysinternals 工具並發現了問題。WMI 服務中有一個有害的 VB 腳本。刪除它,問題就解決了!

我會試試這個,然後在這個系統上執行 RSOP.msc

電腦配置 > Windows 設置 > 安全設置 > 本地策略 > 安全選項 > 帳戶:訪客帳戶狀態

它應該被禁用。如果它已啟用,那麼您可以看到哪個 GPO 正在應用該策略

引用自:https://serverfault.com/questions/879497

相關問答

Windows-Server-2008

如何找出域帳戶的錯誤登錄嘗試來自何處(Windows 2008 Server R2)

  • April 19, 2017
檢視問答
Windows-Server-2008

如何在加入 Active Directory 域的 PC 上重建 Windows 7 使用者配置文件,為什麼要這樣做?

  • February 10, 2016
檢視問答
Windows-Server-2008

更改管理員使用者名會影響我的 windows server 2008 R2 上的其他設置嗎?

  • December 4, 2015
檢視問答
Windows-Server-2008

Windows Server 2008 R2:使用者帳戶設置為登錄時不顯示

  • February 19, 2015
檢視問答
Windows-Server-2008

漫遊配置文件、使用者配置文件、主文件夾和重定向文件夾之間的區別?

  • July 23, 2014
檢視問答
Windows-Server-2008

從 2003 年到 2008 年的 Windows Server 本地帳戶遷移

  • April 14, 2014
檢視問答