PS script causing Failed guest logon


Hello, 

We have a ps1 script to audit AD-Group-Members which runs on a weekly basis.

This queries all the AD users and Groups they are a part of and exports it in an Excel file. This runs on our Domain Controller.

 

On 2nd September, we noticed that during the time the script was running, there were 956 sign-in attempts on our DC.

The script for Get-ADGroupMembership ran at 4:38PM and the completed csv was created at 4:46PM.

Login events started 9/2/2018 4:38:22 PM and continued till 9/2/2018 4:46:29 PM

 

This is what I see in the Event Viewer (screenshot added)

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Guest

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

 

Any info on why the script might have caused the logon attempts will be hugely appreciated.

Also attached the ps1.

[Screenshot: account locked.PNG]

2 Replies

How is the script run? Scheduled task, or manually by a user?

It is a Scheduled task that runs every Sunday.
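
One way to narrow down which process is behind failures like the ones quoted in the question, as an added example that is not part of the original thread: it groups failed-logon records (Event ID 4625, the event whose text is quoted above) by target account, running account and calling process. The `SubjectUserName` and `ProcessName` values and the timestamps in the sample are constructed; the other values are the ones quoted in the post.

```powershell
# Added example: summarise Event ID 4625 records by account and calling process.
function Get-FailedLogonSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $rows = foreach ($text in $EventXml) {
        $evt = [xml]$text
        $f = @{}   # EventData fields keyed by their Name attribute
        foreach ($node in $evt.Event.EventData.Data) { $f[$node.Name] = [string]$node.'#text' }
        [pscustomobject]@{
            Time          = $evt.Event.System.TimeCreated.SystemTime  # ISO 8601 UTC, sorts as text
            Account       = $f['TargetUserName']                     # account the logon was tried for
            RunAs         = $f['SubjectUserName']                    # account that requested the logon
            LogonProcess  = ([string]$f['LogonProcessName']).Trim()  # field is space-padded in the log
            CallerProcess = $f['ProcessName']                        # executable that made the call
            SubStatus     = $f['SubStatus']
        }
    }
    $rows | Group-Object Account, RunAs, LogonProcess, CallerProcess, SubStatus | ForEach-Object {
        $g = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Count         = $g.Count
            Account       = $g[0].Account
            RunAs         = $g[0].RunAs
            LogonProcess  = $g[0].LogonProcess
            CallerProcess = $g[0].CallerProcess
            SubStatus     = $g[0].SubStatus
            First         = $g[0].Time
            Last          = $g[-1].Time
        }
    } | Sort-Object Count -Descending
}

# Constructed sample records (svc-example, caller.exe and the UTC times are made up).
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="{0}" /></System>
  <EventData>
    <Data Name="SubjectUserName">svc-example</Data>
    <Data Name="TargetUserName">Guest</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="ProcessName">C:\Example\caller.exe</Data>
  </EventData>
</Event>
'@
$sample = '2018-09-02T16:38:22Z', '2018-09-02T16:46:29Z' | ForEach-Object { $template -f $_ }
Get-FailedLogonSummary -EventXml $sample | Format-List
# Live use on the DC (elevated): feed it the real records instead of $sample, e.g.
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object { $_.ToXml() }
```

A single group with a count close to the number of failures and a `CallerProcess` matching the scheduled task's host process points at the script itself rather than at outside sign-in attempts.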