0

With some auditing tool for AD I noticed many changes done by ANONYMOUS LOGON for e.g. badPwdCount and badPasswordTime with the same before and after value.

Any ideas why this 'change' does happen, if it actually does not change anything?

Bart De Vos
Stef

1 Answer

1

What changes? Or are you just seeing the Anonymous Logon events in the logs?

The Anonymous account is used for several tasks that involve querying for information off the domain. From Microsoft:

Some of the services running versions of Windows earlier than Windows 2000 use anonymous access to request user account information from domain controllers and to list network shares on file servers and workstations.

You also might need to allow Anonymous access when an administrator in the trusting domain of a one-way trust relationship across forests needs to list users and shares in the trusted domain of another forest.

There's more at http://technet.microsoft.com/en-us/library/cc785670%28v=ws.10%29.aspx

But the anonymous user shouldn't be making changes, so I'm wondering what event IDs you're referring to or what tool you're using that would say it is. Anonymous is a basic, restricted account for gaining (hopefully) non-intrusive information without the full login rights to the domain.

EDIT - hit submit too quick. The example you're giving for the badpwdcount in your example is saying that something...a machine, a service, a person...is attempting to log in and not giving the correct credentials. Could be a misconfiguration or someone mistyping something, or someone poking the network (what is triggering it? a website in IIS? A machine on your domain?) The badpwdcount attribute in AD is used to track, for example, if the account should be locked out after X number of bad login attempts. The login attempt is done on behalf of anonymous until credentials are established.

Bart Silverstrim
  • I see. And I'm aware that the badPwdCount obviously indicates that the users did try to logon with the wrong password. However, as I said, in my example it is exactly the same value for badPwdCount and badPasswordTime. That does not make any sense to me. – Stef Oct 17 '11 at 07:10
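
As an added example (not part of the original question, answer or comment), this Python sketch triages an audit export by separating the no-op writes described in the question from real changes to badPwdCount and badPasswordTime, and decodes badPasswordTime, which AD stores as a Windows FILETIME. The CSV column names and the sample rows are constructed for illustration and are not any particular auditing tool's schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export; column names are assumptions, not a real tool's schema.
SAMPLE_CSV = """\
when,who,object,attribute,before,after
2011-10-14T08:01:12Z,ANONYMOUS LOGON,jdoe,badPwdCount,2,2
2011-10-14T08:01:12Z,ANONYMOUS LOGON,jdoe,badPasswordTime,129630528720000000,129630528720000000
2011-10-14T08:05:40Z,ANONYMOUS LOGON,jdoe,badPwdCount,2,3
2011-10-14T08:05:40Z,ANONYMOUS LOGON,jdoe,badPasswordTime,129630528720000000,129630531400000000
2011-10-14T09:00:00Z,admin1,jdoe,description,old,new
2011-10-14T09:30:00Z,ANONYMOUS LOGON,svc-web,badPwdCount,0,0
"""

LOCKOUT_ATTRS = {"badPwdCount", "badPasswordTime"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(value):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def triage(csv_text, actor="ANONYMOUS LOGON"):
    """Per account: count no-op vs. real writes to lockout attributes by `actor`."""
    summary = defaultdict(
        lambda: {"noop": 0, "changed": 0, "last_bad_password": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["who"] != actor or row["attribute"] not in LOCKOUT_ATTRS:
            continue  # other actors and other attributes are out of scope here
        entry = summary[row["object"]]
        if row["before"] == row["after"]:
            entry["noop"] += 1      # audit record whose value did not change
        else:
            entry["changed"] += 1   # counter or timestamp really moved
        if row["attribute"] == "badPasswordTime" and int(row["after"]) > 0:
            ts = filetime_to_utc(row["after"])
            if entry["last_bad_password"] is None or ts > entry["last_bad_password"]:
                entry["last_bad_password"] = ts
    return dict(summary)


if __name__ == "__main__":
    for account, info in sorted(triage(SAMPLE_CSV).items()):
        print(account, info)
```
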