Nina G's questions

In our environment, I've found a handful of Event ID 4776 The computer attempted to validate the credentials for an account. Shown below is the output of that event log and it seems the user in question is Guest, which is a disabled account:

I've also found a corresponding Event ID 4625, shown below, from the same time and same Guest user. However, for this event id, I can see Subject Username for which I'm trying to hunt down the user.

My questions are:

• Can someone provide insight on why a disabled Guest account is trying to sign in?
• For Event ID 4625, what is the difference between Subject User Name and Target User Name? I have an idea but I don't want to assume.

I have a user getting prompted by UAC every few minutes regarding Microsoft .Net Runtime requesting admin credentials. Every time the user clicks No, UAC comes back after a few minutes shown below:

Nothing in our security stack is flagging as malicious or blocking anything from this user's device. However, I did find some logs that are related to the UAC prompt issue. Shown below is an output of one of the logs:

[0B54:0AD4][2022-11-22T07:08:58]i001: Burn v3.14.0.5722, Windows v10.0 (Build 19044: Service Pack 0), path: C:\Users\User~1\AppData\Local\Temp\{85268AAC-6881-41DB-85FA-9DF8936C33C0}\.cr\DNCR605-KB4054530-x64-AllOS-ENU.exe
[0B54:0AD4][2022-11-22T07:08:58]i000: Initializing string variable 'BUNDLEMONIKER' to value 'Microsoft .NET Runtime - 6.0.9 (x64)'
[0B54:0AD4][2022-11-22T07:08:58]i000: Initializing string variable 'PRODUCT_NAME' to value 'Microsoft .NET Runtime - 6.0.9 (x64)'
[0B54:0AD4][2022-11-22T07:08:58]i000: Initializing string variable 'LINK_PREREQ_PAGE' to value 'https://go.microsoft.com/fwlink/?linkid=846817'
[0B54:0AD4][2022-11-22T07:08:58]i009: Command Line: '-burn.clean.room=C:\Users\User\AppData\Local\Temp\SupportAssistAgent\AutoUpdate\DNCR605-KB4054530-x64-AllOS-ENU.exe -burn.filehandle.attached=556 -burn.filehandle.self=572 /q /norestart'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\User\AppData\Local\Temp\SupportAssistAgent\AutoUpdate\DNCR605-KB4054530-x64-AllOS-ENU.exe'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\User\AppData\Local\Temp\SupportAssistAgent\AutoUpdate\'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleName' to value 'Microsoft .NET Runtime - 6.0.9 (x64)'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
[0B54:2CE4][2022-11-22T07:08:58]i000: Setting numeric variable 'WixStdBALanguageId' to value 1033
[0B54:2CE4][2022-11-22T07:08:58]i000: Setting version variable 'WixBundleFileVersion' to value '6.0.9.31619'
[0B54:0AD4][2022-11-22T07:08:58]i100: Detect begin, 3 packages
[0B54:0AD4][2022-11-22T07:08:58]i101: Detected package: dotnet_runtime_6.0.9_win_x64.msi, state: Absent, cached: None
[0B54:0AD4][2022-11-22T07:08:58]i101: Detected package: dotnet_hostfxr_6.0.9_win_x64.msi, state: Absent, cached: None
[0B54:0AD4][2022-11-22T07:08:58]i101: Detected package: dotnet_host_6.0.9_win_x64.msi, state: Absent, cached: None
[0B54:0AD4][2022-11-22T07:08:58]i052: Condition '((VersionNT > v6.1) OR (VersionNT = v6.1 AND ServicePackLevel >= 1))' evaluates to true.
[0B54:0AD4][2022-11-22T07:08:58]i052: Condition 'VersionNT64' evaluates to true.
[0B54:0AD4][2022-11-22T07:08:58]i199: Detect complete, result: 0x0
[0B54:0AD4][2022-11-22T07:08:58]i200: Plan begin, 3 packages, action: Install
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleRollbackLog_dotnet_runtime_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_000_dotnet_runtime_6.0.9_win_x64.msi_rollback.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleLog_dotnet_runtime_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_000_dotnet_runtime_6.0.9_win_x64.msi.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleRollbackLog_dotnet_hostfxr_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_001_dotnet_hostfxr_6.0.9_win_x64.msi_rollback.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleLog_dotnet_hostfxr_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_001_dotnet_hostfxr_6.0.9_win_x64.msi.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleRollbackLog_dotnet_host_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_002_dotnet_host_6.0.9_win_x64.msi_rollback.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleLog_dotnet_host_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_002_dotnet_host_6.0.9_win_x64.msi.log'
[0B54:0AD4][2022-11-22T07:08:58]i201: Planned package: dotnet_runtime_6.0.9_win_x64.msi, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[0B54:0AD4][2022-11-22T07:08:58]i201: Planned package: dotnet_hostfxr_6.0.9_win_x64.msi, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[0B54:0AD4][2022-11-22T07:08:58]i201: Planned package: dotnet_host_6.0.9_win_x64.msi, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[0B54:0AD4][2022-11-22T07:08:58]i299: Plan complete, result: 0x0
[0B54:0AD4][2022-11-22T07:08:58]i300: Apply begin
[0B54:0AD4][2022-11-22T07:08:58]i010: Launching elevated engine process.

From the above, it looks like an auto update task is being attempted. And for it to complete, it needs elevated privileges. However, if the user clicks No that should be the end of it.

Can anyone help in stopping the UAC constantly prompting?

I'm running into a head scratcher type of situation. I have a user who has reported that they are getting a Windows Security pop up from outlook that keeps showing up even after clicking Cancel or signing out/in to Outlook.

Luckily, the user didn't put in their credentials.

Below are some things I've checked from a security standpoint:

1. Checked the URL in the image using an analysis tool. Nothing malicious came back.
2. Checked the URL "http://cdn.goalline.ca" it redirects to "https://stacksports.goalline.ca/". Nothing malicious there as well.
3. Checked the domain cdn.goalline.ca and nothing malicious. Appears to be registered 20yrs ago and lines up with the stacksports site stating that it was founded in 2002.
4. Checked enterprise AV, MS Defender and nothing malicious comes back.

Can anyone help in why this keeps popping up for the user? Also, how do we stop this from re-occurring?

In my test windows AD server I was checking out ADSI (adsiedit.msc). From this doc, I can make config changes to ADSI that allows me to monitor changes from Domains, OU deletions, etc.

I decided to take a look ADSI. When I got to the Auditing Entry for (my domain) below, I saw Permissions and Properties:

Does anyone know what permissions and properties do? For example, if Principal is set to Everyone and Full control was checked, does this change everyone's permissions to full overriding AD settings?

I did some reading and found some info on what it is but I couldn't find any other details on what changing these auditing settings (Permissions and Properties) do aside from what the doc provides.

I'm using the free version of Ansible at the moment. What is the maximum hosts a single Ansible controller can manage? I would assume it depends on the resources provisioned on the server but can't seem to find the docs for the free ver.

Also, in a segmented network like the example below (with a mix of Windows and Linux machines), I wasn't too sure but I assume that I need a controller for each network segment. Is this correct?:

1. Segment A = 10.150.10.x
2. Segment B = 10.151.15.x
3. Segment C = 10.25.10.x

Lastly, what are the port requirements and direction for which it needs to be opened?

I have a lab environment with a Win Server 2016 that serves as a AD DC and I have a Win Server 2012 that I'm attempting to join to the domain. Requesting assistance to see what I'm doing wrong.

Win 2016 Server Config:

1. Installed AD DC and DNS role
2. Domain name red_domain.com
3. Static address configured as 192.168.1.111
4. Preferred DNS set to 192.168.1.111 (not sure of this is right)
5. Alternate DNS is 8.8.8.8
6. Confirmed can ping win server 2012

Win Server 2012 Config:

1. Static address configured as 192.168.1.112
2. Preferred DNS set to 192.168.1.111
3. Alternate DNS 8.8.8.8
4. Confirmed can ping Win 2016 Server
5. Getting DNS error joining to domain

Error I'm getting is displayed below:

EDIT: Below is the result of the nslookup:

I have 2 Windows Server 2016 boxes (a forwader and a collector).

They are in the same subnet and both are workgroup.

Unfortunately, these servers cannot be joined to any domain.

Just as the title states. Is it possible for WEF to work on workgroup computers?