Hi All,
I have a few DCs. When I review the security logs I can see a lot of events like the one below:
A user account was changed.

Subject:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3E6

Target Account:
Security ID: <Domain>\<User>
Account Name: <User>
Account Domain: <Domain>

Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 07/11/2018 10:14:26
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: -

Additional Information:
Privileges: -
I have checked a few articles (but can't find anything official by Microsoft) saying that ANONYMOUS LOGON is used to replicate the password between the PDC and each DC. Also, I can't find S-1-5-7 under the ForeignSecurityPrincipals container.
Is there an official Microsoft article about the purpose of ANONYMOUS LOGON and its usage? In what cases and circumstances is it used, as it is a bit annoying to see so many "anonymous logons"?