Just recently over the past couple of weeks we have started to see random lockout reports from the Domain Controllers of the <domain name>\Guest account. Here are the 'facts':
- The guest account is disabled and has been likely for a long, long time
- ALL of the account lockout reports for the <domain name>\Guest account are coming from NON-DOMAIN JOINED workstations, none are from domain joined workstations
- When they account is locked out, in essentially all instances the user has just done the following: Recently reimaged their test machine that is not domain joined and attempted to access the DFS root or a share on a server (for example \\corp.domainname.com\domainname or \\server5\share). After they try to access this path, the non-domain workstation sits there for a minute or two (unusually slow) before it comes up with the authentication prompt for credentials. Immediately after this happens we are notified that the <domain name>\Guest account was 'locked out'
So, it's always the DOMAIN guest account (that is disabled) being locked out from non-domain joined machines trying to access a share on a server. I have scanned one of the affected machines for viruses and have come up with nothing. What else could be causing this all of a sudden in the last couple of weeks? The machines that are being reimaged have existed for some time (many months in some cases) and the guest account has existed and has been disabled for a long time.
What possible repercussions would there be for either renaming or deleting the built in <domain name>\Guest account?