
Check if Windows built-in local guest account is turned on

I'm trying to do a check that will determine if the local Windows guest account is turned on or off. (Please note this is different from enabled/disabled, which I can currently do a check for).

As far as I can tell the only place the on/off setting has any impact is in the Local Security Policy setting "Deny log on locally".

An acceptable workaround would be any check that can determine if the built-in guest account is capable of being displayed during the log-in screen. That question is really the only thing my method needs to know. Thanks in advance.

Edit for clarification:

[image]

This question was answered by AverageJoeOfToronto over at Technet:

Since I'm really only trying to determine the status of this setting (as opposed to editing it), the solution provided was to export the security policy using secedit.

secedit.exe /export /cfg %temp%\UserRights.inf /areas User_Rights /log %temp%\UserRights.log

Produces a CFG which will contain a line with the relevant "Deny log on locally" list:

SeDenyInteractiveLogonRight = Guest

For a lot of domain computers this will probably include ASPNET as well (I recall seeing people looking for the same solution specifically to filter out ASPNET). When ASPNET or other accounts are present the output is comma separated:

SeDenyInteractiveLogonRight = ASPNET,Guest,AnotherUser

AverageJoe was even kind enough to inform me that this policy can be edited with NTrights.exe available in the Windows Resource Toolkit.

If you get any use from this post, please go over and upvote his answer at Technet as he apparently spent over an hour looking for this solution. Thanks Joe.
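The secedit check described above, as an added PowerShell example that is not part of the original post or the Technet answer. The function names and the sample lines are hypothetical; it also assumes the export may list an account as `*S-1-5-21-...-501` (the Guest account's fixed RID) instead of by name.

```powershell
# Added example: read "Deny log on locally" from a secedit User_Rights export.

function Get-DenyInteractiveLogonEntries {
    param([string[]]$InfLines)
    foreach ($line in $InfLines) {
        # The value is a comma-separated list; tolerate spacing around "=" and ","
        if ($line -match '^\s*SeDenyInteractiveLogonRight\s*=\s*(.*)$') {
            return @($Matches[1] -split ',' |
                     ForEach-Object { $_.Trim() } |
                     Where-Object { $_ })
        }
    }
    return @()   # line absent: the right is assigned to nobody
}

function Test-GuestDeniedLocalLogon {
    param(
        [string[]]$InfLines,
        [string]$GuestName = 'Guest'   # pass the real name if the account was renamed
    )
    foreach ($entry in Get-DenyInteractiveLogonEntries -InfLines $InfLines) {
        # Exact, case-insensitive name match (so "GuestAdmin" does not count)
        if ($entry -ieq $GuestName) { return $true }
        # SID form: any account SID ending in RID 501 is a Guest account
        # (local or domain); survives renaming and localized names
        if ($entry -match '^\*S-1-5-21-[\d-]+-501$') { return $true }
    }
    # Group entries (e.g. a Guests group) are not expanded here
    return $false
}

# Constructed sample input, shaped like the export lines quoted in the post
$sample = @(
    '[Privilege Rights]',
    'SeDenyInteractiveLogonRight = ASPNET,Guest,AnotherUser'
)
Test-GuestDeniedLocalLogon -InfLines $sample

# Live check on Windows (needs an elevated prompt), same secedit call as above
if ($env:OS -eq 'Windows_NT') {
    $cfg = Join-Path $env:TEMP 'UserRights.inf'
    $log = Join-Path $env:TEMP 'UserRights.log'
    secedit.exe /export /cfg $cfg /areas User_Rights /log $log | Out-Null
    if (Test-Path $cfg) { Test-GuestDeniedLocalLogon -InfLines (Get-Content $cfg) }
}
```

A `$false` result only means the Guest account itself is not listed; combine it with the enabled/disabled check to decide whether the account can appear on the log-in screen.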
