Generating Events 8004 and 8005 in Windows Logs

On DC with IP address 192.168.0.123:

wevtutil sl Microsoft-Windows-NTLM/Operational /e:true
wevtutil qe Microsoft-Windows-NTLM/Operational /q:"*[System[(EventID=8004 or EventID=8005)]]" /f:text
net share
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\my.local\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
The command completed successfully.

From another Windows machine:

PS C:\> net use \\192.168.0.123\IPC$ /user:my.local\administrator WRONG_PASSWORD
System error 1326 has occurred.

The user name or password is incorrect.

PS C:\> net use \\192.168.0.123\IPC$ /user:my.local\administrator 1234@abc
The command completed successfully.

On DC:

wevtutil qe Microsoft-Windows-NTLM/Operational /q:"*[System[(EventID=8004 or EventID=8005)]]" /f:text

does not show any events.

Configuring Security Options on DC

secpol.msc
gpupdate /force

From another Windows machine:

net use \\192.168.0.123\* /delete
net use
net use \\192.168.0.123\IPC$ /user:my.local\administrator 1234@abc

On DC:

The command

wevtutil qe Microsoft-Windows-NTLM/Operational /q:"*[System[(EventID=8004 or EventID=8005)]]" /f:text

still gives nothing.
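When the query keeps returning nothing after gpupdate, it helps to confirm on the DC what actually took effect. The following is an added example, not part of the original post: it assumes an elevated PowerShell session on the DC and reads the registry values that back the "Network security: Restrict NTLM" audit options. The post does not say which options were changed in secpol.msc, so the two checked here are an assumption. It then checks the channel state and repeats the same event filter.

```powershell
# Added example: run in an elevated PowerShell session on the DC.
# Registry values behind two "Network security: Restrict NTLM" audit options
# (which options the post changed is not stated; these two are assumed).
$checks = @(
    @{ Policy = 'Audit NTLM authentication in this domain'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name   = 'AuditNTLMInDomain' },
    @{ Policy = 'Audit Incoming NTLM Traffic'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name   = 'AuditReceivingNTLMTraffic' }
)

$report = foreach ($c in $checks) {
    # A missing value means the option is "Not defined", so nothing is audited.
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($c.Name) } else { 'not set' }
    [pscustomobject]@{ Policy = $c.Policy; Value = $value }
}
$report | Format-Table -AutoSize

# Confirm that the channel enabled with "wevtutil sl ... /e:true" is really on.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-NTLM/Operational'
"Channel enabled: $($log.IsEnabled)  Records: $($log.RecordCount)"

# Same XPath filter as the wevtutil query used in the post.
$events = Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' `
    -FilterXPath '*[System[(EventID=8004 or EventID=8005)]]' `
    -ErrorAction SilentlyContinue

if (-not $events) {
    'No 8004/8005 events recorded.'
} else {
    foreach ($e in $events) {
        "$($e.TimeCreated)  Event $($e.Id)"
        # Print each named EventData field (account, workstation and so on).
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            "    $($d.Name) = $($d.'#text')"
        }
    }
}
```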

Default Domain Controllers Policy

It displays the same settings:

gpmc.msc

Using ldp.exe

-----------
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NTLM (4230)); // v.3
	{NtAuthIdentity: User='administrator'; Pwd=<unavailable>; domain = 'my.local'}
Authenticated as: 'MY\Administrator'.
-----------

Wireshark on DC:

Opening a Share

Opened DC share from another Windows machine:

Wireshark on DC:
