digitalsoup
asked on
win2k locked out user accounts without any login attempt being made
I have a Windows 2000 domain running in native mode with only Win2K servers. A PDC and a BDC are in place, both with SP4. The domain is a .local with direct internet access through a Cisco 2610 running NAT. Every day I must unlock all of my user accounts in the AD Users and Computers plugin. Can you tell me of any known issues that would cause this to happen? I am not seeing any failures in the event log to indicate that my user accounts are being hit by a password attack. This has become a very big problem. It happens every day and sometimes several times a day. I have also experienced a day or two during this problem cycle when the lockout did not occur. Any insight would be very much appreciated.
The most interesting thing about this entry is the time: 8:37 pm. Unless you had a user working late that night, the most likely source for this logon attempt would be a virus. Scan this machine, and the rest of your network too.
ASKER
Incidentally, Dr. Stephen Svastits is not a user of mine!
Do you have AV software? If not, there are several online services you can use; just google "online virus scan".
ASKER
Symantec Corp. ver 8.1; virus defs are from 10/15 and no new updates found on LU.
We have had the same issue on one of our 2K servers as well. We found out it's a virus/hacker on the outside hashing Active Directory user accounts.
If you disable the Netlogon service and Kerberos, the hashing will stop.
As a test, try enabling the Netlogon service and Kerberos, then monitor the security logs on the server and your router.
Do an nslookup for the suspected IP address. Block that subnet coming in on your router/firewall.
Symantec Corp Def. should be at 10/21/2003
ASKER
Reason: Unknown user name or bad password
User Name: User
Domain: YOUR-5OHMF9CG1X
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: YOUR-5OHMF9CG1X
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/15/2003
Time: 8:37:10 PM
User: NT AUTHORITY\SYSTEM
Computer: KING200
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Dr. Stephen Svastits
Domain: SVASTITS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SVASTITS
What are your thoughts on this?
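Added example, not part of the thread above: the two pasted events are Event ID 529 (unknown user name or bad password), Logon Type 3 (network logon) via NTLM, reported from workstation names that are not domain members. Those are exactly the failures that count toward an account-lockout threshold, so a quick way to triage a day's security log is to parse the exported events, keep only 529/type-3 failures, and flag those whose workstation name or domain is not one we own, while counting failures per target account against the lockout threshold. The script below is written for this page; the sample log text is constructed, with the first two events modelled on the asker's paste and the rest invented, and CORP, WS01 and KING200 are assumed names for the real domain and its member hosts.

```python
"""Triage exported Windows 2000 Security-log 529 failures behind account lockouts."""
import re
from collections import Counter

# Constructed sample in the exported-event layout seen in the thread. The first two
# events mirror the asker's paste; the remaining three are invented for the example.
SAMPLE_LOG = r"""Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/15/2003
Time: 8:37:10 PM
User: NT AUTHORITY\SYSTEM
Computer: KING200
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: User
Domain: YOUR-5OHMF9CG1X
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: YOUR-5OHMF9CG1X

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/15/2003
Time: 8:37:10 PM
User: NT AUTHORITY\SYSTEM
Computer: KING200
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Dr. Stephen Svastits
Domain: SVASTITS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SVASTITS

Event Type: Failure Audit
Event ID: 529
Time: 9:02:41 AM
Computer: KING200
Reason: Unknown user name or bad password
User Name: jdoe
Domain: CORP
Logon Type: 3
Workstation Name: WS01

Event Type: Failure Audit
Event ID: 529
Time: 8:37:11 PM
Computer: KING200
Reason: Unknown user name or bad password
User Name: Administrator
Domain: CORP
Logon Type: 3
Workstation Name: SVASTITS

Event Type: Failure Audit
Event ID: 529
Time: 8:37:12 PM
Computer: KING200
Reason: Unknown user name or bad password
User Name: Administrator
Domain: CORP
Logon Type: 3
Workstation Name: SVASTITS
"""

KNOWN_WORKSTATIONS = {"KING200", "WS01"}  # assumption: hosts that are domain members
OUR_DOMAIN = "CORP"                        # assumption: the real NetBIOS domain name


def parse_events(text):
    """Split exported event text (blank line between events) into one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only: 'Time: 8:37:10 PM'
            if sep and value.strip():              # drop 'Description:' / 'Logon Failure:'
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def is_lockout_candidate(ev):
    """529 = bad password/unknown user; Logon Type 3 = network logon from another host."""
    return ev.get("Event ID") == "529" and ev.get("Logon Type") == "3"


def suspicious_logons(events, known_workstations=KNOWN_WORKSTATIONS, domain=OUR_DOMAIN):
    """529/type-3 failures from a workstation we do not own, or naming a foreign domain."""
    known = {w.upper() for w in known_workstations}
    flagged = []
    for ev in events:
        if not is_lockout_candidate(ev):
            continue
        ws = ev.get("Workstation Name", "").upper()
        dom = ev.get("Domain", "").upper()
        if ws not in known or dom != domain.upper():
            flagged.append(ev)
    return flagged


def accounts_over_threshold(events, threshold):
    """Failures per (domain, user); those at or over the lockout threshold will lock."""
    counts = Counter(
        (ev.get("Domain", "").upper(), ev.get("User Name", "").lower())
        for ev in events if is_lockout_candidate(ev)
    )
    return {acct: n for acct, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in suspicious_logons(evs):
        print(f"{ev['Time']:>11}  {ev['Domain']}\\{ev['User Name']}  from {ev['Workstation Name']}")
    print("over threshold:", accounts_over_threshold(evs, threshold=2))
```

Usage note: run it over the text you copy out of Event Viewer (one blank line between events), after setting the known-host set and domain name to your own. A workstation name such as SVASTITS or YOUR-5OHMF9CG1X that is not in Active Directory identifies the machine doing the guessing, and the per-account counts tell you which accounts are about to lock; the audit policy must log failed logon events on the DCs, or these 529s will not be there to parse.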