Random domain account lockouts
Hello,
We have a Windows Active Directory 2003 domain at the default functional level with a few NT4 domain controllers some of which are on WAN links.
Over the past 24-48 hours, we have suddenly gotten a lot of complaints that user accounts are being locked out even though the users have not logged out and logged back in. People who have just been working at their workstation all day without any logon or logout events suddenly have locked accounts in the AD-users and computers MMC.
All the domain controllers in the Headquarters building are getting their time from a GPS radio clock which is still working and serving SNTP. Has anyone run into something like this
Thank you.
We have a Windows Active Directory 2003 domain at the default functional level with a few NT4 domain controllers some of which are on WAN links.
Over the past 24-48 hours, we have suddenly gotten a lot of complaints that user accounts are being locked out even though the users have not logged out and logged back in. People who have just been working at their workstation all day without any logon or logout events suddenly have locked accounts in the AD-users and computers MMC.
All the domain controllers in the Headquarters building are getting their time from a GPS radio clock which is still working and serving SNTP. Has anyone run into something like this
Thank you.
Could be a keylogger/spyware....
SpyChecker detects keyloggers, Adware and web bugs
http://www.google.com/custom?q=&sa=Search+this+site&cof=LW%3A108%3BL%3Ahttp%3A%2F%2Fwww.spychecker.com%2Fimages%2Fspycheckerlogo.gif%3BLH%3A110%3BBGC%3A%23ffffff%3BAH%3Aleft%3BS%3Ahttp%3A%2F%2Fwww.spychecker.com%3BAWFID%3A4c8d14e1b186d0da%3B&domains=www.spychecker.com&sitesearch=www.spychecker.com
Spybot:
http://security.kolla.de/index.php
Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/
SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm
Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/
Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
SpyChecker detects keyloggers, Adware and web bugs
http://www.google.com/custom?q=&sa=Search+this+site&cof=LW%3A108%3BL%3Ahttp%3A%2F%2Fwww.spychecker.com%2Fimages%2Fspycheckerlogo.gif%3BLH%3A110%3BBGC%3A%23ffffff%3BAH%3Aleft%3BS%3Ahttp%3A%2F%2Fwww.spychecker.com%3BAWFID%3A4c8d14e1b186d0da%3B&domains=www.spychecker.com&sitesearch=www.spychecker.com
Spybot:
http://security.kolla.de/index.php
Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/
SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm
Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/
Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
BAT.Boohoo.Worm is a collection of batch files and utilities that copies itself across network shares that have weak administrator passwords. The worm establishes backdoor access to a compromised system using IRC on the IRC server port 6666 or 7000.
http://securityresponse.symantec.com/avcenter/venc/data/bat.boohoo.worm.html
http://securityresponse.symantec.com/avcenter/venc/data/bat.boohoo.worm.html
Are there any commanilties between the users getting locked out? Certain groups or users, Windows 95 workstations, other?
Steve
Steve
ASKER
Someone set bad account tries to 1 attempt while I was out on vacation
Please close question
Please close question
The Experts Exchange Help Pages - About Closing Questions
https://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
https://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
The Experts Exchange Help Pages - About Closing Questions
https://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9
https://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech
Windows 2000 Server Security Guidelines - Audit acconts
http://www.colorado.edu/its/windows2000/adminguide/w2ksecguidelines.html#localpolicy
EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html
Cybersafe Centrax Log Analyst Named Essential Microsoft Windows 2000 Security Utility
http://www.cybersafe.com/centrax/cla1.html
Event Log View EVT - analysis tool for rapid search through 64 archived logs
http://www.engagent.com/products/productsinfo.asp?product=event+log+view+evt
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open