Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Random domain account lockouts

Posted on 2004-03-29
9
Medium Priority
?
271 Views
Last Modified: 2013-12-04
Hello,

We have a Windows Active Directory 2003 domain at the default functional level with a few NT4 domain controllers some of which are on WAN links.

Over the past 24-48 hours, we have suddenly gotten a lot of complaints that user accounts are being locked out even though the users have not logged out and logged back in. People who have just been working at their workstation all day without any logon or logout events suddenly have locked accounts in the AD-users and computers MMC.

All the domain controllers in the Headquarters building are getting their time from a GPS radio clock which is still working and serving SNTP. Has anyone run into something like this

Thank you.

0
Comment
Question by:vg30e
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707329
Set up auditing to track who's trying to guess others passwords.

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Windows 2000 Server Security Guidelines - Audit acconts
http://www.colorado.edu/its/windows2000/adminguide/w2ksecguidelines.html#localpolicy

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html

Cybersafe Centrax Log Analyst Named Essential Microsoft Windows 2000 Security Utility
http://www.cybersafe.com/centrax/cla1.html

Event Log View EVT - analysis tool for rapid search through 64 archived logs
http://www.engagent.com/products/productsinfo.asp?product=event+log+view+evt

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707339
Could be a keylogger/spyware....

SpyChecker detects keyloggers, Adware and web bugs
http://www.google.com/custom?q=&sa=Search+this+site&cof=LW%3A108%3BL%3Ahttp%3A%2F%2Fwww.spychecker.com%2Fimages%2Fspycheckerlogo.gif%3BLH%3A110%3BBGC%3A%23ffffff%3BAH%3Aleft%3BS%3Ahttp%3A%2F%2Fwww.spychecker.com%3BAWFID%3A4c8d14e1b186d0da%3B&domains=www.spychecker.com&sitesearch=www.spychecker.com

Spybot:
http://security.kolla.de/index.php

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707362
BAT.Boohoo.Worm is a collection of batch files and utilities that copies itself across network shares that have weak administrator passwords. The worm establishes backdoor access to a compromised system using IRC on the IRC server port 6666 or 7000.

http://securityresponse.symantec.com/avcenter/venc/data/bat.boohoo.worm.html
0
Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

 
LVL 8

Expert Comment

by:smeek
ID: 10714333
Are there any commanilties between the users getting locked out?  Certain groups or users, Windows 95 workstations, other?

Steve
0
 

Author Comment

by:vg30e
ID: 10931837
Someone set bad account tries to 1 attempt while I was out on vacation

Please close question
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967217
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967224
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9

0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 11468873
PAQed, with points refunded (500)

CetusMOD
Community Support Moderator
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
OfficeMate Freezes on login or does not load after login credentials are input.
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question