Solved

Random domain account lockouts

Posted on 2004-03-29
Last Modified: 2013-12-04
Hello,

We have a Windows Active Directory 2003 domain at the default functional level with a few NT4 domain controllers, some of which are on WAN links.

Over the past 24-48 hours, we have suddenly gotten a lot of complaints that user accounts are being locked out even though the users have not logged out and logged back in. People who have just been working at their workstation all day without any logon or logout events suddenly have locked accounts in the AD-users and computers MMC.

All the domain controllers in the Headquarters building are getting their time from a GPS radio clock which is still working and serving SNTP. Has anyone run into something like this?

Thank you.

Question by:vg30e
9 Comments
 
LVL 12

Expert Comment

by:trywaredk
Set up auditing to track who's trying to guess others' passwords.

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Windows 2000 Server Security Guidelines - Audit accounts
http://www.colorado.edu/its/windows2000/adminguide/w2ksecguidelines.html#localpolicy

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html

Cybersafe Centrax Log Analyst Named Essential Microsoft Windows 2000 Security Utility
http://www.cybersafe.com/centrax/cla1.html

Event Log View EVT - analysis tool for rapid search through 64 archived logs
http://www.engagent.com/products/productsinfo.asp?product=event+log+view+evt

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
Could be a keylogger/spyware....

SpyChecker detects keyloggers, Adware and web bugs
http://www.google.com/custom?q=&sa=Search+this+site&cof=LW%3A108%3BL%3Ahttp%3A%2F%2Fwww.spychecker.com%2Fimages%2Fspycheckerlogo.gif%3BLH%3A110%3BBGC%3A%23ffffff%3BAH%3Aleft%3BS%3Ahttp%3A%2F%2Fwww.spychecker.com%3BAWFID%3A4c8d14e1b186d0da%3B&domains=www.spychecker.com&sitesearch=www.spychecker.com

Spybot:
http://security.kolla.de/index.php

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
0
 
LVL 12

Expert Comment

by:trywaredk
BAT.Boohoo.Worm is a collection of batch files and utilities that copies itself across network shares that have weak administrator passwords. The worm establishes backdoor access to a compromised system using IRC on the IRC server port 6666 or 7000.

http://securityresponse.symantec.com/avcenter/venc/data/bat.boohoo.worm.html
0
 
LVL 8

Expert Comment

by:smeek
Are there any commonalities between the users getting locked out? Certain groups or users, Windows 95 workstations, other?

Steve
0

Author Comment

by:vg30e
Someone set bad account tries to 1 attempt while I was out on vacation.

Please close question
0
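As an added example (not part of the thread and not any poster's code), the auditing suggested earlier can be used to tell a too-low lockout threshold, the cause reported above, from password guessing. It assumes Security-log events from the domain controllers and workstations were exported to a CSV with the constructed columns `time,event_id,account,source`; 529 and 644 are the Windows 2000/2003 event IDs for a failed logon and an account lockout.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (column names are assumptions for this example).
# Event IDs are the Windows 2000/2003 Security-log IDs:
#   529 = logon failure (unknown user name or bad password)
#   644 = user account locked out
SAMPLE_EXPORT = """time,event_id,account,source
2004-03-29 08:01:10,529,jsmith,WKS-014
2004-03-29 08:01:10,644,jsmith,WKS-014
2004-03-29 09:15:42,529,mlee,WKS-022
2004-03-29 09:15:43,644,mlee,WKS-022
2004-03-29 10:30:05,529,akhan,MAIL01
2004-03-29 10:30:05,644,akhan,MAIL01
2004-03-29 13:02:51,529,jsmith,WKS-014
2004-03-29 13:02:52,644,jsmith,WKS-014
"""

FAILED_LOGON, LOCKED_OUT = "529", "644"

def summarize_lockouts(export_text):
    """Count failures preceding each lockout and how many accounts each source hit."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Sort by time; at equal timestamps "529" sorts before "644".
    rows.sort(key=lambda r: (r["time"], r["event_id"]))
    pending = defaultdict(int)          # failures since the account's last lockout
    per_lockout = []                    # failures seen before each lockout
    hit_by_source = defaultdict(set)    # source -> accounts it failed against
    for r in rows:
        account = r["account"].lower()
        if r["event_id"] == FAILED_LOGON:
            pending[account] += 1
            hit_by_source[r["source"]].add(account)
        elif r["event_id"] == LOCKED_OUT:
            per_lockout.append(pending.pop(account, 0))
    widest = max((len(a) for a in hit_by_source.values()), default=0)
    return {
        "lockouts": len(per_lockout),
        "max_failures_before_lockout": max(per_lockout, default=0),
        "max_accounts_per_source": widest,
        # Every lockout after at most one failure points at the lockout
        # threshold, not at someone guessing passwords.
        "threshold_suspect": bool(per_lockout) and max(per_lockout) <= 1,
    }

if __name__ == "__main__":
    print(summarize_lockouts(SAMPLE_EXPORT))
```

A high `max_accounts_per_source` with several failures before each lockout is the pattern the password-guessing hypothesis would produce instead.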
 
LVL 12

Expert Comment

by:trywaredk
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
0
 
LVL 12

Expert Comment

by:trywaredk
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9

0
 

Accepted Solution

by:
CetusMOD earned 0 total points
PAQed, with points refunded (500)

CetusMOD
Community Support Moderator
0
