Solved

Random domain account lockouts

Posted on 2004-03-29
9
265 Views
Last Modified: 2013-12-04
Hello,

We have a Windows Active Directory 2003 domain at the default functional level with a few NT4 domain controllers some of which are on WAN links.

Over the past 24-48 hours, we have suddenly gotten a lot of complaints that user accounts are being locked out even though the users have not logged out and logged back in. People who have just been working at their workstation all day without any logon or logout events suddenly have locked accounts in the AD-users and computers MMC.

All the domain controllers in the Headquarters building are getting their time from a GPS radio clock which is still working and serving SNTP. Has anyone run into something like this

Thank you.

0
Comment
Question by:vg30e
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707329
Set up auditing to track who's trying to guess others passwords.

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Windows 2000 Server Security Guidelines - Audit acconts
http://www.colorado.edu/its/windows2000/adminguide/w2ksecguidelines.html#localpolicy

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html

Cybersafe Centrax Log Analyst Named Essential Microsoft Windows 2000 Security Utility
http://www.cybersafe.com/centrax/cla1.html

Event Log View EVT - analysis tool for rapid search through 64 archived logs
http://www.engagent.com/products/productsinfo.asp?product=event+log+view+evt

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707339
Could be a keylogger/spyware....

SpyChecker detects keyloggers, Adware and web bugs
http://www.google.com/custom?q=&sa=Search+this+site&cof=LW%3A108%3BL%3Ahttp%3A%2F%2Fwww.spychecker.com%2Fimages%2Fspycheckerlogo.gif%3BLH%3A110%3BBGC%3A%23ffffff%3BAH%3Aleft%3BS%3Ahttp%3A%2F%2Fwww.spychecker.com%3BAWFID%3A4c8d14e1b186d0da%3B&domains=www.spychecker.com&sitesearch=www.spychecker.com

Spybot:
http://security.kolla.de/index.php

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707362
BAT.Boohoo.Worm is a collection of batch files and utilities that copies itself across network shares that have weak administrator passwords. The worm establishes backdoor access to a compromised system using IRC on the IRC server port 6666 or 7000.

http://securityresponse.symantec.com/avcenter/venc/data/bat.boohoo.worm.html
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 8

Expert Comment

by:smeek
ID: 10714333
Are there any commanilties between the users getting locked out?  Certain groups or users, Windows 95 workstations, other?

Steve
0
 

Author Comment

by:vg30e
ID: 10931837
Someone set bad account tries to 1 attempt while I was out on vacation

Please close question
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967217
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967224
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9

0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 11468873
PAQed, with points refunded (500)

CetusMOD
Community Support Moderator
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question