Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Random domain account lockouts

Posted on 2004-03-29
9
Medium Priority
?
275 Views
Last Modified: 2013-12-04
Hello,

We have a Windows Active Directory 2003 domain at the default functional level with a few NT4 domain controllers some of which are on WAN links.

Over the past 24-48 hours, we have suddenly gotten a lot of complaints that user accounts are being locked out even though the users have not logged out and logged back in. People who have just been working at their workstation all day without any logon or logout events suddenly have locked accounts in the AD-users and computers MMC.

All the domain controllers in the Headquarters building are getting their time from a GPS radio clock which is still working and serving SNTP. Has anyone run into something like this

Thank you.

0
Comment
Question by:vg30e
9 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707329
Set up auditing to track who's trying to guess others passwords.

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Windows 2000 Server Security Guidelines - Audit acconts
http://www.colorado.edu/its/windows2000/adminguide/w2ksecguidelines.html#localpolicy

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html

Cybersafe Centrax Log Analyst Named Essential Microsoft Windows 2000 Security Utility
http://www.cybersafe.com/centrax/cla1.html

Event Log View EVT - analysis tool for rapid search through 64 archived logs
http://www.engagent.com/products/productsinfo.asp?product=event+log+view+evt

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707339
Could be a keylogger/spyware....

SpyChecker detects keyloggers, Adware and web bugs
http://www.google.com/custom?q=&sa=Search+this+site&cof=LW%3A108%3BL%3Ahttp%3A%2F%2Fwww.spychecker.com%2Fimages%2Fspycheckerlogo.gif%3BLH%3A110%3BBGC%3A%23ffffff%3BAH%3Aleft%3BS%3Ahttp%3A%2F%2Fwww.spychecker.com%3BAWFID%3A4c8d14e1b186d0da%3B&domains=www.spychecker.com&sitesearch=www.spychecker.com

Spybot:
http://security.kolla.de/index.php

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707362
BAT.Boohoo.Worm is a collection of batch files and utilities that copies itself across network shares that have weak administrator passwords. The worm establishes backdoor access to a compromised system using IRC on the IRC server port 6666 or 7000.

http://securityresponse.symantec.com/avcenter/venc/data/bat.boohoo.worm.html
0
WatchGuard Case Study: Museum of Flight

“With limited money and limited staffing, we didn’t have a lot of choices in terms of what we could do to bring efficiency. WatchGuard played a central part in changing that.” To provide strong, secure Wi-Fi access within the museum, Hunter chose to deploy WatchGuard’s AP120 APs.

 
LVL 8

Expert Comment

by:smeek
ID: 10714333
Are there any commanilties between the users getting locked out?  Certain groups or users, Windows 95 workstations, other?

Steve
0
 

Author Comment

by:vg30e
ID: 10931837
Someone set bad account tries to 1 attempt while I was out on vacation

Please close question
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967217
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967224
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9

0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 11468873
PAQed, with points refunded (500)

CetusMOD
Community Support Moderator
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Loops Section Overview

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question