Solved

Random domain account lockouts

Posted on 2004-03-29
Last Modified: 2013-12-04
Hello,

We have a Windows Active Directory 2003 domain at the default functional level with a few NT4 domain controllers some of which are on WAN links.

Over the past 24-48 hours, we have suddenly gotten a lot of complaints that user accounts are being locked out even though the users have not logged out and logged back in. People who have just been working at their workstation all day without any logon or logout events suddenly have locked accounts in the AD-users and computers MMC.

All the domain controllers in the Headquarters building are getting their time from a GPS radio clock which is still working and serving SNTP. Has anyone run into something like this?

Thank you.

Question by:vg30e
9 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707329
Set up auditing to track who's trying to guess others' passwords.

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Windows 2000 Server Security Guidelines - Audit accounts
http://www.colorado.edu/its/windows2000/adminguide/w2ksecguidelines.html#localpolicy

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html

Cybersafe Centrax Log Analyst Named Essential Microsoft Windows 2000 Security Utility
http://www.cybersafe.com/centrax/cla1.html

Event Log View EVT - analysis tool for rapid search through 64 archived logs
http://www.engagent.com/products/productsinfo.asp?product=event+log+view+evt

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707339
Could be a keylogger/spyware....

SpyChecker detects keyloggers, Adware and web bugs
http://www.google.com/custom?q=&sa=Search+this+site&cof=LW%3A108%3BL%3Ahttp%3A%2F%2Fwww.spychecker.com%2Fimages%2Fspycheckerlogo.gif%3BLH%3A110%3BBGC%3A%23ffffff%3BAH%3Aleft%3BS%3Ahttp%3A%2F%2Fwww.spychecker.com%3BAWFID%3A4c8d14e1b186d0da%3B&domains=www.spychecker.com&sitesearch=www.spychecker.com

Spybot:
http://security.kolla.de/index.php

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10707362
BAT.Boohoo.Worm is a collection of batch files and utilities that copies itself across network shares that have weak administrator passwords. The worm establishes backdoor access to a compromised system using IRC on the IRC server port 6666 or 7000.

http://securityresponse.symantec.com/avcenter/venc/data/bat.boohoo.worm.html
0
 
LVL 8

Expert Comment

by:smeek
ID: 10714333
Are there any commonalities between the users getting locked out? Certain groups or users, Windows 95 workstations, other?

Steve
0
 

Author Comment

by:vg30e
ID: 10931837
Someone set bad account tries to 1 attempt while I was out on vacation.

Please close question.
0
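The two explanations raised in this thread (password guessing versus a lockout threshold that is too low) leave different patterns in the lockout events, and the following sketch separates them. It is an added example, not part of the original thread; the function name, the sample events, the host and user names and both cut-off values are assumptions made for illustration.

```powershell
# Constructed sample of lockout events exported from the DC Security logs
# (event 644 on Windows Server 2003, 4740 on 2008 and later). Names are made up.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2004-03-29 09:02'; User = 'asmith'; Caller = 'WS-014' }
    [pscustomobject]@{ Time = [datetime]'2004-03-29 09:40'; User = 'bjones'; Caller = 'WS-102' }
    [pscustomobject]@{ Time = [datetime]'2004-03-29 10:15'; User = 'cwu';    Caller = 'WS-077' }
    [pscustomobject]@{ Time = [datetime]'2004-03-29 11:31'; User = 'asmith'; Caller = 'WS-014' }
)

# Hypothetical helper: classify a batch of lockouts by source host and policy.
function Get-LockoutTriage {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        # Domain lockout threshold, e.g. the "Lockout threshold" line of
        # `net accounts /domain`; 0 means accounts are never locked.
        [Parameter(Mandatory = $true)] [int] $LockoutThreshold,
        [int] $MinThreshold = 5,    # assumption: lowest value your baseline allows
        [int] $UsersPerSource = 3   # assumption: distinct users per host that suggests guessing
    )

    # Per source host: number of lockouts and number of distinct accounts affected.
    $sources = @($Events | Group-Object -Property Caller | ForEach-Object {
        [pscustomobject]@{
            Caller   = $_.Name
            Lockouts = $_.Count
            Users    = @($_.Group | Select-Object -ExpandProperty User -Unique).Count
        }
    })
    $guessing = @($sources | Where-Object { $_.Users -ge $UsersPerSource })

    $verdict = if ($guessing.Count -gt 0) {
        # One machine locking out many different accounts.
        'Possible password guessing; inspect: ' + ($guessing.Caller -join ', ')
    } elseif ($LockoutThreshold -gt 0 -and $LockoutThreshold -lt $MinThreshold) {
        # Each user locked out from their own host while the policy is very strict.
        "Threshold of $LockoutThreshold is below $MinThreshold; check who changed the policy"
    } else {
        'Per-user cause likely (stale saved credentials, mapped drives, services)'
    }
    [pscustomobject]@{ Verdict = $verdict; Sources = $sources }
}

# With the threshold reported in this thread (1 attempt):
(Get-LockoutTriage -Events $sample -LockoutThreshold 1).Verdict
```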
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967217
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967224
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9

0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 11468873
PAQed, with points refunded (500)

CetusMOD
Community Support Moderator
0
