Password Locking!!!

Posted on 2005-04-09
Last Modified: 2010-08-05
Running Windows servers with Windows AD.  Primary AD server with Windows 2003.  I have certain users whose passwords are getting locked out.  Verified with them and they are certain they are typing it correctly.  Did the same thing to me.  Does anybody have any ideas as to what is going on?

As always, thank you for your time on this matter.
Question by:CVCB-NetAdmin
    LVL 5

    Accepted Solution

    I have seen this only once before.  The affected user (the CEO of the company) was lending his laptop to his kids over the weekends.  As a result, trojan/zombies were being installed - either on purpose or via ignorance - and in turn the system was being used via remote control to try and brute force the CEO's domain password.  This is how I tracked it:

    1.  Same as you, the CEO's account kept getting locked for failed logon attempts.
    2.  Viewing the security log on the DC (security event auditing was enabled) showed all the failed attempts coming from his laptop.
    3.  Running netstat from his laptop showed some suspicious connections (6667-IRC was established out to an Internet host).
    4.  Viewing the active processes in taskman gave the executable to the trojan.
    5.  Safe mode deleted the trojan, and regedit cleared out all references to keep the trojan from relaunching.

    Hopefully this helps you.  Also try the obvious, like making sure antivirus is up to date and scanning regularly/realtime.  Also do a spyware scan (Ad-Aware, Spybot Search & Destroy, MS anti spyware beta, etc.).
    LVL 6

    Expert Comment

    Here is an article I provide a lot of companies that was provided by the NSA:

    Good luck and stay secure.

    LVL 4

    Expert Comment

    Check your security event log to see what computer is locking him out.  Sometimes people leave themselves logged into secondary machines and don't remember it when they change the password.  If it is his own machine where the lockout is occurring, then you need to look at .  If it is his own machine, then you probably know what applications he might be using and stored a domain password.  If you use SharePoint, check his browsers.  Same with Outlook Web Access.  I've been busted with an LDAP client in which I've saved credentials.  

    Microsoft has a few tools that may be helpful over at
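
The check from step 2 of the accepted solution and from the last comment (find which computer the failed logons come from), as an added example that is not part of the original thread. It tallies failed logons per source machine in the window before each lockout and reports whether they arrive seconds apart or spread out; the four-column export layout, the sample rows, the function name and the 2-second threshold are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample rows in a hypothetical four-column export of the DC
# security log: one row per failed logon or account lockout.
SAMPLE = """time,kind,account,source
2005-04-09 02:14:01,failed_logon,ceo,CEO-LAPTOP
2005-04-09 02:14:02,failed_logon,ceo,CEO-LAPTOP
2005-04-09 02:14:03,failed_logon,ceo,CEO-LAPTOP
2005-04-09 02:14:04,failed_logon,ceo,CEO-LAPTOP
2005-04-09 02:14:05,failed_logon,ceo,CEO-LAPTOP
2005-04-09 02:14:05,lockout,ceo,CEO-LAPTOP
2005-04-09 09:00:10,failed_logon,jdoe,KIOSK-07
2005-04-09 09:15:10,failed_logon,jdoe,KIOSK-07
2005-04-09 09:20:00,failed_logon,jdoe,JDOE-PC
2005-04-09 09:30:10,failed_logon,jdoe,KIOSK-07
2005-04-09 09:30:10,lockout,jdoe,KIOSK-07
"""
FMT = "%Y-%m-%d %H:%M:%S"


def explain_lockouts(text, window=timedelta(minutes=30), fast_gap_s=2):
    """Per lockout, list each source machine's failed logons and their pacing."""
    rows = [dict(r, time=datetime.strptime(r["time"], FMT))
            for r in csv.DictReader(io.StringIO(text))]
    findings = []
    for lock in (r for r in rows if r["kind"] == "lockout"):
        by_source = defaultdict(list)
        for r in rows:
            if (r["kind"] == "failed_logon" and r["account"] == lock["account"]
                    and lock["time"] - window <= r["time"] <= lock["time"]):
                by_source[r["source"]].append(r["time"])
        for source, times in sorted(by_source.items()):
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if not gaps:
                pattern = "single"        # one failure: not enough to judge
            elif median(gaps) <= fast_gap_s:
                pattern = "rapid"         # seconds apart: consistent with a program retrying
            else:
                pattern = "intermittent"  # spread out: consistent with a stale saved credential
            findings.append({"account": lock["account"], "source": source,
                             "failures": len(times), "pattern": pattern})
    return findings
```

A "rapid" source is the machine to inspect for unexpected processes and connections, as in the accepted solution; an "intermittent" one points at a forgotten session or stored password on that machine.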
