Password Locking!!!

Running Windows servers with Windows AD.  Primary AD server is Windows 2003.  I have certain users whose passwords keep getting locked out.  Verified with them and they are certain they are typing it correctly.  Did the same thing to me.  Does anybody have any ideas as to what is going on?

As always, thank you for your time on this matter.
Asked by CVCB-NetAdmin
Genexen commented:
I have seen this only once before.  The affected user (the CEO of the company) was lending his laptop to his kids over the weekends.  As a result, trojan/zombies were being installed - either on purpose or via ignorance - and in turn the system was being used via remote control to try and brute force the CEO's domain password.  This is how I tracked it:

1.  Same as you, the CEO's account kept getting locked for failed logon attempts.
2.  Viewing the security log on the DC (security event auditing was enabled) showed all the failed attempts coming from his laptop.
3.  Running netstat from his laptop showed some suspicious connections (6667-IRC was established out to an Internet host).
4.  Viewing the active processes in taskman gave the executable to the trojan.
5.  Safe mode deleted the trojan, and regedit cleared out all references to keep the trojan from relaunching.

Hopefully this helps you.  Also try the obvious, like making sure antivirus is up to date and scanning regularly/real-time.  Also do a spyware scan (Ad-Aware, Spybot Search & Destroy, MS AntiSpyware beta, etc.).
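Steps 3 and 4 of the procedure above (netstat for suspicious established connections, then mapping them to the owning process) can be done in one pass on a modern Windows host. This is an added example, not code from the thread; it assumes `Get-NetTCPConnection` (Windows 8 / Server 2012 and later) and treats remote port 6667 (IRC, the indicator named above) as the default suspect port:

```powershell
# Added example, not from the original thread.
# Lists established outbound TCP connections with the process that owns each one,
# and flags connections to the ports in $SuspectPorts (default: 6667/IRC, as in the
# thread). Run from an elevated prompt so process paths resolve for all PIDs.
param(
    [int[]]$SuspectPorts = @(6667)
)

Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
    ForEach-Object {
        # Owning process may have exited between the two queries; tolerate that.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Suspect   = ($_.RemotePort -in $SuspectPorts)
            Remote    = "{0}:{1}" -f $_.RemoteAddress, $_.RemotePort
            LocalPort = $_.LocalPort
            PID       = $_.OwningProcess
            Process   = $proc.ProcessName
            Path      = $proc.Path          # empty for protected/system processes
        }
    } |
    Sort-Object Suspect, Process -Descending |
    Format-Table -AutoSize
```

The `Path` column is what you carry into the cleanup step: an established connection owned by an unsigned binary in a user-writable directory is the thing to quarantine and submit to your antivirus vendor, rather than deleting by hand.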
 
cjinsocal581 commented:
Here is an article I provide to a lot of companies; it was published by the NSA: http://secureconditions.com/articles/NetworkSecurityGuidelinesNSA.pdf

Good luck and stay secure.

CJ
 
boywaja commented:
Check your security event log to see what computer is locking them out.  Sometimes people leave themselves logged into secondary machines and don't remember it when they change the password.  If it is his own machine where the lockout is occurring, then you need to look at .  If it is his own machine, then you probably know what applications he might be using and stored a domain password.  If you use SharePoint, check his browsers.  Same with Outlook Web Access.  I've been busted with an LDAP client in which I've saved credentials.  

Microsoft has a few tools that may be helpful over at http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en 
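Both Genexen's step 2 and the advice just above come down to the same query: find the lockout events for the account on the domain controller and read off the calling computer, then look at where the bad passwords are coming from. This is an added example, not code from the thread. It assumes a Server 2008 or later DC (on the asker's Windows 2003 DC the lockout event is 644 rather than 4740 and the script will not run as written), that it is run against the PDC emulator, which records every lockout in the domain, and a constructed sample account name `jdoe`:

```powershell
# Added example, not from the original thread.
# Finds which computer is locking an account out (event 4740) and where the failed
# Kerberos pre-authentications for that account originate (event 4771).
# Assumes Server 2008+ and an elevated prompt on the PDC emulator.
param(
    [string]$User  = 'jdoe',   # constructed sample account name
    [int]   $Hours = 24
)

$start = (Get-Date).AddHours(-$Hours)

# Pull a named field out of the event's EventData XML; more robust than
# indexing $_.Properties by position.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4740 = "A user account was locked out". In this event the TargetDomainName
# field carries the Caller Computer Name, i.e. the machine that sent the bad passwords.
Write-Host "Lockouts for $User in the last $Hours h:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = Get-EventField $_ 'TargetUserName'
            CallerComputer = Get-EventField $_ 'TargetDomainName'
        }
    } | Format-Table -AutoSize

# 4771 = Kerberos pre-authentication failed (wrong password). Grouping by client
# IP shows whether one forgotten session or many sources is behind the lockout.
Write-Host "Failed Kerberos pre-auth for $User by source IP:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    ForEach-Object { Get-EventField $_ 'IpAddress' } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'SourceIP'; Expression = { $_.Name } }
```

A single caller computer with a steady trickle of failures points at a stale session or a saved credential in a browser, Outlook, or an LDAP client, as boywaja describes; a high rate of failures from the user's own machine is the pattern Genexen traced to malware, and the netstat/process check in the earlier answer is the next step on that host.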