Solved

Troubleshooting Methods

Posted on 2005-05-17
Medium Priority
269 Views
Last Modified: 2013-12-04
One of the domain users complains that his account is randomly locked out from time to time.
There are no drives mapped on his workstation and he cannot identify the pattern.
Could you direct to a troubleshooting web page or give some ideas of what could be checked for this sort of problem?
This would speed up the solution by saving on the research time.

Thank You.

Question by:sstouk

6 Comments
LVL 5

Expert Comment

by:dr_binks
ID: 14021007
erm.. the account lockout should be caused by a number of unsuccessful login attempts. I was reading a file from the MS bulletin that said if users frequently get account lockouts.. say when they start.. work then it might be malware on the system trying to 'crack' accounts.
 
LVL 6

Author Comment

by:sstouk
ID: 14022358
I understand that there might be multiple reasons as you indicated - that was why I created this question.
Is there any monitoring that I could enable to catch where the lockout comes from and from what application or process?
What would you do if the user tells you the account is locked out periodically and for no reason and there are no mappings existing or remembered on his PC?
What monitoring tools would you use to catch this?
What if someone (just as an example) put a script anywhere on the domain, using his login name with an incorrect password - we have 3000+ Domain users here...
How would you catch that?
Obviously, I would start with checking the Security event log on all Domain Controllers (we have 12)... which is quite a lot of work to be done...
Do you have any suggestions or know of any existing methods of troubleshooting this kind of problem?
Thanks.
 
LVL 5

Accepted Solution

by:
dr_binks earned 750 total points
ID: 14022936
if someone told me that their account was being locked out and the drive mappings are screwed; I would do diagnostics on the domain controllers, and fileserver(s) and ask the user to log off, restart the PC and login again. Failing that I would analyse all the traffic on the network using something like www.ethereal.com or http://www.asl-fluke.co.uk/network_inspector/ (an expensive but preferred method -- not the hand held device but the monitoring software).

Now don't take my word for this.. I am in no means an "expert" in networking, I have only been a net admin for the company I work at since last September and I have had no formal training. To train myself I read every article on networking and network security I can lay my hands on (usually Microsoft bulletins and such) and they all say that a "guru" network admin will be constantly monitoring the traffic and know what "normal" network traffic looks like on his/her and that the "guru" network admin would not configure account lockouts in GPOs to save on 'help desk support' and malware will be spotted in routine traffic monitoring.

One last thing, to quote an article on network security I read... "if your network has been compromised, you cannot trust your auditing logs".

I hope this helps

~Binks
 
LVL 6

Author Comment

by:sstouk
ID: 14180990
Thanks.
We have solved the problem by generating a report based on the Security Event Log from every domain controller that we have.
We installed Microsoft Operations Manager 2005 in our environment and created a rule to catch any account locks.
Each event goes into the MS SQL Database and I created a script, which parses the MOM 2005 database and generates daily reports on the multiple different security events, "Account Lockouts, Login Failures, Membership changes etc". Overall around 50 or so reports.
These could be analyzed and checked as to the source of the problem, because each log record lists the IP address from where the lockout was generated and the attempted user name, the type of the logon and the process that generated the event.

It gives enough information to troubleshoot and find the cause of the lockouts.

Thank you for your attention to this question.
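The answer above describes a daily report built from the security event logs of every domain controller: for each lockout, the attempted user name, the source address, the logon type and the process behind the event. The script below is an added example of that kind of report and is not sstouk's MOM 2005 script; it reads a constructed CSV export (the column names and the sample records are assumptions, not real data) using the Windows 2000/2003 security event ids 529 (logon failure) and 644 (account locked out), and groups the failed logons for each locked-out user by the source they came from so the source with the most failures stands out.

```python
"""Aggregate account-lockout and logon-failure events from several domain
controllers into a per-user report of where the bad attempts came from.

The event records below are constructed for this example (not real data).
The field names are an assumption about what the collector exports; they
mirror what a Windows security audit record carries: event id, target user,
the calling workstation or address, logon type and process name.
"""
from collections import defaultdict
import csv
import io

# Windows 2000/2003 security event ids used here (the era of this thread).
EVENT_LOGON_FAILURE = 529   # Logon failure: unknown user name or bad password
EVENT_ACCOUNT_LOCKED = 644  # User account locked out

# Constructed sample export, not real log data: one line per event, in the
# shape a CSV dump from a collector database (assumed here) might take.
SAMPLE_EXPORT = """\
timestamp,dc,event_id,user,source,logon_type,process
2005-05-17 08:01:02,DC01,529,jdoe,10.1.4.22,3,-
2005-05-17 08:01:05,DC01,529,jdoe,10.1.4.22,3,-
2005-05-17 08:03:40,DC07,529,jdoe,10.1.9.7,2,winlogon.exe
2005-05-17 08:04:10,DC01,529,jdoe,10.1.4.22,3,-
2005-05-17 08:04:11,DC01,644,jdoe,10.1.4.22,-,-
2005-05-17 09:12:00,DC03,529,asmith,10.1.2.5,2,winlogon.exe
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts, with event_id as an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["event_id"] = int(row["event_id"])
    return rows


def build_report(rows):
    """Per user: lockout count, failed logons per source, logon types and
    processes seen on the failures."""
    report = {}
    for row in rows:
        entry = report.setdefault(row["user"], {
            "lockouts": 0,
            "failures_by_source": defaultdict(int),
            "logon_types": set(),
            "processes": set(),
        })
        if row["event_id"] == EVENT_ACCOUNT_LOCKED:
            entry["lockouts"] += 1
        elif row["event_id"] == EVENT_LOGON_FAILURE:
            entry["failures_by_source"][row["source"]] += 1
            entry["logon_types"].add(row["logon_type"])
            if row["process"] != "-":
                entry["processes"].add(row["process"])
    return report


def locked_out_users(report):
    """Users with at least one lockout event, sorted by name."""
    return sorted(u for u, e in report.items() if e["lockouts"] > 0)


def ranked_sources(report, user):
    """Sources of failed logons for one user, most failures first."""
    sources = report[user]["failures_by_source"]
    return sorted(sources.items(), key=lambda kv: (-kv[1], kv[0]))


def format_report(report):
    """Plain-text daily report, one block per locked-out user."""
    lines = []
    for user in locked_out_users(report):
        entry = report[user]
        lines.append(f"{user}: {entry['lockouts']} lockout(s)")
        for source, count in ranked_sources(report, user):
            lines.append(f"  {source}: {count} failed logon(s)")
        lines.append(f"  logon types: {', '.join(sorted(entry['logon_types']))}")
        procs = ", ".join(sorted(entry["processes"])) or "none recorded"
        lines.append(f"  processes: {procs}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(parse_export(SAMPLE_EXPORT))))
```

On the sample data the report shows jdoe locked out once, with three network (type 3) failures from 10.1.4.22 that carry no interactive process name and one interactive failure from 10.1.9.7; the repeated type 3 failures from a single address with no logon process are the pattern to chase first, since that is what a stale credential in a service, scheduled task or script looks like in the logs. Collecting from every domain controller matters because, as the question notes, the failures can land on any of them while the lockout itself is recorded only once.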
 
LVL 5

Expert Comment

by:dr_binks
ID: 14182695
did you actually find the cause of the problem?
 
LVL 6

Author Comment

by:sstouk
ID: 14184327
The event logs rolled over and there is no way to see the possible causes at this time.
The current security audit system that we implemented should allow us to have the data in hand when this happens again.
I am waiting for the problem to re-appear to analyze it.