Solved

Random Account Lockouts

Posted on 2007-10-16
Last Modified: 2013-12-05
I have a stand-alone server running Windows 2000 Advanced Server. I have random user accounts being locked out. I have had this happen to my own account, so I know that it is not user error during logon. Sometimes I clear the lockout, and by the time I try to log on again within minutes, the account is locked out again. Any help will be much appreciated.
0
Question by:john1p47
16 Comments
 
LVL 10

Accepted Solution

by:
archang3l earned 300 total points
ID: 20090945
Hello john1p47,

Check the security event log on the server; this will have detailed events on all logon attempts happening.
Do this by going to Start -> Run -> Eventvwr

You should see a series of failures for the accounts which get locked out. Included in the log entry is also the workstation/service from which the logon is happening; this will allow you to trace down where the failed logon attempts are coming from.

Regards,

archang3l
0
 
LVL 2

Assisted Solution

by:illuzian
illuzian earned 900 total points
ID: 20090947
Try using Account Lockout Examiner from http://netwrix.com/account_lockout_troubleshooting.html to see why the accounts are being locked out.
0
 

Author Comment

by:john1p47
ID: 20091020
I checked the event log and found that there are several accounts that have the following errors. One account has 139 logon errors from 9:37:58 thru 9:38:43. Source MSFTPSVC Event 100. The error is

"The server was unable to logon the Windows NT account 'xxxxxx' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp."
0
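As an added example (not part of the original thread or any poster's code), the sketch below shows how the MSFTPSVC Event 100 failures described above can be counted per account inside a sliding time window, which separates automated password guessing from occasional typos. The pipe-delimited export layout, the account names `acct_a` and `acct_b`, the date and the thresholds are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pulls the account name out of the MSFTPSVC Event 100 message quoted above.
ACCOUNT_RE = re.compile(r"unable to logon the Windows NT account '([^']+)'")

def parse_failures(lines):
    """Yield (timestamp, account) for each MSFTPSVC Event 100 logon failure.

    Assumed line layout (constructed for this example, not a native
    Event Viewer format): timestamp|source|event_id|message
    """
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed rows
        stamp, source, event_id, message = parts
        if source != "MSFTPSVC" or event_id != "100":
            continue  # only FTP service logon failures are of interest here
        match = ACCOUNT_RE.search(message)
        if match and "Logon failure" in message:
            yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), match.group(1).lower()

def find_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {account: peak failures inside any sliding window} for accounts
    that reach the threshold (assumed values; tune to the lockout policy)."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for stamp, account in sorted(parse_failures(lines)):
        q = recent[account]
        q.append(stamp)
        while stamp - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[account] = max(peak[account], len(q))
    return {a: n for a, n in peak.items() if n >= threshold}

MSG = ("The server was unable to logon the Windows NT account '{}' due to the "
       "following error: Logon failure: unknown user name or bad password.")
START = datetime(2007, 10, 16, 9, 37, 58)  # constructed date, times from the post
# Constructed sample: 139 failures in 45 s for one account, 2 typos for another.
SAMPLE = [f"{START + timedelta(seconds=i * 45 / 138):%Y-%m-%d %H:%M:%S}"
          f"|MSFTPSVC|100|{MSG.format('acct_a')}" for i in range(139)]
SAMPLE += [f"2007-10-16 10:0{i}:00|MSFTPSVC|100|{MSG.format('acct_b')}" for i in (1, 5)]
SAMPLE.append("2007-10-16 09:38:00|Security|529|unrelated row")

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

A burst like the one for `acct_a` points at the FTP service as the lockout source, so the FTP service's own connection logs are the place to look for the remote address that the security log does not record.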

 
LVL 2

Assisted Solution

by:illuzian
illuzian earned 900 total points
ID: 20091090
0
 

Author Comment

by:john1p47
ID: 20091119
Illuzian, thanks for the suggestion. The article suggests upgrading to the latest service pack. I am already upgraded to service pack 4.
0
 

Author Comment

by:john1p47
ID: 20094664
If anyone has any additional suggestions about resolving this issue of random account lockouts I would really appreciate it.
Thanks
0
 
LVL 2

Assisted Solution

by:illuzian
illuzian earned 900 total points
ID: 20097904
0
 
LVL 2

Expert Comment

by:t_hewlett
ID: 20123702
Are all the machines showing the correct time? More than 5 mins out and they will lock out, I think.
0
 

Author Comment

by:john1p47
ID: 20124156
Thanks to everyone for your help! It turns out that our server is being attacked from an outside source. I'm not sure how the usernames were discovered, but at least now I know what to work on. I am planning on giving my customer a new IP address and taking the IP address that is being used to attack the user accounts offline. If anyone has a different solution, I would really appreciate the input.
Thanks again to everyone for the help.
0
 
LVL 2

Expert Comment

by:t_hewlett
ID: 20124317
Do you not have a firewall where you can block the incoming port or IP address?
0
 

Author Comment

by:john1p47
ID: 20124407
I do have a firewall, but the security log does not give the incoming IP address; it only has the domain listed as CICFTPSERVER and the workstation listed as CICFTPSERVER.
0
 
LVL 2

Assisted Solution

by:t_hewlett
t_hewlett earned 300 total points
ID: 20125325
The host name should resolve to an arp command. Can you ping the machine and get a reply? If so, open a command box and type arp -a. This should list the most recent arp cache, so make sure you ping and use the arp command quickly. From the arp command you should get a MAC for the machine, and this can then be blocked.

0
 

Author Comment

by:john1p47
ID: 20125635
Thanks t_hewlett, when I try to ping the domain name I get "Unknown Host".
0
 
LVL 2

Expert Comment

by:t_hewlett
ID: 20126099
Bit of a mare, this. I guess to get the MAC you may need to disable your firewall, which is not the sort of thing you should do, and it may still not resolve. Looks like the IP change is the easy option. Sorry, failed on this one ;-(
0
 

Author Comment

by:john1p47
ID: 20126340
No problem I appreciate the time you spent on this for me!
0
 
LVL 2

Expert Comment

by:t_hewlett
ID: 20128870
What about asking your ISP to block the machine on their routers or firewall? Anyway, good luck whatever you do.
0
