
Random Account Lockouts

I have a stand-alone server running Windows 2000 Advanced Server. I have random user accounts being locked out. I have had this happen to my own account, so I know that it is not user error during logon. Sometimes I clear the lockout, and by the time I try to log on again within minutes, the account is locked out again. Any help will be much appreciated.
Asked by: john1p47
5 Solutions
 
archang3l Commented:
Hello john1p47,

Check the security event log on the server; this will have detailed events on all logon attempts happening.
Do this by going to Start -> Run -> Eventvwr

You should see a series of failures for the accounts which get locked out. Included in the log entry is also the workstation/service from which the logon is happening; this will allow you to trace down where the failed logon attempts are coming from.

Regards,

archang3l
 
illuzian Commented:
Try using Account Lockout Examiner from http://netwrix.com/account_lockout_troubleshooting.html to see why the accounts are being locked out.
 
john1p47 (Author) Commented:
I checked the event log and found that there are several accounts that have the following errors. One account has 139 logon errors from 9:37:58 thru 9:38:43. Source MSFTPSVC, Event 100. The error is:

"The server was unable to logon the Windows NT account 'xxxxxx' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp."
 
illuzian Commented:
 
john1p47 (Author) Commented:
Illuzian, thanks for the suggestion. The article suggests upgrading to the latest service pack. I am already upgraded to service pack 4.
 
john1p47 (Author) Commented:
If anyone has any additional suggestions about resolving this issue of random account lockouts I would really appreciate it.
Thanks
 
t_hewlett Commented:
Are all the machines showing the correct time? More than 5 mins out and they will lock out, I think.
 
john1p47 (Author) Commented:
Thanks to everyone for your help! It turns out that our server is being attacked from an outside source. I'm not sure how the usernames were discovered, but at least now I know what to work on. I am planning on giving my customer a new IP address and taking the IP address that is being used to attack the user accounts offline. If anyone has a different solution I would really appreciate the input.
Thanks again to everyone for the help.
 
t_hewlett Commented:
Do you not have a firewall where you can block the incoming port or IP address?
 
john1p47 (Author) Commented:
I do have a firewall, but the security log does not give the incoming IP address; it only has the domain listed as CICFTPSERVER and workstation listed as CICFTPSERVER.
 
t_hewlett Commented:
The host name should resolve to an arp command. Can you ping the machine and get a reply? If so, open a command box and type arp -a. This should list the most recent arp cache, so make sure you ping and use the arp command quickly. From the arp command you should get a MAC for the machine, and this can then be blocked.

 
john1p47 (Author) Commented:
Thanks t_hewlett, when I try to ping the domain name I get "Unknown Host".
 
t_hewlett Commented:
Bit of a mare, this. I guess to get the MAC you may need to disable your firewall, which is not the sort of thing you should do, and it may still not resolve. Looks like the IP change is the easy option. Sorry, failed on this one ;-(
 
john1p47 (Author) Commented:
No problem, I appreciate the time you spent on this for me!
 
t_hewlett Commented:
What about asking your ISP to block the machine on their routers or firewall? Anyway, good luck whatever you do.
Question has a verified solution.
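
The pattern reported in the thread (139 MSFTPSVC Event 100 failures against one account in under a minute) can be flagged automatically. The following Python sketch is an added example, not code from any poster in the thread: it scans an exported event log for such bursts per account. The tab-separated export layout (timestamp, source, event ID, message), the account names, and the threshold and window values are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Matches the Event 100 wording quoted in the thread and captures the account name.
ACCOUNT_RE = re.compile(r"unable to logon the Windows NT account '([^']*)'")
MSG = ("The server was unable to logon the Windows NT account '{}' due to the "
       "following error: Logon failure: unknown user name or bad password.")

def build_sample():
    """Constructed data: 12 failures on 'alice' 4 s apart, 2 spaced failures on 'bob'."""
    base = datetime(2005, 3, 1, 9, 37, 58)
    rows = []
    for i in range(12):
        ts = base + timedelta(seconds=4 * i)
        rows.append(f"{ts.strftime(FMT)}\tMSFTPSVC\t100\t{MSG.format('alice')}")
    for minutes in (0, 30):
        ts = base + timedelta(minutes=minutes)
        rows.append(f"{ts.strftime(FMT)}\tMSFTPSVC\t100\t{MSG.format('bob')}")
    rows.append(f"{base.strftime(FMT)}\tW3SVC\t100\tunrelated event")
    return rows

def parse(lines):
    """Yield (timestamp, account) for MSFTPSVC Event 100 logon failures only."""
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) == 4 and parts[1] == "MSFTPSVC" and parts[2] == "100":
            m = ACCOUNT_RE.search(parts[3])
            if m:
                # Windows account names are case-insensitive, so normalise.
                yield datetime.strptime(parts[0], FMT), m.group(1).lower()

def find_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {account: (first_ts, last_ts, count)} for the largest run of
    >= threshold failures that fits inside one sliding window."""
    recent = defaultdict(deque)   # per-account timestamps still inside the window
    bursts = {}
    for ts, acct in sorted(parse(lines)):
        q = recent[acct]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > bursts.get(acct, (None, None, 0))[2]:
            bursts[acct] = (q[0], ts, len(q))
    return bursts

if __name__ == "__main__":
    for acct, (start, end, n) in find_bursts(build_sample()).items():
        print(f"{acct}: {n} failures from {start.strftime(FMT)} to {end.strftime(FMT)}")
```

Set the threshold and window below the server's lockout policy so a burst is reported before or as accounts lock.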