Error 680, 675 and 539.... User getting locked out. Am I getting hacked?
Posted on 2008-06-20
User changed his pw at home over VPN for his Windows account via Ctrl + Alt + Del. That was on Monday. Ever since, he has been getting locked out randomly. Today it has become every 5 - 10 min. I am constantly seeing the errors listed in the title on both of our DCs as well as our Exchange server. About 60% of the failure events on the DCs point to his machine, 35% to our Exchange server, and the other 5% have no computer name. On the Exchange server (also Server 03, just like the DCs) about 50% are coming from that server, and the other 50% are either unknown or are coming from a server/computer named "Hosted12". I have never heard of Hosted12 in our network, and when looking at some of the logs I get a public IP for this that comes from rr.com (I think Road Runner). This could, however, be a BlackBerry plugin 3rd-party service that we used to use for getting email to our BlackBerry users, but I doubt it.
How can I verify what is going on and overall rectify this whole situation? I am somewhat new to the server world, so I may need a little coaching here...
Also, to add to the confusion, while troubleshooting (and only while troubleshooting) I set a group policy to keep this user from locking out; however, the user continues to get locked out... All of the rest of the GPs work, so I am fairly sure that I am blocking inheritance policies correctly.
I really need some quick help on this please!!!