Khan Rahman

asked on

Account Lockout on Main Server

Hi guys,
Please see event ID 539 on our domain controller. Many users are finding that their accounts are locked. Here is a bit of background: we installed a wireless network and used IAS on the PDC.

Please help
Logon Failure:
       Reason:            Account locked out
       User Name:      jliu
       Domain:      MAR-TOR-DOM
       Logon Type:      3
       Logon Process:      CHAP
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      
       Caller User Name:      TORSRV00$
       Caller Domain:      MAR-TOR-DOM
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 824
       Transited Services: -
       Source Network Address:      -
       Source Port:      -



Event id 539

Khan Rahman

ASKER

We are getting this error as well
Logon Failure:
       Reason:            Account locked out
       User Name:      JDarnbrough
       Domain:      MAR-TOR-DOM
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      CLTOR9VWK291-1
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      10.1.5.157
       Source Port:      0

Hi guys!! You might have been infected with the "Conficker worm", which has been in the wild recently.

Try to run the file attached, which could help you isolate the problem.
Update your servers/machines with the latest patches and antivirus updates.

regards,
Problem-Description-Conficker.pdf
Are the accounts being locked out all wireless users authenticating using 802.1X? If so, then try stopping IAS and manually enabling the accounts and see if the errors stop; if they do, then try having them log on using a wired PC and see if it locks their account or not.

I would look specifically into your authentication and encryption settings in your remote access policies; it's possible the event is being generated because of a mismatch there.

Lastly, if you have ISA Server installed, try moving your other policies above it. I had a problem with the ISA policy (which only specifies logon times) causing problems.
Hi SectorX4,
Not only wireless users, but a few regular wired users are also getting locked out. The confusing part is that the log says they are locked out, and so does the screen on their PC, but when I go to AD and find the user, the account is not locked out...this button cannot be clicked.
Sorry...plus we do not have ISA.
So Active Directory shows them as enabled, but you also cannot select "Disable"?

bcoyxp might have a point, as that worm will attempt to brute-force administrator accounts, and if you have policies in place for account lockout it could be pushing those limits. If the disable option is greyed out, then it could be because the disabling of the account was done by the system, not administratively like through AD.
The account lockout is greyed out...but based on bcoyxp...I will not be able to go to Windows Update...but I can...I just updated the server.
The server doesn't necessarily need to be on the server, only on the client PCs which are trying to log in to the server.

If your users have their own PCs, try scanning the PCs that the users with disabled accounts use.

Is there anything else in the event log out of the ordinary (Make sure to check informational events as well) apart from what you have posted already?
ASKER CERTIFIED SOLUTION
bcoyxp
The problem was resolved...by installing Windows Updates and changing the session timeout from the WLAN.
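
An added example, not part of the thread or any poster's code: a Python triage helper that takes Event ID 539 descriptions pasted in the layout shown in the posts above and groups the locked-out accounts by where the failing logon came from, so one workstation hitting several accounts stands apart from lockouts reported through a local service caller. The sample events, account names and host names are constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): Event ID 539 descriptions trimmed
# to the fields used below, in the layout the posts show.
SAMPLE = """Logon Failure:
    User Name:  alice
    Logon Process:  CHAP
    Workstation Name:
    Caller User Name:  SRV01$
Logon Failure:
    User Name:  bob
    Logon Process:  NtLmSsp
    Workstation Name:  WKS-A
    Caller User Name:  -
Logon Failure:
    User Name:  carol
    Logon Process:  NtLmSsp
    Workstation Name:  WKS-A
    Caller User Name:  -
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """One dict per 'Logon Failure:' block; '-' and blank values become ''."""
    events = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, val = m.groups()
        if key == "Logon Failure":
            events.append({})
        elif events:
            events[-1][key] = "" if val == "-" else val
    return events

def source_of(ev):
    """Name where the failed logon came from: a client host, or a local service."""
    host = ev.get("Workstation Name") or ev.get("Source Network Address")
    if host:
        return f"host {host}"
    caller = ev.get("Caller User Name")
    return f"service {caller} ({ev.get('Logon Process')})" if caller else "unknown"

def users_by_source(events):
    """Map each source to the sorted distinct accounts it produced lockout events for."""
    seen = defaultdict(set)
    for ev in events:
        seen[source_of(ev)].add(ev.get("User Name", "").lower())
    return {src: sorted(users) for src, users in seen.items()}
```

Calling `users_by_source(parse_events(text))` on exported Security log descriptions gives a per-source list of affected accounts; a host entry with many distinct accounts is the first machine to scan.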