?
Solved

SBS Server 2003 Accounts Locked Out

Posted on 2009-05-20
14
Medium Priority
?
324 Views
Last Modified: 2012-05-07
I've got a serious problem on my hands, this morning a couple of users have been getting a message saying their account is locked out. In AD it does not show as being locked out. I've had to reset the password and everything goes through fine. SOme users Outlook is also prompting for their username and password again???
0
Comment
Question by:takwirirar
  • 7
  • 6
14 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430351
Can you check with the FSMO roles and is this server a GC as well ?
Is there any other DC in the AD forest ?
Is there any GP that is not working and errors in the App or Sys logs on the server ?
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430395
Actually I've checked again in AD, I was using RSAT before. There isnt another DC. IT is a GC Server and that where Exchange sits.

I havent applied any new GP's

I've got this error in eventvwr

The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430456
I cant view my GP settings on the server but can through RSAT??
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430461
humm by default its 3 and if someone is putting the wrong password for 3 times his account would be locked. Is there any disk errors in the Sys log.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430476
No disk errors in the sys log, at least 75% of all accounts are locked out, im sure they all didnt enter the wrong password
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430491
Would be fine if you could restart the SBS server as the account lockout is looked by the PDC emulator role server or the GC.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430535
Cant restart the server now since people are working.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430566
No issues try this after production hours and verify.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24431098
Hi things have progressed, the accounts I unlocked earlier have been locked out again! Could someone be trying a brute force on my domain. I have no way of checking this please help!
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24431213
no idea but would recommend you to once reboot the server as accounts are getting locked any way and for security i have no idea how to check that.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24432181
I found the reason, I have thousands of entries saying the following

Pre-authentication failed:
       User Name:      Administrator
       User ID:            domain\administrator
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      192.168.1.96

What could be causing this PC to want to authenticate so many times with different user accounts?
0
 
LVL 65

Accepted Solution

by:
Mestha earned 1500 total points
ID: 24432544
That sounds like a BOT is running.
Find that machine, shut it down. See whether that stops the account lock outs.

The administrator account is the usual target as it doesn't lock out.

Simon.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24438522
Were you able to resolve the issue.
0
 
LVL 1

Author Closing Comment

by:takwirirar
ID: 31583445
The PC's without up to date AV were the ones botting, however the only 2 vista machines are still botting but not as often
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you looking for the options available for exporting EDB files to PST? You may be confused as they are different in different Exchange versions. Here, I will discuss some options available.
This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question