[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

SBS Server 2003 Accounts Locked Out

Posted on 2009-05-20
14
Medium Priority
?
317 Views
Last Modified: 2012-05-07
I've got a serious problem on my hands, this morning a couple of users have been getting a message saying their account is locked out. In AD it does not show as being locked out. I've had to reset the password and everything goes through fine. SOme users Outlook is also prompting for their username and password again???
0
Comment
Question by:takwirirar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
14 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430351
Can you check with the FSMO roles and is this server a GC as well ?
Is there any other DC in the AD forest ?
Is there any GP that is not working and errors in the App or Sys logs on the server ?
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430395
Actually I've checked again in AD, I was using RSAT before. There isnt another DC. IT is a GC Server and that where Exchange sits.

I havent applied any new GP's

I've got this error in eventvwr

The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430456
I cant view my GP settings on the server but can through RSAT??
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430461
humm by default its 3 and if someone is putting the wrong password for 3 times his account would be locked. Is there any disk errors in the Sys log.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430476
No disk errors in the sys log, at least 75% of all accounts are locked out, im sure they all didnt enter the wrong password
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430491
Would be fine if you could restart the SBS server as the account lockout is looked by the PDC emulator role server or the GC.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430535
Cant restart the server now since people are working.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430566
No issues try this after production hours and verify.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24431098
Hi things have progressed, the accounts I unlocked earlier have been locked out again! Could someone be trying a brute force on my domain. I have no way of checking this please help!
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24431213
no idea but would recommend you to once reboot the server as accounts are getting locked any way and for security i have no idea how to check that.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24432181
I found the reason, I have thousands of entries saying the following

Pre-authentication failed:
       User Name:      Administrator
       User ID:            domain\administrator
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      192.168.1.96

What could be causing this PC to want to authenticate so many times with different user accounts?
0
 
LVL 65

Accepted Solution

by:
Mestha earned 1500 total points
ID: 24432544
That sounds like a BOT is running.
Find that machine, shut it down. See whether that stops the account lock outs.

The administrator account is the usual target as it doesn't lock out.

Simon.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24438522
Were you able to resolve the issue.
0
 
LVL 1

Author Closing Comment

by:takwirirar
ID: 31583445
The PC's without up to date AV were the ones botting, however the only 2 vista machines are still botting but not as often
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One-stop solution for Exchange Administrators to address all MS Exchange Server issues, which is known by the name of Stellar Exchange Toolkit.
Here in this article, you will get a step by step guidance on how to restore an Exchange database to a recovery database. Get a brief on Recovery Database and how it can be used to restore Exchange database in this section!
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question