?
Solved

SBS Server 2003 Accounts Locked Out

Posted on 2009-05-20
14
Medium Priority
?
307 Views
Last Modified: 2012-05-07
I've got a serious problem on my hands, this morning a couple of users have been getting a message saying their account is locked out. In AD it does not show as being locked out. I've had to reset the password and everything goes through fine. SOme users Outlook is also prompting for their username and password again???
0
Comment
Question by:takwirirar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
14 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430351
Can you check with the FSMO roles and is this server a GC as well ?
Is there any other DC in the AD forest ?
Is there any GP that is not working and errors in the App or Sys logs on the server ?
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430395
Actually I've checked again in AD, I was using RSAT before. There isnt another DC. IT is a GC Server and that where Exchange sits.

I havent applied any new GP's

I've got this error in eventvwr

The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430456
I cant view my GP settings on the server but can through RSAT??
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430461
humm by default its 3 and if someone is putting the wrong password for 3 times his account would be locked. Is there any disk errors in the Sys log.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430476
No disk errors in the sys log, at least 75% of all accounts are locked out, im sure they all didnt enter the wrong password
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430491
Would be fine if you could restart the SBS server as the account lockout is looked by the PDC emulator role server or the GC.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430535
Cant restart the server now since people are working.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430566
No issues try this after production hours and verify.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24431098
Hi things have progressed, the accounts I unlocked earlier have been locked out again! Could someone be trying a brute force on my domain. I have no way of checking this please help!
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24431213
no idea but would recommend you to once reboot the server as accounts are getting locked any way and for security i have no idea how to check that.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24432181
I found the reason, I have thousands of entries saying the following

Pre-authentication failed:
       User Name:      Administrator
       User ID:            domain\administrator
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      192.168.1.96

What could be causing this PC to want to authenticate so many times with different user accounts?
0
 
LVL 65

Accepted Solution

by:
Mestha earned 1500 total points
ID: 24432544
That sounds like a BOT is running.
Find that machine, shut it down. See whether that stops the account lock outs.

The administrator account is the usual target as it doesn't lock out.

Simon.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24438522
Were you able to resolve the issue.
0
 
LVL 1

Author Closing Comment

by:takwirirar
ID: 31583445
The PC's without up to date AV were the ones botting, however the only 2 vista machines are still botting but not as often
0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Let's recap what we learned from yesterday's Skyport Systems webinar.
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Suggested Courses
Course of the Month11 days, 20 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question