David C
SBS Server 2003 Accounts Locked Out
I've got a serious problem on my hands. This morning a couple of users have been getting a message saying their account is locked out. In AD it does not show as being locked out. I've had to reset the password and everything goes through fine. Some users' Outlook is also prompting for their username and password again???
ASKER
Actually I've checked again in AD, I was using RSAT before. There isn't another DC. It is a GC server and that's where Exchange sits.
I haven't applied any new GPs.
I've got this error in eventvwr
The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
ASKER
I can't view my GP settings on the server but can through RSAT??
Hmm, by default it's 3, and if someone puts in the wrong password 3 times his account would be locked. Are there any disk errors in the Sys log?
ASKER
No disk errors in the sys log. At least 75% of all accounts are locked out; I'm sure they all didn't enter the wrong password.
Would be fine if you could restart the SBS server as the account lockout is looked by the PDC emulator role server or the GC.
ASKER
Can't restart the server now since people are working.
No issues, try this after production hours and verify.
ASKER
Hi, things have progressed: the accounts I unlocked earlier have been locked out again! Could someone be trying a brute force on my domain? I have no way of checking this, please help!
No idea, but I would recommend you reboot the server once, as accounts are getting locked anyway, and for security I have no idea how to check that.
ASKER
I found the reason. I have thousands of entries saying the following:
Pre-authentication failed:
User Name: Administrator
User ID: domain\administrator
Service Name: krbtgt/domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.1.96
What could be causing this PC to want to authenticate so many times with different user accounts?
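An added example, not part of the original thread: a Python sketch that tallies "Pre-authentication failed" records like the one quoted above by client address, to pick out a host that fails against many different accounts. It assumes the events were exported as plain text in that layout; the thresholds, the user names other than Administrator and the second address are made up.

```python
import re
from collections import defaultdict

BAD_PASSWORD = "0x18"  # Kerberos KDC_ERR_PREAUTH_FAILED: wrong password supplied
FIELD = re.compile(r"^\s*([^:\n]+):[ \t]*(.*)$", re.M)

def parse_records(text):
    """Split exported event text into one dict per 'Pre-authentication failed' record."""
    return [{k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
            for chunk in text.split("Pre-authentication failed:")[1:]]

def summarize(records):
    """Per client address: count of bad-password failures and the accounts targeted."""
    by_client = defaultdict(lambda: {"failures": 0, "users": set()})
    for rec in records:
        if rec.get("Failure Code", "").lower() != BAD_PASSWORD:
            continue  # other failure codes are not password guesses
        entry = by_client[rec.get("Client Address", "unknown")]
        entry["failures"] += 1
        entry["users"].add(rec.get("User Name", "").lower())
    return dict(by_client)

def suspicious_clients(summary, min_failures=10, min_users=3):
    """Hosts failing against many different accounts look like automated guessing,
    not one user mistyping a password. Thresholds are assumptions to tune."""
    hits = [(ip, s["failures"], len(s["users"])) for ip, s in summary.items()
            if s["failures"] >= min_failures and len(s["users"]) >= min_users]
    return sorted(hits, key=lambda h: h[1], reverse=True)

def make_record(user, client, code="0x18"):
    """Build a constructed record in the same layout as the event quoted above."""
    return ("Pre-authentication failed:\n"
            f"User Name: {user}\nUser ID: domain\\{user}\n"
            "Service Name: krbtgt/domain\nPre-Authentication Type: 0x2\n"
            f"Failure Code: {code}\nClient Address: {client}\n\n")

# Constructed sample: user names other than Administrator and the second
# address are invented for illustration.
SAMPLE = "".join(make_record(u, "192.168.1.96")
                 for u in ["Administrator", "alice", "bob", "carol"] * 5)
SAMPLE += make_record("dave", "192.168.1.20") * 2  # one user mistyping

if __name__ == "__main__":
    for ip, failures, users in suspicious_clients(summarize(parse_records(SAMPLE))):
        print(f"{ip}: {failures} bad-password failures across {users} accounts")
```

A host flagged this way is the one to pull off the network and scan first; the lockouts stop once the source of the failed logons is cleaned.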
Were you able to resolve the issue?
ASKER
The PCs without up-to-date AV were the ones botting; however, the only 2 Vista machines are still botting, but not as often.
Is there any other DC in the AD forest?
Is there any GP that is not working and errors in the App or Sys logs on the server?