Solved

SBS Server 2003 Accounts Locked Out

Posted on 2009-05-20
14
286 Views
Last Modified: 2012-05-07
I've got a serious problem on my hands, this morning a couple of users have been getting a message saying their account is locked out. In AD it does not show as being locked out. I've had to reset the password and everything goes through fine. SOme users Outlook is also prompting for their username and password again???
0
Comment
Question by:takwirirar
  • 7
  • 6
14 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430351
Can you check with the FSMO roles and is this server a GC as well ?
Is there any other DC in the AD forest ?
Is there any GP that is not working and errors in the App or Sys logs on the server ?
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430395
Actually I've checked again in AD, I was using RSAT before. There isnt another DC. IT is a GC Server and that where Exchange sits.

I havent applied any new GP's

I've got this error in eventvwr

The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430456
I cant view my GP settings on the server but can through RSAT??
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430461
humm by default its 3 and if someone is putting the wrong password for 3 times his account would be locked. Is there any disk errors in the Sys log.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430476
No disk errors in the sys log, at least 75% of all accounts are locked out, im sure they all didnt enter the wrong password
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430491
Would be fine if you could restart the SBS server as the account lockout is looked by the PDC emulator role server or the GC.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430535
Cant restart the server now since people are working.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430566
No issues try this after production hours and verify.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24431098
Hi things have progressed, the accounts I unlocked earlier have been locked out again! Could someone be trying a brute force on my domain. I have no way of checking this please help!
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24431213
no idea but would recommend you to once reboot the server as accounts are getting locked any way and for security i have no idea how to check that.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24432181
I found the reason, I have thousands of entries saying the following

Pre-authentication failed:
       User Name:      Administrator
       User ID:            domain\administrator
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      192.168.1.96

What could be causing this PC to want to authenticate so many times with different user accounts?
0
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24432544
That sounds like a BOT is running.
Find that machine, shut it down. See whether that stops the account lock outs.

The administrator account is the usual target as it doesn't lock out.

Simon.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24438522
Were you able to resolve the issue.
0
 
LVL 1

Author Closing Comment

by:takwirirar
ID: 31583445
The PC's without up to date AV were the ones botting, however the only 2 vista machines are still botting but not as often
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now