Solved

SBS Server 2003 Accounts Locked Out

Posted on 2009-05-20
14
288 Views
Last Modified: 2012-05-07
I've got a serious problem on my hands, this morning a couple of users have been getting a message saying their account is locked out. In AD it does not show as being locked out. I've had to reset the password and everything goes through fine. SOme users Outlook is also prompting for their username and password again???
0
Comment
Question by:takwirirar
  • 7
  • 6
14 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430351
Can you check with the FSMO roles and is this server a GC as well ?
Is there any other DC in the AD forest ?
Is there any GP that is not working and errors in the App or Sys logs on the server ?
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430395
Actually I've checked again in AD, I was using RSAT before. There isnt another DC. IT is a GC Server and that where Exchange sits.

I havent applied any new GP's

I've got this error in eventvwr

The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430456
I cant view my GP settings on the server but can through RSAT??
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430461
humm by default its 3 and if someone is putting the wrong password for 3 times his account would be locked. Is there any disk errors in the Sys log.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430476
No disk errors in the sys log, at least 75% of all accounts are locked out, im sure they all didnt enter the wrong password
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430491
Would be fine if you could restart the SBS server as the account lockout is looked by the PDC emulator role server or the GC.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24430535
Cant restart the server now since people are working.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24430566
No issues try this after production hours and verify.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24431098
Hi things have progressed, the accounts I unlocked earlier have been locked out again! Could someone be trying a brute force on my domain. I have no way of checking this please help!
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24431213
no idea but would recommend you to once reboot the server as accounts are getting locked any way and for security i have no idea how to check that.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 24432181
I found the reason, I have thousands of entries saying the following

Pre-authentication failed:
       User Name:      Administrator
       User ID:            domain\administrator
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      192.168.1.96

What could be causing this PC to want to authenticate so many times with different user accounts?
0
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24432544
That sounds like a BOT is running.
Find that machine, shut it down. See whether that stops the account lock outs.

The administrator account is the usual target as it doesn't lock out.

Simon.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24438522
Were you able to resolve the issue.
0
 
LVL 1

Author Closing Comment

by:takwirirar
ID: 31583445
The PC's without up to date AV were the ones botting, however the only 2 vista machines are still botting but not as often
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
This article runs through the process of deploying a single EXE application selectively to a group of user.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question