skbarnard

account lock outs

We've been experiencing account lock outs in our Active Directory - acting like bad password attempts.  We've looked at the event viewer on the Domain Controller in question and the failure audits occur within 2-3 seconds for the same user.  I don't think any user could type their password incorrectly that many times to lock their account out that quickly.  Has anyone else ever experienced a problem with account lock outs but the user didn't fail typing in their password?
This also seems to affect the synchronization of our users' PDA phones - if the account is locked out, the password is then not supplied and the synchronization won't occur.
SOLUTION
Mike Kline
This solution is only available to members.
skbarnard

ASKER

Thanks mkline71 --
We've done a scan on the machine in question using our anti-virus client (OfficeScan -- Trend Micro) and no virus or malware was detected. We're now looking to see if there are some incompatibilities with Active Directory and OfficeScan version 10.0. If you or anyone out there knows of any issues with that, your response(s) would be greatly appreciated.
There can also be an issue where an application is trying to submit a saved password repeatedly; if the saved password it was trying to submit was wrong, then the issue you describe could occur.
It appears we may have a variant of the Conficker virus which we're currently working to eradicate. Thanks to all who have answered and I will post whether this was the actual issue once we've cleaned the suspect computers.
Oh man good luck on that, luckily we haven't been hit with Conficker yet....knock on wood.
It appears we did have a variant of the Conficker worm that attacks Active Directory. We have blocked ports of the suspect computers but then the users will plug the computer into another port so we've had to chase the rabbit a little bit. As we approach the finish, the lockouts are happening less frequently. Thanks to all who contributed.
It looks like we are having this same issue now and we did have a run-in with Conficker around this time frame. Do you know which variant it was?

Thanks
Ed
Sorry, I can't remember the variant. We've now been having a run-in with Qbot - here are a few of the variants: JS_QAKBOT.BOJ, BKDR_QAKBOT.DAM, BKDR_QAKBOT.SME, BKDR_QAKBOT.SMC, TROJ_QAKJOB.SM, BKDR_QAKBOT.NEG, BKDR_QAKBOT.SMZP, BKDR_QAKBOT.EOF. This is a nasty rootkit that infects the root drive (infected files look like gibberish == i.e. ixektqf) and you'll find an unauthorized scheduled task (or tasks), but it also grabs accounts and tries to log in as that user. Kill the scheduled tasks and delete all files that look like gibberish. The good news is that if the account locks out, the virus was UNsuccessful at logging in. Bad news is, the account still locks out.
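
The pattern described in this thread (failure audits for one account arriving within 2-3 seconds, later traced to infected computers) can be checked mechanically. The following is an added example, not part of the original thread: it assumes the failure audits have been exported as `time,account,source computer` lines, and the sample data, the threshold of 4 and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the thread): failure audits exported from a
# domain controller as "time,account,source computer".
SAMPLE = """\
2024-01-08 08:14:01,jsmith,WKS-017
2024-01-08 08:14:01,jsmith,WKS-017
2024-01-08 08:14:02,jsmith,WKS-017
2024-01-08 08:14:03,jsmith,WKS-017
2024-01-08 08:14:03,mjones,WKS-017
2024-01-08 08:14:04,mjones,WKS-017
2024-01-08 08:14:04,mjones,WKS-017
2024-01-08 08:14:05,mjones,WKS-017
2024-01-08 09:30:10,akhan,WKS-042
2024-01-08 09:30:55,akhan,WKS-042
"""

def parse_audits(text):
    """Return (time, account, source computer) tuples; blank lines skipped."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        stamp, account, source = (f.strip() for f in line.split(","))
        rows.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), account.lower(), source.upper()))
    return rows

def find_bursts(rows, threshold=4, window=timedelta(seconds=3)):
    """Map (account, source) to its densest failure count when it reaches threshold (assumed value)."""
    times_by_key = defaultdict(list)
    for when, account, source in rows:
        times_by_key[(account, source)].append(when)
    bursts = {}
    for key, times in times_by_key.items():
        times.sort()
        start = best = 0
        for end, when in enumerate(times):
            while when - times[start] > window:  # drop failures older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts

def suspect_sources(bursts):
    """Group bursting accounts by the computer the failures came from."""
    grouped = defaultdict(list)
    for account, source in sorted(bursts):
        grouped[source].append(account)
    return dict(grouped)
```

A source computer that shows bursts for several different accounts is the machine to isolate and clean, rather than a user to retrain; slow, spaced-out failures such as the `akhan` rows are not flagged.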