Solved

Random Account Lockouts

Posted on 2009-06-29
Last Modified: 2012-05-07
This morning I have had about 5 users complain that their accounts were locked out but they were certain they keyed their passwords in correctly.  Of course, being the typical IT guy, I figured my end-users were crazy.  Funny thing was, though, it happened to me about 10 minutes ago.  I logged onto my PC without any problems this morning.  After logging in I tried to access a file on SharePoint and it told me I didn't have rights.  I went and looked and my account was locked out.

My first step was to look at the event viewers and I noticed an error that was recurring consistently:  EventID 12294.  The SAM database was unable to lockout the account of administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

I checked and my Domain Administrator Account was locked out.  I unlocked it and within about 5 seconds it was locked out again.  Is there any way to tell what is causing these issues?
Question by:neptuneit
7 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24735851
Sounds like a possible Conficker (or Downadup) infection. One symptom of this is random lockout events for no apparent reason.
Update your virus definitions and run some scans. The source of the infection could be attempting to log on to network shares, causing the lockouts.
There are a number of removal tools available - google 'conficker removal' and follow the steps to detect and repair this sort of infection.
0
 
LVL 1

Author Comment

by:neptuneit
ID: 24735871
Does Active Directory log where the attempts are coming from by any chance?  This would help me narrow down the source of the problem.
0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 1200 total points
ID: 24735876
Also have a check of your DC security event logs to determine the logon type which is causing the account lockouts. You may also get the source machine from which the bad logons are coming...
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24735884
Looks like our posts just crossed :-)
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 800 total points
ID: 24735911
You may also want to have a look at this: http://support.microsoft.com/kb/887433
I had an incident recently where Conficker was causing this problem.

There is an MS Patch: http://support.microsoft.com/kb/958644
Also make sure your virus protection is bang up to date and do a full system scan.

We had to use Group Policies to disable the Autorun feature. It was also creating tasks in the scheduled tasks every hour and they were called A1, A2, A3 etc. Again, we disabled the task scheduler in Group Policy until we were able to fully disinfect.
0
 
LVL 1

Author Comment

by:neptuneit
ID: 24735944
What particular type EventID should I be looking for in the DC Security logs?
0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 1200 total points
ID: 24735991
It could at this stage be a number of event IDs. Filter the security log on failure events then look through these.
Check the source computer, and the logon type code. Reference for type codes...
http://www.windowsecurity.com/articles/Logon-Types.html 
0
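The log check suggested in the answers above (filter the DC Security log on failures, then read off the source computer and logon type), as an added example that is not part of the original thread. The thread names no event IDs; 4625 (failed logon) and 4740 (account locked out) are the Windows Server 2008 and later IDs, and the four-hour window and the helper name `ConvertTo-LockoutRecord` are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated session on a domain controller.
# Assumes Windows Server 2008 or later: 4625 = failed logon, 4740 = account locked out.
$since = (Get-Date).AddHours(-4)   # look-back window (assumption; adjust as needed)

# Logon type codes recorded in event 4625
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertTo-LockoutRecord {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # Flatten the <EventData> name/value pairs into a hashtable
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $type = $data['LogonType']
        [pscustomobject]@{
            Time      = $Record.TimeCreated
            EventId   = $Record.Id
            Account   = $data['TargetUserName']
            # Event 4740 stores the caller computer name in TargetDomainName
            Source    = if ($Record.Id -eq 4740) { $data['TargetDomainName'] }
                        else { $data['WorkstationName'] }
            IpAddress = $data['IpAddress']
            LogonType = if ($type) { "$type $($logonTypes[[int]$type])".Trim() }
                        else { 'n/a' }
        }
    }
}

$records = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4740; StartTime = $since
    } -ErrorAction SilentlyContinue | ConvertTo-LockoutRecord

# Busiest source / account / logon-type combinations first
$records |
    Group-Object Source, IpAddress, Account, LogonType |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize
```

A single workstation producing type 3 (Network) failures against many different accounts is the pattern to isolate and scan first. On domain controllers older than Server 2008 the event IDs differ and this filter returns nothing.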
