Solved

Random Account Lockouts

Posted on 2009-06-29
Last Modified: 2012-05-07
This morning I have had about 5 users complain that their accounts were locked out but they were certain they keyed their passwords in correctly. Of course being the typical IT guy I figured my end-users were crazy. Funny thing was though it happened to me about 10 minutes ago. I logged onto my PC without any problems this morning. After logging in I tried to access a file on SharePoint and it told me I didn't have rights. I went and looked and my account was locked out.

My first step was to look at the event viewers and I noticed an error that was recurring consistently:  EventID 12294.  The SAM database was unable to lockout the account of administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

I checked and my Domain Administrator Account was locked out. I unlocked it and within about 5 seconds it was locked out again. Is there any way to tell what is causing these issues?
Question by:neptuneit
7 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24735851
Sounds like a possible Conficker (or Downadup) infection. One symptom of this is random lockout events for no apparent reason.
Update your virus definitions and run some scans. The source of the infection could be attempting to log on to network shares, causing the lockouts.
There are a number of removal tools available - google 'conficker removal' and follow the steps to detect and repair this sort of infection.
0
 
LVL 1

Author Comment

by:neptuneit
ID: 24735871
Does Active Directory log where the attempts are coming from by any chance? This would help me narrow down the source of the problem.
0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 300 total points
ID: 24735876
Also have a check of your DC security event logs to determine the logon type which is causing the account lockouts. You may also get the source machine from which the bad logons are coming...
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24735884
Looks like our posts just crossed :-)
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 200 total points
ID: 24735911
You may also want to have a look at this: http://support.microsoft.com/kb/887433
I had an incident recently where Conficker was causing this problem.

There is an MS Patch: http://support.microsoft.com/kb/958644
Also make sure your virus protection is bang up to date and do a full system scan.

We had to use Group Policies to disable the Autorun feature, it was also creating tasks in the scheduled tasks every hour and they were called A1, A2, A3 etc, again we disabled the task scheduler in Group Policy until we were able to fully disinfect.
0
 
LVL 1

Author Comment

by:neptuneit
ID: 24735944
What particular type of EventID should I be looking for in the DC Security logs?
0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 300 total points
ID: 24735991
It could at this stage be a number of event IDs. Filter the security log on failure events then look through these.
Check the source computer, and the logon type code. Reference for type codes...
http://www.windowsecurity.com/articles/Logon-Types.html
0
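
The log review suggested in the thread (filter the DC security log on failures, then read the source computer and logon type), as an added example that is not part of the original posts. It assumes Windows Server 2008 or later DCs, where the relevant event IDs are 4625, 4740 and 4771 (the thread names none); the function name `Get-FailedLogonSource`, host names and addresses are hypothetical, and the sample events are constructed.

```powershell
# Added example (not from the thread). Feed it event XML from a DC, e.g.:
#   Get-WinEvent -ComputerName <DC> -FilterHashtable @{LogName='Security'; Id=4625,4740,4771} |
#       ForEach-Object { $_.ToXml() }
$LogonTypeName = @{ '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service'; '7'='Unlock'
                    '8'='NetworkCleartext'; '10'='RemoteInteractive'; '11'='CachedInteractive' }

function Get-FailedLogonSource {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [Parameter(Mandatory)][string]$Account
    )
    $rows = foreach ($x in $EventXml) {
        $e  = ([xml]$x).Event
        $id = [int]$e['System']['EventID'].InnerText
        # Flatten <Data Name="...">value</Data> into a name/value table
        $d = @{}
        foreach ($n in $e['EventData'].ChildNodes) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        if ($d['TargetUserName'] -ne $Account) { continue }
        # 4740 (lockout) records the caller computer in TargetDomainName;
        # 4625 has WorkstationName/IpAddress; 4771 (Kerberos) has IpAddress only
        $src = if ($id -eq 4740) { $d['TargetDomainName'] }
               elseif ($d['WorkstationName'] -and $d['WorkstationName'] -ne '-') { $d['WorkstationName'] }
               else { $d['IpAddress'] }
        $lt = $d['LogonType']
        [pscustomobject]@{
            EventId   = $id
            Source    = $src
            LogonType = if ($lt) { "$lt ($($LogonTypeName[$lt]))" } else { 'n/a' }
        }
    }
    # One row per (event, source, logon type), busiest source first
    $rows | Group-Object EventId, Source, LogonType | Sort-Object Count -Descending |
        ForEach-Object { [pscustomobject]@{ Count = $_.Count; EventId = $_.Group[0].EventId
                                            Source = $_.Group[0].Source; LogonType = $_.Group[0].LogonType } }
}

# Constructed sample events (hypothetical hosts, documentation IP range)
$ns  = 'http://schemas.microsoft.com/win/2004/08/events/event'
$tpl = "<Event xmlns='$ns'><System><EventID>{0}</EventID></System><EventData>{1}</EventData></Event>"
$bad = "<Data Name='TargetUserName'>administrator</Data><Data Name='LogonType'>3</Data>" +
       "<Data Name='WorkstationName'>WS-EXAMPLE-01</Data><Data Name='IpAddress'>192.0.2.15</Data>"
$sample = @(
    ($tpl -f 4625, $bad), ($tpl -f 4625, $bad),
    ($tpl -f 4771, "<Data Name='TargetUserName'>administrator</Data><Data Name='IpAddress'>::ffff:192.0.2.15</Data>"),
    ($tpl -f 4740, "<Data Name='TargetUserName'>administrator</Data><Data Name='TargetDomainName'>WS-EXAMPLE-01</Data>"),
    ($tpl -f 4625, "<Data Name='TargetUserName'>someoneelse</Data><Data Name='LogonType'>2</Data><Data Name='WorkstationName'>WS-EXAMPLE-02</Data>")
)
Get-FailedLogonSource -EventXml $sample -Account 'administrator'
```

A single workstation producing many type 3 (network) failures for accounts nobody is typing passwords for is the pattern to isolate and scan first.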
