adml_shake

asked on

Account being locked out every few minutes

We are using Windows 03 on a domain, with all the users using XP machines.  On Friday, one of our users changed her password and now something is causing her account to be locked out on the local DC every few moments.  She's not an Outlook user, and other than mapped drives there isn't any other reason we can think of that her PC should be trying to log on to the server so often.  Is there a service or something that uses credentials to talk to the server that I don't know about?
Wesley Miller

On her machine, from a command prompt type:
netsh ras set tracing * enabled
Let her system be until the lockout occurs again, then when it does, look at the tracing logs found in c:\windows\tracing to see what network activity was occurring at the time the lockout occurred to find the cause.
To stop the tracing, from a command prompt type:  netsh ras set tracing * disabled
 
wes
Have you seen any security audit entries in eventvwr for this user?
adml_shake

ASKER

Here is the output I got from running that for a few moments (it didn't take long to disable the account).
There was more, but it basically just repeated this over and over.  Thanks for the help.

[1692] 11:07:57: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1279
   Local subnet only:      False
[1692] 11:07:57: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1279
[1692] 11:07:57: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:07:57: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1279
   Local subnet only:      False
[1688] 11:08:01: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1280
   Local subnet only:      False
[1688] 11:08:01: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1280
[1688] 11:08:01: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:01: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1280
   Local subnet only:      False
[396] 11:08:02: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1281
   Local subnet only:      False
[396] 11:08:02: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1281
[396] 11:08:02: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:02: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1281
   Local subnet only:      False
[1692] 11:08:07: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1282
   Local subnet only:      False
[1692] 11:08:07: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1282
[1692] 11:08:07: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:07: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1282
   Local subnet only:      False
[1688] 11:08:12: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1283
   Local subnet only:      False
[1688] 11:08:12: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1283
[1688] 11:08:12: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:12: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1283
   Local subnet only:      False
[396] 11:08:17: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1284
   Local subnet only:      False
[396] 11:08:17: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1284
[396] 11:08:17: FwNotifyOnDeny: Wildcarded UDP port.
dexIT:

No, I looked in the security logs and the others but didn't see anything
Looks like lsass.exe is not able to obtain a proper handshake with the server.
That file has been known to be attacked by viruses, so I'd scan her system to make sure it is virus free.  See: http://www.softwarepatch.com/tips/isass.html
Microsoft's Malicious Software Removal Tool can also be installed to remove it: http://support.microsoft.com/kb/890830/
Wes
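
An added example, not part of the thread: a short Python script that condenses the repeating trace entries posted above into one summary per process image and protocol (deny count, first and last time, port range, seconds between denies), so the cadence can be lined up against the lockout times recorded on the DC. The sample lines are copied from the trace in the thread; the function names `parse_denies` and `summarize` are my own.

```python
import re
from collections import defaultdict

# One-line deny records as they appear in the posted trace, e.g.
# [1692] 11:07:57: FwNotifyOnDeny: image = C:\...\lsass.exe; proto = UDP; port = 1279
DENY_RE = re.compile(
    r"\[?(?P<tid>\d+)\]\s+(?P<time>\d\d:\d\d:\d\d):\s+FwNotifyOnDeny:\s+"
    r"image = (?P<image>[^;]+);\s*proto = (?P<proto>\w+);\s*port = (?P<port>\d+)"
)

# Lines taken from the trace posted in the thread.
SAMPLE = r"""
[1692] 11:07:57: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1279
[1692] 11:07:57: FwNotifyOnDeny: Wildcarded UDP port.
[1688] 11:08:01: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1280
[396] 11:08:02: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1281
[1692] 11:08:07: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1282
[1688] 11:08:12: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1283
[396] 11:08:17: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1284
"""

def parse_denies(text):
    """Return one dict per deny record; other trace lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = (int(x) for x in m["time"].split(":"))
        events.append({"time": m["time"], "secs": h * 3600 + mi * 60 + s,
                       "image": m["image"].strip().lower(),
                       "proto": m["proto"].upper(), "port": int(m["port"])})
    return events

def summarize(events):
    """Group denies by (image, proto) and report count, port range and gaps."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["image"], e["proto"])].append(e)
    out = {}
    for key, evs in groups.items():
        secs = [e["secs"] for e in evs]
        # The trace carries no date, so wrap gaps that cross midnight.
        gaps = [(b - a) % 86400 for a, b in zip(secs, secs[1:])]
        ports = [e["port"] for e in evs]
        out[key] = {"count": len(evs), "first": evs[0]["time"],
                    "last": evs[-1]["time"],
                    "ports": (min(ports), max(ports)), "gaps_s": gaps}
    return out

if __name__ == "__main__":
    for (image, proto), s in summarize(parse_denies(SAMPLE)).items():
        print(image, proto, s)
```
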
 
ASKER CERTIFIED SOLUTION
Wesley Miller