Solved

Server 2008 accounts keep getting locked out.

Posted on 2011-02-28
4
1,053 Views
Last Modified: 2012-05-11
I am having continual and repettative account lockouts on 2 different locations on 2 different domain controllers (without a domain trust in place) .

I need to know if there is a way to determine the source of the problem. i.e what machine is attempting logon with the wrong password etc.

i am finding that even the master domain account is being locked as well.

As a matter of fact one time it was EVERY account on one of the DC's except my own personal account.
0
Comment
Question by:cc-admin
4 Comments
 
LVL 9

Expert Comment

by:Timothy McCartney
Comment Utility
Have you checked the security section of the event log?
0
 

Author Comment

by:cc-admin
Comment Utility
yes. i dont see anything obvious. it only showed one machine fail and it was using the old server address and not the new one. But that does not explain the other accounts being locked out as well.

It appears to only be Domain Admin accounts being locked out.

Any other ideas?
0
 
LVL 10

Expert Comment

by:abbright
Comment Utility
In the security log you should be able to find information about unsuccessful logins. In some of these log-entries you can find the source address of the request.
0
 
LVL 10

Accepted Solution

by:
pand0ra_usa earned 500 total points
Comment Utility
The last part sounds like someone is trying to brute-force your accounts and that is why your accounts are being locked out.

Type in rsop at the command line. Go to Computer Configuration, Windows Settings, Local Policies, Audit Policy. We need to make sure auditing is still enabled.

Check the Audit account on logon events and Audit logon events is set to Success, Failure. You may also want to check Audit account management for the same setting as that might also provide insight.

If these are already set to those settings I would search/filter for Event ID 4625 (or other logon failure codes).

Status and Sub Status Codes       Description (not checked against "Failure Reason:")
0xC0000064       user name does not exist
0xC000006A       user name is correct but the password is wrong
0xC0000234       user is currently locked out
0xC0000072       account is currently disabled
0xC000006F       user tried to logon outside his day of week or time of day restrictions
0xC0000070       workstation restriction
0xC0000193       account expiration
0xC0000071       expired password
0xC0000133       clocks between DC and other computer too far out of sync
0xC0000224       user is required to change password at next logon
0xC0000225       evidently a bug in Windows and not a risk
0xc000015b       The user has not been granted the requested logon type (aka logon right) at this machine
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video discusses moving either the default database or any database to a new volume.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now