Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Server 2008 accounts keep getting locked out.

Posted on 2011-02-28
4
Medium Priority
?
1,077 Views
Last Modified: 2012-05-11
I am having continual and repettative account lockouts on 2 different locations on 2 different domain controllers (without a domain trust in place) .

I need to know if there is a way to determine the source of the problem. i.e what machine is attempting logon with the wrong password etc.

i am finding that even the master domain account is being locked as well.

As a matter of fact one time it was EVERY account on one of the DC's except my own personal account.
0
Comment
Question by:cc-admin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 9

Expert Comment

by:Timothy McCartney
ID: 35001665
Have you checked the security section of the event log?
0
 

Author Comment

by:cc-admin
ID: 35001896
yes. i dont see anything obvious. it only showed one machine fail and it was using the old server address and not the new one. But that does not explain the other accounts being locked out as well.

It appears to only be Domain Admin accounts being locked out.

Any other ideas?
0
 
LVL 10

Expert Comment

by:abbright
ID: 35004402
In the security log you should be able to find information about unsuccessful logins. In some of these log-entries you can find the source address of the request.
0
 
LVL 10

Accepted Solution

by:
pand0ra_usa earned 2000 total points
ID: 35010035
The last part sounds like someone is trying to brute-force your accounts and that is why your accounts are being locked out.

Type in rsop at the command line. Go to Computer Configuration, Windows Settings, Local Policies, Audit Policy. We need to make sure auditing is still enabled.

Check the Audit account on logon events and Audit logon events is set to Success, Failure. You may also want to check Audit account management for the same setting as that might also provide insight.

If these are already set to those settings I would search/filter for Event ID 4625 (or other logon failure codes).

Status and Sub Status Codes       Description (not checked against "Failure Reason:")
0xC0000064       user name does not exist
0xC000006A       user name is correct but the password is wrong
0xC0000234       user is currently locked out
0xC0000072       account is currently disabled
0xC000006F       user tried to logon outside his day of week or time of day restrictions
0xC0000070       workstation restriction
0xC0000193       account expiration
0xC0000071       expired password
0xC0000133       clocks between DC and other computer too far out of sync
0xC0000224       user is required to change password at next logon
0xC0000225       evidently a bug in Windows and not a risk
0xc000015b       The user has not been granted the requested logon type (aka logon right) at this machine
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A look at what happened in the Verizon cloud breach.
Check out what's been happening in the Experts Exchange community.
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question