• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1109
  • Last Modified:

Server 2008 accounts keep getting locked out.

I am having continual and repettative account lockouts on 2 different locations on 2 different domain controllers (without a domain trust in place) .

I need to know if there is a way to determine the source of the problem. i.e what machine is attempting logon with the wrong password etc.

i am finding that even the master domain account is being locked as well.

As a matter of fact one time it was EVERY account on one of the DC's except my own personal account.
0
cc-admin
Asked:
cc-admin
1 Solution
 
Timothy McCartneySYS ADMINISTR I INFRASCommented:
Have you checked the security section of the event log?
0
 
cc-adminAuthor Commented:
yes. i dont see anything obvious. it only showed one machine fail and it was using the old server address and not the new one. But that does not explain the other accounts being locked out as well.

It appears to only be Domain Admin accounts being locked out.

Any other ideas?
0
 
abbrightCommented:
In the security log you should be able to find information about unsuccessful logins. In some of these log-entries you can find the source address of the request.
0
 
pand0ra_usaCommented:
The last part sounds like someone is trying to brute-force your accounts and that is why your accounts are being locked out.

Type in rsop at the command line. Go to Computer Configuration, Windows Settings, Local Policies, Audit Policy. We need to make sure auditing is still enabled.

Check the Audit account on logon events and Audit logon events is set to Success, Failure. You may also want to check Audit account management for the same setting as that might also provide insight.

If these are already set to those settings I would search/filter for Event ID 4625 (or other logon failure codes).

Status and Sub Status Codes       Description (not checked against "Failure Reason:")
0xC0000064       user name does not exist
0xC000006A       user name is correct but the password is wrong
0xC0000234       user is currently locked out
0xC0000072       account is currently disabled
0xC000006F       user tried to logon outside his day of week or time of day restrictions
0xC0000070       workstation restriction
0xC0000193       account expiration
0xC0000071       expired password
0xC0000133       clocks between DC and other computer too far out of sync
0xC0000224       user is required to change password at next logon
0xC0000225       evidently a bug in Windows and not a risk
0xc000015b       The user has not been granted the requested logon type (aka logon right) at this machine
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now