Solved

Server 2008 accounts keep getting locked out.

Posted on 2011-02-28
4
1,069 Views
Last Modified: 2012-05-11
I am having continual and repettative account lockouts on 2 different locations on 2 different domain controllers (without a domain trust in place) .

I need to know if there is a way to determine the source of the problem. i.e what machine is attempting logon with the wrong password etc.

i am finding that even the master domain account is being locked as well.

As a matter of fact one time it was EVERY account on one of the DC's except my own personal account.
0
Comment
Question by:cc-admin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 9

Expert Comment

by:Timothy McCartney
ID: 35001665
Have you checked the security section of the event log?
0
 

Author Comment

by:cc-admin
ID: 35001896
yes. i dont see anything obvious. it only showed one machine fail and it was using the old server address and not the new one. But that does not explain the other accounts being locked out as well.

It appears to only be Domain Admin accounts being locked out.

Any other ideas?
0
 
LVL 10

Expert Comment

by:abbright
ID: 35004402
In the security log you should be able to find information about unsuccessful logins. In some of these log-entries you can find the source address of the request.
0
 
LVL 10

Accepted Solution

by:
pand0ra_usa earned 500 total points
ID: 35010035
The last part sounds like someone is trying to brute-force your accounts and that is why your accounts are being locked out.

Type in rsop at the command line. Go to Computer Configuration, Windows Settings, Local Policies, Audit Policy. We need to make sure auditing is still enabled.

Check the Audit account on logon events and Audit logon events is set to Success, Failure. You may also want to check Audit account management for the same setting as that might also provide insight.

If these are already set to those settings I would search/filter for Event ID 4625 (or other logon failure codes).

Status and Sub Status Codes       Description (not checked against "Failure Reason:")
0xC0000064       user name does not exist
0xC000006A       user name is correct but the password is wrong
0xC0000234       user is currently locked out
0xC0000072       account is currently disabled
0xC000006F       user tried to logon outside his day of week or time of day restrictions
0xC0000070       workstation restriction
0xC0000193       account expiration
0xC0000071       expired password
0xC0000133       clocks between DC and other computer too far out of sync
0xC0000224       user is required to change password at next logon
0xC0000225       evidently a bug in Windows and not a risk
0xc000015b       The user has not been granted the requested logon type (aka logon right) at this machine
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Part One of the two-part Q&A series with MalwareTech.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question