
Tracking Source of Account Lockout

Posted on 2011-03-21
Last Modified: 2012-05-11
Hi folks!

Got about 120 Windows XP Professional SP3 workstations running in a Windows Server 2003 R2 x64-based Active Directory environment.

A few days ago, started having a particular user account -- an administrator account -- that is getting repeatedly locked out. Unlock it, wait a few minutes, locked out again.

My best guesses are that either someone is trying a brute force attack to compromise it (unlikely) or that there's a scheduled task laying around the network somewhere that's repeatedly trying to access it using an old password (likely).

Can someone suggest a way to track where the failed login attempts, and ultimately lockouts, are coming from?

Thanks,
Ithizar
Question by:Ithizar
7 Comments
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 35184653
Check your Security Event Logs and filter by Failure Audit - that should show the invalid login attempts.

Look down those entries and look at the source IP and the Process ID being used. Then fire up Task Manager (CTRL + SHIFT + ESC) and on the Processes tab, add the PID column and then look for the Process ID.

If it is System - do you have Exchange on your server?

Check your firewall - do you have RDP (TCP Port 3389) open and forwarded to the server from all Remote IP Addresses?
 
LVL 13

Assisted Solution

by:BCipollone
BCipollone earned 250 total points
ID: 35184686
Please read this to help solve your issue: http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35184696
Take a look at this blog entry

http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

They have links to the account lockout and management tools.  The network traces can also be useful.  I'm with you it is most likely going to be a scheduled task or service that is using an old password.

Thanks

Mike

Author Comment

by:Ithizar
ID: 35190833
Hmm.

I've checked the security logs on our domain controller, and what I'm seeing are dozens and dozens of entries for this user name where it says "pre-authentication failed" and it lists the IP address as the loopback address (127.0.0.1). Those are the only errors involving this user name that I can find. But there are tons of them, occurring every few seconds.

I'm posting the complete error details below.

Any thoughts?

Thanks,
Ithizar

Error Details:
Event Type:     Failure Audit
Event Source:   Security
Event Category: Account Logon
Event ID:       675
Date:           3/22/2011
Time:           11:03:57 AM
User:           NT AUTHORITY\SYSTEM
Computer:       CHTNSDC01
Description:
Pre-authentication failed:
    User Name:               tpinkerton
    User ID:                 CHTN\tpinkerton
    Service Name:            krbtgt/CHTN
    Pre-Authentication Type: 0x2
    Failure Code:            0x12
    Client Address:          127.0.0.1
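Alan's suggestion (filter the Security log for the failed logons) and the event 675 entry Ithizar posted can be worked through with a script instead of by hand. The following is an added example and is not code from this thread. It assumes it is run on the domain controller in an elevated PowerShell 2.0 or later session (for Get-EventLog); the account name and look-back window are placeholders. It goes beyond the thread's Server 2003 case by also recognising the Server 2008+ event IDs (4771, 4625, 4740), where the same procedure applies with different field names.

```powershell
# Added example, not from the original thread.
# Summarise failed Kerberos/NTLM logons and lockouts for one account on a
# domain controller, grouped by the address or machine that sent them.
# Assumes: elevated PowerShell 2.0+ session on the DC; $Account and
# $LookBackHours are placeholders to adjust.
param(
    [string]$Account       = 'tpinkerton',
    [int]   $LookBackHours = 24
)

# Server 2003 IDs: 675 Kerberos pre-auth failed, 529 bad NTLM password,
# 644 account locked out.  Server 2008+ equivalents: 4771, 4625, 4740.
# 644/4740 are logged as Success Audits, so do not filter on EntryType.
$ids = 675, 529, 644, 4771, 4625, 4740

$since  = (Get-Date).AddHours(-$LookBackHours)
$events = Get-EventLog -LogName Security -After $since |
          Where-Object { $ids -contains $_.EventID }

# Field names differ per event and OS; match any of the account and source fields.
$nameRx   = '(?:User Name|Account Name|Target Account Name):\s*(\S+)'
$sourceRx = '(?:Client Address|Source Network Address|Caller Machine Name|Caller Computer Name|Workstation Name):\s*(\S+)'

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # 4740 lists the DC's own account before the locked-out one, so collect
    # every account field and keep the event only if our account is among them.
    $names = [regex]::Matches($msg, $nameRx) | ForEach-Object { $_.Groups[1].Value }
    if ($names -notcontains $Account) { continue }

    $source = if ($msg -match $sourceRx) { $Matches[1] } else { '(none)' }
    # A loopback client address means the request came from a process on
    # this DC itself (2003 shows 127.0.0.1; 2008+ shows ::1 or ::ffff:127.0.0.1).
    if ($source -match '^(127\.0\.0\.1|::1|::ffff:127\.0\.0\.1)$') {
        $source = "$source (this DC)"
    }

    New-Object PSObject -Property @{
        Time    = $e.TimeGenerated
        EventID = $e.EventID
        Source  = $source
    }
}

$rows |
    Group-Object EventID, Source |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='EventID, Source'; e={ $_.Name }},
        @{n='First'; e={ ($_.Group | Sort-Object Time)[0].Time }},
        @{n='Last';  e={ ($_.Group | Sort-Object Time)[-1].Time }} |
    Format-Table -AutoSize
```

Bad-password attempts and lockouts are forwarded to the PDC emulator, so run this there (or on every DC) rather than on an arbitrary one. A row whose source is the loopback address, as in the event above, means the failing credential is stored somewhere on the DC itself; a row with a workstation address points at that machine's services, tasks or mapped drives instead.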
 

Accepted Solution

by:Ithizar
Ithizar earned 0 total points
ID: 35224384
Found the answer! And, boy, was it obscure.

In the advanced DHCP properties of the server in question, it was set to authenticate using that user name, and was apparently failing. I updated the credentials and the problem went away.

Now, why that had worked forever and then suddenly stopped working a few days before I posted my question, I have no idea. But there's the solution.

Thanks to everyone for your help!
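The DHCP server's dynamic DNS update credentials, where Ithizar found the stale password, are one of several places on a server where an account's password can be stored and retried indefinitely. The following is an added example, not code from this thread: it enumerates the usual suspects on the local server (services, scheduled tasks, and the DHCP DNS registration credentials) and can optionally reset the DHCP credentials with the same netsh command the MMC dialog uses. It assumes an elevated PowerShell 2.0 or later session on the server; the account and domain names are placeholders taken from the event above.

```powershell
# Added example, not from the original thread.
# Find where on this server a given account's (possibly stale) password is
# stored, then optionally reset the DHCP dynamic DNS update credentials.
# Assumes: elevated PowerShell 2.0+ on the server; $Account and $Domain
# are placeholders.
param(
    [string]$Account = 'tpinkerton',
    [string]$Domain  = 'CHTN',
    [switch]$FixDhcp
)

# 1. Services that log on as the account (StartName is DOMAIN\user or user@domain).
Write-Host "== Services running as $Account"
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -match "(^|\\)$Account(@|$)" } |
    Select-Object Name, State, StartName | Format-Table -AutoSize

# 2. Scheduled tasks whose "Run As User" is the account.  schtasks exists on
#    XP/2003 and later; /v adds the Run As User column.  The INFO line it
#    prints when there are no tasks is dropped so ConvertFrom-Csv gets CSV only.
Write-Host "== Scheduled tasks running as $Account"
schtasks /query /fo CSV /v |
    Where-Object { $_ -notmatch '^INFO:' } |
    ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match "(^|\\)$Account$" } |
    Select-Object TaskName, 'Run As User', 'Next Run Time' | Format-Table -AutoSize

# 3. DHCP server's dynamic DNS update credentials: the setting behind
#    DHCP console > server properties > Advanced > Credentials.
Write-Host "== DHCP DNS registration credentials"
$dhcpCreds = netsh dhcp server show dnscredentials 2>&1
$dhcpCreds
if (($dhcpCreds -join ' ') -match $Account) {
    Write-Warning "DHCP dynamic DNS updates run as $Account; if that password changed, this is a lockout source."
    if ($FixDhcp) {
        # netsh takes the password on the command line, so run this from an
        # interactive session rather than a logged script.
        $pw = Read-Host "New password for $Domain\$Account"
        netsh dhcp server set dnscredentials $Account $Domain $pw
        Restart-Service DHCPServer
    }
}
```

The netsh syntax is `set dnscredentials <UserName> <Domain> <Password>`, and the DHCP Server service needs a restart before it uses the new values. Stored passwords like this one are also why a password change or expiry, rather than an attacker, is the usual cause when an administrative account starts locking out on its own.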
 

Author Closing Comment

by:Ithizar
ID: 35275420
Accepting my own solution, but awarding points to those who helped point me toward the solution.
 
LVL 13

Expert Comment

by:BCipollone
ID: 35281682
Probably a password policy in place caused the problem. Do your passwords expire? - Anyway glad you found the problem.