Tracking Down Source of Account Lock out

I have a Windows 2008 domain with 150+ users running XP and Windows 7. One of my users' accounts keeps getting locked out. On the server I can see a 4740 event log entry that shows the account being locked, but it shows the source as the domain controller. The user is out of the office today, so I unlocked their account and started Network Monitor on the domain controller, and within 30 minutes the account was locked again. How can I search Network Monitor for the user's account?
compdigit44 Asked:

Svet Paperov, IT Manager, Commented:
Do you have Audit Failure events ID 4771 on your DC, as well? There, you could see the IP address of the client where the authentication has failed.
compdigit44 (Author) Commented:
No, just 4740.
Svet Paperov, IT Manager, Commented:
In the Additional Information section of event ID 4740 there is a line with Caller Computer Name. That's the NetBIOS name of the computer from which the account was locked out.

Events with ID 4771 are available in the Windows Logs / Security section of Event Viewer on a domain controller.
compdigit44 (Author) Commented:
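One way to act on the advice above (read the Caller Computer Name out of 4740, then look at the audit failures for the same account), as an added example that is not code from the thread. It assumes it is run as a domain admin on the PDC emulator, which logs every lockout in the domain, and that $Account is the sAMAccountName of the locked-out user.

```powershell
# Added example: correlate 4740 lockouts with Kerberos (4771) and NTLM (4776)
# failures for one account. Assumes: run on the PDC emulator with rights to
# read the Security log; $Account is the locked-out sAMAccountName.
param(
    [Parameter(Mandatory)] [string]$Account,
    [int]$Hours = 24
)

$start = (Get-Date).AddHours(-$Hours)

# Turn the EventData of a Security event into a name -> value hashtable.
function ConvertTo-EventData($evt) {
    $x = [xml]$evt.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 4740: the "Caller Computer Name" shown in the event text is carried in the
# TargetDomainName data field of the event XML, not in a field of its own.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4740; StartTime=$start } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{ Time=$_.TimeCreated; User=$d.TargetUserName; Caller=$d.TargetDomainName; DC=$_.MachineName }
    } | Where-Object { $_.User -eq $Account }

"Lockouts for $Account in the last $Hours h:"
$lockouts | Format-Table -AutoSize

# 4771: Kerberos pre-authentication failed -> client IP is in IpAddress.
# 4776: NTLM credential validation failed  -> client name is in Workstation.
# Status 0x18 (4771) / 0xC000006A (4776) mean "wrong password".
$failures = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4771,4776; StartTime=$start } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        $src = if ($_.Id -eq 4771) { $d.IpAddress } else { $d.Workstation }
        [pscustomobject]@{ Time=$_.TimeCreated; Id=$_.Id; User=$d.TargetUserName; Source=$src; Status=$d.Status }
    } | Where-Object { $_.User -like "*$Account*" }

"Failed authentications for $Account, grouped by source:"
$failures | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{ n='Source'; e={ $_.Name } } | Format-Table -AutoSize
```

If the grouped sources show only the DC's own address or name, the bad credentials are being presented by something running on the DC itself (a service, scheduled task, or a RADIUS/NPS client authenticating through it), which is where the later replies in this thread point.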
The caller is listed as the DC though..
Svet Paperov, IT Manager, Commented:
That means somebody or something (a virus) is trying to log in to your domain controller.

This is not an easy task without IPS.

You cannot search a network monitor capture for the user account in clear text, because this information is encrypted before the packet reaches the DC. You could, however, use it to narrow down the IP addresses of the stations that are connecting around the time of the lockout event. But there will be a lot of data to go through.

Another way to explore would be to enable auditing on more objects on your domain controller and to look for Audit Failure events. This might help: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26234338.html
compdigit44 (Author) Commented:
It's strange, because I do have auditing set pretty high in my environment. I do see some login attempts that list the source IP or workstation name the user is logging in from, but for some reason this one doesn't...
Svet Paperov, IT Manager, Commented:
That's why sophisticated Intrusion Detection Systems are so expensive... A host-based IDS should be able to isolate the source easily.

Since it is more likely that the source is some kind of malware rather than a real human, you could take a different approach in your efforts to isolate it. For example:
Mirror the switch port where the DC is connected and install packet capture software; maybe you will see some unexpected activity even if the authentication requests are encrypted.
Wait until the end of the day when most of the user stations are off; at some point the attack should stop, and in that way you could narrow down the suspected computers.
By the way, do you have a VPN or WPA-Enterprise based WiFi that uses NPS on the domain controller as a RADIUS server? In that case the authentication will happen on the DC.
compdigit44 (Author) Commented:
I don't believe this is malware. The user account that keeps getting locked out is not their primary account but a service account used to log on to specific servers. I have already asked the user to check whether any services are running under their account, and they said they did not. I may just end up deleting their account and recreating it.
Svet Paperov, IT Manager, Commented:
Do not delete the account if it is used as a service account. If you recreate it with the same name, it won't be the same account.

This could explain the odd behavior with the events.

You could reset its password to an older one; maybe the account is used somewhere as a service. For example, Windows 7 backup requires a fixed domain account if you back up to a network location.
Windows Server 2008