Tracking Down Source of Account Lock out

I have a Windows 2008 domain with 150+ users running XP and Windows 7. One of my users' accounts keeps getting locked out. On the server I can see a 4740 event log entry that shows the account being locked, but it shows the source as the domain controller. The user is out of the office today, so I unlocked their account and started Network Monitor on the domain controller, and in 30 minutes the account was locked again. How can I search Network Monitor for the user's account?
compdigit44 Asked:

Svet Paperov (IT Manager) Commented:
That’s why sophisticated Intrusion Detection Systems are so expensive… A host-based IDS should be able to isolate the source easily.

Since it is more likely that the source is some kind of malware than a real human, you could take a different approach to isolating it. For example:
Mirror the switch port where the DC is connected and install packet capture software; maybe you will see some unexpected activity even if the authentication requests are encrypted.
Wait until the end of the day when most of the user stations are off; at some point the attack should stop, and in that way you could narrow down your suspected computers.
By the way, do you have a VPN or WPA-Enterprise based WiFi that uses NPS on the domain controller as a RADIUS server? In that case the authentication will happen on the DC.

Svet Paperov (IT Manager) Commented:
Do you have Audit Failure events with ID 4771 on your DC as well? There you could see the IP address of the client where the authentication failed.
compdigit44 (Author) Commented:
No, just 4740.

Svet Paperov (IT Manager) Commented:
In the Additional Information section of event ID 4740 there is a line with Caller Computer Name. That’s the NetBIOS name of the computer from which the account was locked out.

Event ID 4771 entries are available in the Windows Logs / Security section of Event Viewer on a domain controller.
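One way to do the correlation described above from PowerShell on the DC, pulling the 4740 Caller Computer Name and the 4771 client IP for one account; this is an added example, not code from the thread, and the account name `svc_backup` and the 5-minute window are assumptions:

```powershell
# Added example: correlate 4740 lockouts with 4771 Kerberos pre-auth failures
# for one account, read from the Security log of the DC this runs on.
# Assumptions (placeholders): the account is 'svc_backup'; PowerShell 2.0+ with
# Get-WinEvent; the caller can read the Security log.
param(
    [string]$User  = 'svc_backup',   # account under investigation (placeholder)
    [int]   $Hours = 24              # how far back to look
)

$since = (Get-Date).AddHours(-$Hours)

# Return one named EventData field from an event's XML payload.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Account names may appear as 'name' or 'name@REALM'; compare on the name only.
function Test-TargetUser($Event) {
    ((Get-EventField $Event 'TargetUserName') -split '@')[0] -eq $User
}

# 4740 = account locked out. Quirk: the "Caller Computer Name" that Event Viewer
# displays is stored in the TargetDomainName field, not in a field named Caller*.
$lockouts = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { Test-TargetUser $_ } |
    ForEach-Object { New-Object PSObject -Property @{ Time = $_.TimeCreated; Caller = Get-EventField $_ 'TargetDomainName' } }

# 4771 = Kerberos pre-authentication failed. Status 0x18 means a bad password.
# IpAddress is the client that presented the credentials, which is still useful
# when the 4740 caller is the DC itself (e.g. auth relayed via NPS/RADIUS or a
# service running on the DC). IPv4 clients show up as '::ffff:a.b.c.d'.
$failures = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { Test-TargetUser $_ } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            Client = (Get-EventField $_ 'IpAddress') -replace '^::ffff:', ''
            Status = Get-EventField $_ 'Status'
        }
    }

"Lockouts of $User since $since :"
$lockouts | Sort-Object Time | Format-Table Time, Caller -AutoSize

# For each lockout, list the pre-auth failures in the 5 minutes leading up to it;
# the Client column is the station (or relay) to look at next.
foreach ($l in ($lockouts | Sort-Object Time)) {
    "`n4771 failures in the 5 min before lockout at $($l.Time) (caller: $($l.Caller)):"
    $failures | Where-Object { $_.Time -le $l.Time -and $_.Time -ge $l.Time.AddMinutes(-5) } |
        Sort-Object Time | Format-Table Time, Client, Status -AutoSize
}
```

If no 4771 rows appear before a lockout, the failed attempts did not use Kerberos pre-authentication, which points at an NTLM path (a service or relay authenticating locally on the DC) rather than a workstation logon.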
 
compdigit44 (Author) Commented:
The caller is listed as the DC, though..

Svet Paperov (IT Manager) Commented:
That means somebody or something (a virus) is trying to log in to your domain controller.

This is not an easy task without an IPS.

You cannot search a network monitor for a user account in clear text because this information is encrypted before the packet hits the DC. You could, however, use it to narrow down the IP addresses of the stations that are connecting around the lockout event. But there will be a lot of data to go through.

Another way to explore would be to enable auditing on more objects on your domain controller and to look for Audit Failure events. This might help: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26234338.html

compdigit44 (Author) Commented:
It's strange because I do have auditing set pretty high in my environment. I do see some login attempts that list the source IP or workstation name the user is logging in from, but for some reason this one doesn't...

compdigit44 (Author) Commented:
I don't believe this is malware. The account that keeps getting locked out is not the user's primary account but a service account used to log on to specific servers. I have already asked the user to check whether any services are running under their account, and they said they are not. I may just end up deleting their account and recreating it.

Svet Paperov (IT Manager) Commented:
Do not delete the account if it is used as a service account. If you recreate it with the same name it won't be the same account.

This could explain the odd behavior with the events.

You could reset its password to an older one; maybe the account is used somewhere as a service. For example, Windows 7 backup requires a fixed domain account if you back up over the network.