compdigit44

asked on

Tracking Down Source of Account Lockout

I have a Windows 2008 domain with 150+ users running XP and Windows 7. One of my users' accounts keeps getting locked out. On the server I can see a 4740 event log entry that shows the account being locked, but it shows the source as the domain controller. The user is out of the office today, so I unlocked their account and started Network Monitor on the domain controller, and in 30 minutes the account was locked again. How can I search Network Monitor for the user's account?
Darius Ghassem

Do you have Audit Failure events ID 4771 on your DC, as well? There, you could see the IP address of the client where the authentication has failed.
compdigit44

ASKER

No, just 4740.
In the Additional Information section of event ID 4740 there is a line with Caller Computer Name. That's the NetBIOS name of the computer from which the account has been locked out.

Events with ID 4771 are available in the Windows Logs / Security section of Event Viewer on a domain controller.
The caller is listed as the DC though.
That means somebody or something (a virus) is trying to login to your domain controller.

This is not an easy task without IPS.

You cannot search a network monitor for a user account in clear text because this information is encrypted before the packet hits the DC. You could, however, use it to narrow down the IP addresses of the stations that are connecting around the lockout event. But there will be a lot of data to go through.

Another way to explore would be to enable auditing on more objects on your domain controller and to look for Audit Failure events. This might help: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26234338.html
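The 4740 Caller Computer Name and 4771 Client Address lookups described in the two comments above, as an added PowerShell example that is not part of this thread; it goes beyond the thread by also pulling 4776 NTLM validation failures (Source Workstation), since a service retrying a stale password over NTLM leaves no 4771 at all. It assumes PowerShell 2.0 or later with Get-WinEvent access to the DC, failure auditing enabled for Kerberos Authentication Service and Credential Validation, and the script and parameter names are invented here.

```powershell
# Added example, not from the thread. Correlates 4740 lockouts with the
# failed logons that preceded them on one DC, to find the caller machine.
# Assumes PowerShell 2.0+ and failure auditing enabled for
# "Kerberos Authentication Service" (4771) and "Credential Validation" (4776).
param(
    [Parameter(Mandatory=$true)][string]$User,   # sAMAccountName being locked out
    [string]$DC = $env:COMPUTERNAME,             # DC to query; 4740 lands on the PDC emulator
    [int]$Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)
$u = [regex]::Escape($User)

function Get-SecEvents([int[]]$Ids) {
    Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName='Security'; Id=$Ids; StartTime=$since }
}

# 4740: "Caller Computer Name" is the NetBIOS name of the machine that sent the
# bad credentials; it is the DC itself when a service on the DC is the culprit.
$lockouts = Get-SecEvents 4740 |
    Where-Object { $_.Message -match "Account Name:\s+$u\s" } |
    ForEach-Object {
        $src = if ($_.Message -match 'Caller Computer Name:\s*(\S+)') { $matches[1] } else { '?' }
        New-Object PSObject -Property @{ Time=$_.TimeCreated; Id=$_.Id; Source=$src; Code='LOCKOUT' }
    }

# 4771 (Kerberos pre-auth failed, Client Address) and 4776 (NTLM validation
# failed, Source Workstation). Failure code 0x18 / error 0xC000006A means a
# wrong password, which is what a service holding an old password produces.
$failures = Get-SecEvents 4771,4776 |
    Where-Object { $_.Message -match "(Account Name|Logon Account):\s+$u\s" } |
    ForEach-Object {
        $src  = if ($_.Message -match '(Client Address|Source Workstation):\s*(\S+)') {
                    $matches[2] -replace '^::ffff:', '' } else { '?' }
        $code = if ($_.Message -match '(Failure|Error) Code:\s*(\S+)') { $matches[2] } else { '?' }
        New-Object PSObject -Property @{ Time=$_.TimeCreated; Id=$_.Id; Source=$src; Code=$code }
    }

# Timeline first, then failures per source: the top source is the machine to
# inspect for services, scheduled tasks, mapped drives and saved credentials.
@($lockouts) + @($failures) | Sort-Object Time | Format-Table Time, Id, Source, Code -AutoSize
@($failures) | Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Save it as a script and run it against the DC that logged the 4740, for example `.\Find-LockoutSource.ps1 -User svc_backup -DC DC01` (both names are placeholders).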
It's strange because I do have auditing set pretty high in my environment. I do see some login attempts that do list the source IP or workstation name the user is logging in from, but for some reason this one doesn't...
ASKER CERTIFIED SOLUTION
Svet Paperov
I don't believe this is malware. The account that keeps getting locked out is not the user's primary account but a service account used to log on to specific servers. I have already asked the user to check whether any services are running under their account and they said they were not. I may just end up deleting their account and recreating it.
Do not delete the account if it is used as a service account. If you recreate it with the same name it won't be the same account.

This could explain the odd behavior with the events.

You could reset its password to an older one; maybe the account is used somewhere as a service. For example, Windows 7 backup requires a fixed domain account if you back up to a network location.