Domain accounts getting locked out

All of our domain accounts keep getting locked out numerous times during the day for the past couple of days.  In the event log on a DC, there are constant audit failures, event ID 4662:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/23/2011 10:10:14 AM
Event ID:      4662
Task Category: Directory Service Access
Level:         Information
Keywords:      Audit Failure
User:          N/A
An operation was performed on an object.

Subject :
      Security ID:            domain\user[
      Account Name:            username
      Account Domain:            ourdomain
      Logon ID:            0xb4d9d80

      Object Server:            DS
      Object Type:            user
      Object Name:            CN=useraccount\OU=Client Services,OU= Departments,DC=ourdomain,DC=com
      Handle ID:            0x0

      Operation Type:            Object Access
      Accesses:            Control Access
      Access Mask:            0x100
      Properties:            ---

Additional Information:
      Parameter 1:            -
      Parameter 2:            
Event Xml:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <TimeCreated SystemTime="2011-09-23T14:10:14.200Z" />
    <Correlation />
    <Execution ProcessID="820" ThreadID="924" />
    <Security />
    <Data Name="SubjectUserSid">S-1-5-21-796845957-1715567821-682003330-1698</Data>
    <Data Name="SubjectUserName">Username</Data>
    <Data Name="SubjectDomainName">ourdomain</Data>
    <Data Name="SubjectLogonId">0xb4d9d80</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{bf967aba-0de6-11d0-a285-00aa003049e2}</Data>
    <Data Name="ObjectName">%{474f39a0-a6c3-40f0-a1dd-24604b29e15e}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="AccessList">%%7688
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">---
    <Data Name="AdditionalInfo">-</Data>
    <Data Name="AdditionalInfo2">

Doesn't really show where it's coming from.  Seems like probably a brute force attack.  Any ideas on how to nail this down?  Thanks.
Who is Participating?
haxxyConnect With a Mentor Commented:
You probably have Downadup.B worm.

Read this document from symantec on how to remove it.
Mike KlineConnect With a Mentor Commented:
This sounds like malware  last year there was a lot of these and it was conficker

Not saying you have it but start scanning the network.  If it was one or two accounts there are other troubleshooting methods but almost every account being randomly locked out is a different thing.


I do see the same event in our environment ,did anyone got a solution this event id flooding in Domain Controllers
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.