SSEHelpDesk
asked on
Domain accounts getting locked out
All of our domain accounts keep getting locked out numerous times during the day for the past couple of days. In the event log on a DC, there are constant audit failures, event ID 4662:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/23/2011 10:10:14 AM
Event ID: 4662
Task Category: Directory Service Access
Level: Information
Keywords: Audit Failure
User: N/A
Computer: servername.ourdomain.com
Description:
An operation was performed on an object.
Subject :
Security ID: domain\user[
Account Name: username
Account Domain: ourdomain
Logon ID: 0xb4d9d80
Object:
Object Server: DS
Object Type: user
Object Name: CN=useraccount\OU=Client Services,OU=Departments,DC=ourdomain,DC=com
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Control Access
Access Mask: 0x100
Properties: ---
{91e647de-d96f-4b70-9557-d63ff4f3ccd8}
{6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
{b3f93023-9239-4f7c-b99c-6745d87adbc2}
{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
{771727b1-31b8-4cdf-ae62-4fe39fadf89e}
{612cb747-c0e8-4f92-9221-fdd5f15b550d}
{bf967aba-0de6-11d0-a285-00aa003049e2}
Additional Information:
Parameter 1: -
Parameter 2:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2011-09-23T14:10:14.200Z" />
<EventRecordID>128232590</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="924" />
<Channel>Security</Channel>
<Computer>servername.ourdomain.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-796845957-1715567821-682003330-1698</Data>
<Data Name="SubjectUserName">Username</Data>
<Data Name="SubjectDomainName">ourdomain</Data>
<Data Name="SubjectLogonId">0xb4d9d80</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967aba-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{474f39a0-a6c3-40f0-a1dd-24604b29e15e}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%7688
</Data>
<Data Name="AccessMask">0x100</Data>
<Data Name="Properties">---
{91e647de-d96f-4b70-9557-d63ff4f3ccd8}
{6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
{b3f93023-9239-4f7c-b99c-6745d87adbc2}
{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
{771727b1-31b8-4cdf-ae62-4fe39fadf89e}
{612cb747-c0e8-4f92-9221-fdd5f15b550d}
{bf967aba-0de6-11d0-a285-00aa003049e2}
</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2">
</Data>
</EventData>
</Event>
Doesn't really show where it's coming from. Seems like probably a brute force attack. Any ideas on how to nail this down? Thanks.
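As an added example (not from the question, the answers, or Experts Exchange), the Python script below parses Security-log records in the Event XML layout quoted above and triages a 4662 flood the way a defender would. A 4662 record names the subject account and its logon session (SubjectLogonId) but, as the poster notes, not the source host; the 4624 logon event that created the same session carries that session id as TargetLogonId together with WorkstationName and IpAddress, so joining the two answers where the operations originate. The events, domain, host names and addresses are constructed for the example; the access-mask table holds the standard directory access rights, with 0x100 decoding to the "Control Access" shown in the question's own record.

```python
"""Triage a flood of 4662 'Directory Service Access' audit failures.

All events below are constructed samples that follow the Event XML layout
quoted in the question; none are taken from the poster's logs.
"""
from collections import Counter
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
AUDIT_FAILURE_BIT = 0x0010000000000000   # set in Keywords for "Audit Failure"

# Directory access-mask bits (ADS_RIGHTS_ENUM); 0x100 is the "Control Access"
# right shown in the question's record.
DS_RIGHTS = {0x1: "Create Child", 0x2: "Delete Child", 0x4: "List Children",
             0x8: "Write Validated", 0x10: "Read Property",
             0x20: "Write Property", 0x40: "Delete Tree", 0x80: "List Object",
             0x100: "Control Access"}


def describe_access_mask(mask):
    """Expand an AccessMask such as 0x100 into the named directory rights."""
    return [name for bit, name in DS_RIGHTS.items() if mask & bit]


def _event(event_id, keywords, data):
    """Build one constructed Event XML string (helper for the sample data)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'<Keywords>{keywords:#x}</Keywords></System>'
            f'<EventData>{body}</EventData></Event>')


FAIL, SUCCESS = 0x8010000000000000, 0x8020000000000000
TARGET = "CN=bob,OU=Client Services,OU=Departments,DC=example,DC=com"
SAMPLE_EVENTS = [
    # Constructed 4624: the logon that created session 0xb4d9d80 (the source).
    _event(4624, SUCCESS, {"TargetUserName": "alice", "TargetLogonId": "0xb4d9d80",
                           "LogonType": "3", "WorkstationName": "WS-ACCT-07",
                           "IpAddress": "10.0.0.55"}),
] + [
    # Three constructed 4662 failures from that session against one user object.
    _event(4662, FAIL, {"SubjectUserName": "alice", "SubjectLogonId": "0xb4d9d80",
                        "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
                        "ObjectName": TARGET, "AccessMask": "0x100"})
    for _ in range(3)
] + [
    # A successful 4662 must not be counted as a failure.
    _event(4662, SUCCESS, {"SubjectUserName": "alice", "SubjectLogonId": "0xb4d9d80",
                           "ObjectName": TARGET, "AccessMask": "0x10"}),
    # A failure from a session with no 4624 in the export: source stays unknown.
    _event(4662, FAIL, {"SubjectUserName": "svc-backup", "SubjectLogonId": "0x3c21a",
                        "ObjectName": "CN=carol,OU=Departments,DC=example,DC=com",
                        "AccessMask": "0x100"}),
]


def parse_events(xml_strings):
    """Yield (event_id, keywords, {Data Name: value}) for each Event XML string."""
    for raw in xml_strings:
        root = ET.fromstring(raw)
        system = root.find("e:System", NS)
        event_id = int(system.findtext("e:EventID", namespaces=NS))
        keywords = int(system.findtext("e:Keywords", default="0x0", namespaces=NS), 16)
        data = {d.get("Name"): (d.text or "").strip()
                for d in root.find("e:EventData", NS).findall("e:Data", NS)}
        yield event_id, keywords, data


def triage_4662(xml_strings):
    """Count 4662 failures per (subject, object) and per logon session, then
    attribute each session to its source host via the matching 4624 event."""
    sessions = {}           # logon id -> (workstation, ip) taken from 4624
    per_pair = Counter()    # (subject account, object DN) -> failure count
    per_session = Counter()
    for event_id, keywords, d in parse_events(xml_strings):
        if event_id == 4624:
            sessions[d["TargetLogonId"].lower()] = (d.get("WorkstationName", "-"),
                                                    d.get("IpAddress", "-"))
        elif event_id == 4662 and keywords & AUDIT_FAILURE_BIT:
            per_pair[(d["SubjectUserName"], d["ObjectName"])] += 1
            per_session[d["SubjectLogonId"].lower()] += 1
    sources = []
    for logon_id, count in per_session.most_common():
        workstation, ip = sessions.get(logon_id, ("<no 4624 for this session>", "-"))
        sources.append({"logon_id": logon_id, "failures": count,
                        "workstation": workstation, "ip": ip})
    return per_pair, sources


if __name__ == "__main__":
    pairs, sources = triage_4662(SAMPLE_EVENTS)
    for (subject, obj), n in pairs.most_common():
        print(f"{n:4d} failures  {subject} -> {obj}")
    for s in sources:
        print(f"session {s['logon_id']}: {s['failures']} failures from "
              f"{s['workstation']} ({s['ip']})")
```

Run it against an XML export of the DC's Security log (Event Viewer "Save All Events As" in XML, or wevtutil's XML output) with both 4662 and 4624 in the same time window; sessions whose 4624 is missing show up as unattributed and usually mean the export started after the logon, or that the logon happened on a different DC. For the lockouts themselves, the 4740 "A user account was locked out" event on the PDC emulator records the caller computer name directly and is the quicker place to look.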
I do see the same event in our environment. Did anyone get a solution for this event ID flooding the domain controllers?