Solved

Domain accounts getting locked out

Posted on 2011-09-23
Last Modified: 2016-06-05
All of our domain accounts keep getting locked out numerous times during the day for the past couple of days.  In the event log on a DC, there are constant audit failures, event ID 4662:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/23/2011 10:10:14 AM
Event ID:      4662
Task Category: Directory Service Access
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      servername.ourdomain.com
Description:
An operation was performed on an object.

Subject :
      Security ID:            domain\user
      Account Name:            username
      Account Domain:            ourdomain
      Logon ID:            0xb4d9d80

Object:
      Object Server:            DS
      Object Type:            user
      Object Name:            CN=useraccount\OU=Client Services,OU= Departments,DC=ourdomain,DC=com
      Handle ID:            0x0

Operation:
      Operation Type:            Object Access
      Accesses:            Control Access
                  
      Access Mask:            0x100
      Properties:            ---
            {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
                  {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
                  {b3f93023-9239-4f7c-b99c-6745d87adbc2}
                  {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
            {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
                  {612cb747-c0e8-4f92-9221-fdd5f15b550d}
      {bf967aba-0de6-11d0-a285-00aa003049e2}


Additional Information:
      Parameter 1:            -
      Parameter 2:            
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4662</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14080</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-09-23T14:10:14.200Z" />
    <EventRecordID>128232590</EventRecordID>
    <Correlation />
    <Execution ProcessID="820" ThreadID="924" />
    <Channel>Security</Channel>
    <Computer>servername.ourdomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-796845957-1715567821-682003330-1698</Data>
    <Data Name="SubjectUserName">Username</Data>
    <Data Name="SubjectDomainName">ourdomain</Data>
    <Data Name="SubjectLogonId">0xb4d9d80</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{bf967aba-0de6-11d0-a285-00aa003049e2}</Data>
    <Data Name="ObjectName">%{474f39a0-a6c3-40f0-a1dd-24604b29e15e}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="AccessList">%%7688
                  </Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">---
            {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
                  {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
                  {b3f93023-9239-4f7c-b99c-6745d87adbc2}
                  {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
            {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
                  {612cb747-c0e8-4f92-9221-fdd5f15b550d}
      {bf967aba-0de6-11d0-a285-00aa003049e2}
</Data>
    <Data Name="AdditionalInfo">-</Data>
    <Data Name="AdditionalInfo2">
    </Data>
  </EventData>
</Event>

Doesn't really show where it's coming from.  Seems like probably a brute force attack.  Any ideas on how to nail this down?  Thanks.
Question by:SSEHelpDesk
3 Comments

Accepted Solution

by:
haxxy earned 250 total points
ID: 36587446
You probably have the Downadup.B worm.

Read this document from symantec on how to remove it. http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 36587456
This sounds like malware. Last year there were a lot of these and it was Conficker: http://blogs.technet.com/b/rhalbheer/archive/2009/01/13/additional-information-on-conficker-msrt-removing-conficker.aspx

Not saying you have it but start scanning the network.  If it was one or two accounts there are other troubleshooting methods but almost every account being randomly locked out is a different thing.

Thanks

Mike

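The "other troubleshooting methods" Mike refers to are worth spelling out, because the 4662 event in the question cannot answer "where is it coming from": a 4662 audit failure records that a logon session lacked a control-access right (access mask 0x100) on a user object, not a bad password or a client address. The events that do carry the source are 4740 (account locked out, always written on the PDC emulator, with the caller computer name), 4771 (Kerberos pre-authentication failure, with the client IP) and 4776 (NTLM credential validation, with the client workstation name). The script below is an added example, not something posted in this thread; it assumes it is run from a domain-joined admin workstation with the ActiveDirectory RSAT module and remote read access to the DCs' Security logs, and the 24-hour lookback is my choice.

```powershell
# Added example: trace domain-wide lockouts back to their source machines.
# Assumptions (not from the original thread): ActiveDirectory module available,
# remote Security-log read rights on all DCs, $Hours lookback chosen here.
param([int]$Hours = 24)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)

# Pull the named <Data> fields of a Security event's XML into a hashtable,
# the same EventData structure the question's 4662 event XML shows.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 1. Lockouts (4740) are always recorded on the PDC emulator, whichever DC saw the
#    bad passwords. In 4740 the TargetDomainName field is the "Caller Computer Name".
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $f.TargetUserName
            Caller  = $f.TargetDomainName
        }
    }

"Lockouts in the last $Hours h on $pdc, by caller computer:"
$lockouts | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Caller';   e = { $_.Name } },
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 2. The failed attempts themselves land on whichever DC authenticated them:
#    4771 (Kerberos pre-auth failed, IpAddress = client) and 4776 (NTLM validation,
#    Workstation = client name). Sweep every writable DC and count per source.
$dcs = (Get-ADDomain).ReplicaDirectoryServers
$attempts = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $since
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Get-EventFields $_
            if ($_.Id -eq 4771) {
                # Status 0x18 = KDC_ERR_PREAUTH_FAILED, i.e. wrong password
                if ($f.Status -ne '0x18') { return }
                $src = $f.IpAddress -replace '^::ffff:', ''
            } else {
                # 4776 with a non-zero Status is a failed validation (0xc000006a = bad password)
                if ($f.Status -eq '0x0') { return }
                $src = $f.Workstation
            }
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                Id      = $_.Id
                Account = $f.TargetUserName
                Source  = $src
            }
        }
}

"Failed password attempts in the last $Hours h across $($dcs.Count) DCs, by source:"
$attempts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Source';   e = { $_.Name } },
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize
```

Two caveats when reading the output. 4771 and 4776 are only written if the "Audit Kerberos Authentication Service" and "Audit Credential Validation" subcategories are enabled on the DCs (in 2011-era domains they are on by default only for failures under the legacy "Audit account logon events" policy), so an empty second table usually means the audit policy, not a clean network. And the 4740 caller computer name is blank or misleading for some sources (lockouts originating from a DC's own service, from NLA/RDP gateways, or from a device behind a NAT), which is exactly when the 4771 client IP on the individual DCs is the field to trust. A single workstation or a handful of them at the top of either table, hitting many different accounts, is the pattern a password-guessing worm produces, and those are the hosts to pull off the network and scan first.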
Expert Comment

by:qgmaster
ID: 41637998
I see the same event in our environment. Did anyone get a solution for this event ID flooding the Domain Controllers?