Solved

Domain accounts getting locked out

Posted on 2011-09-23
3
3,148 Views
Last Modified: 2016-06-05
All of our domain accounts keep getting locked out numerous times during the day for the past couple of days.  In the event log on a DC, there are constant audit failures, event ID 4662:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/23/2011 10:10:14 AM
Event ID:      4662
Task Category: Directory Service Access
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      servername.ourdomain.com
Description:
An operation was performed on an object.

Subject :
      Security ID:            domain\user[
      Account Name:            username
      Account Domain:            ourdomain
      Logon ID:            0xb4d9d80

Object:
      Object Server:            DS
      Object Type:            user
      Object Name:            CN=useraccount\OU=Client Services,OU= Departments,DC=ourdomain,DC=com
      Handle ID:            0x0

Operation:
      Operation Type:            Object Access
      Accesses:            Control Access
                  
      Access Mask:            0x100
      Properties:            ---
            {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
                  {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
                  {b3f93023-9239-4f7c-b99c-6745d87adbc2}
                  {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
            {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
                  {612cb747-c0e8-4f92-9221-fdd5f15b550d}
      {bf967aba-0de6-11d0-a285-00aa003049e2}


Additional Information:
      Parameter 1:            -
      Parameter 2:            
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4662</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14080</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-09-23T14:10:14.200Z" />
    <EventRecordID>128232590</EventRecordID>
    <Correlation />
    <Execution ProcessID="820" ThreadID="924" />
    <Channel>Security</Channel>
    <Computer>servername.ourdomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-796845957-1715567821-682003330-1698</Data>
    <Data Name="SubjectUserName">Username</Data>
    <Data Name="SubjectDomainName">ourdomain</Data>
    <Data Name="SubjectLogonId">0xb4d9d80</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{bf967aba-0de6-11d0-a285-00aa003049e2}</Data>
    <Data Name="ObjectName">%{474f39a0-a6c3-40f0-a1dd-24604b29e15e}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="AccessList">%%7688
                  </Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">---
            {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
                  {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
                  {b3f93023-9239-4f7c-b99c-6745d87adbc2}
                  {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
            {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
                  {612cb747-c0e8-4f92-9221-fdd5f15b550d}
      {bf967aba-0de6-11d0-a285-00aa003049e2}
</Data>
    <Data Name="AdditionalInfo">-</Data>
    <Data Name="AdditionalInfo2">
    </Data>
  </EventData>
</Event>

Doesn't really show where it's coming from.  Seems like probably a brute force attack.  Any ideas on how to nail this down?  Thanks.
0
Comment
Question by:SSEHelpDesk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 

Accepted Solution

by:
haxxy earned 250 total points
ID: 36587446
You probably have Downadup.B worm.

Read this document from symantec on how to remove it. http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 36587456
This sounds like malware  last year there was a lot of these and it was conficker  http://blogs.technet.com/b/rhalbheer/archive/2009/01/13/additional-information-on-conficker-msrt-removing-conficker.aspx

Not saying you have it but start scanning the network.  If it was one or two accounts there are other troubleshooting methods but almost every account being randomly locked out is a different thing.

Thanks

Mike
0
 

Expert Comment

by:qgmaster
ID: 41637998
I do see the same event in our environment ,did anyone got a solution this event id flooding in Domain Controllers
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Static IP Address Assignment 10 83
Developing a front end to SPLUNK 1 66
Introduce 2012r2 or 2016 Dc to a 2008r2 domain? 3 78
Windows Modify Permissions 19 66
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question