Solved

Domain accounts getting locked out

Posted on 2011-09-23
3
3,246 Views
Last Modified: 2016-06-05
All of our domain accounts keep getting locked out numerous times during the day for the past couple of days.  In the event log on a DC, there are constant audit failures, event ID 4662:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/23/2011 10:10:14 AM
Event ID:      4662
Task Category: Directory Service Access
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      servername.ourdomain.com
Description:
An operation was performed on an object.

Subject :
      Security ID:            domain\user[
      Account Name:            username
      Account Domain:            ourdomain
      Logon ID:            0xb4d9d80

Object:
      Object Server:            DS
      Object Type:            user
      Object Name:            CN=useraccount\OU=Client Services,OU= Departments,DC=ourdomain,DC=com
      Handle ID:            0x0

Operation:
      Operation Type:            Object Access
      Accesses:            Control Access
                  
      Access Mask:            0x100
      Properties:            ---
            {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
                  {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
                  {b3f93023-9239-4f7c-b99c-6745d87adbc2}
                  {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
            {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
                  {612cb747-c0e8-4f92-9221-fdd5f15b550d}
      {bf967aba-0de6-11d0-a285-00aa003049e2}


Additional Information:
      Parameter 1:            -
      Parameter 2:            
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4662</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14080</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-09-23T14:10:14.200Z" />
    <EventRecordID>128232590</EventRecordID>
    <Correlation />
    <Execution ProcessID="820" ThreadID="924" />
    <Channel>Security</Channel>
    <Computer>servername.ourdomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-796845957-1715567821-682003330-1698</Data>
    <Data Name="SubjectUserName">Username</Data>
    <Data Name="SubjectDomainName">ourdomain</Data>
    <Data Name="SubjectLogonId">0xb4d9d80</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{bf967aba-0de6-11d0-a285-00aa003049e2}</Data>
    <Data Name="ObjectName">%{474f39a0-a6c3-40f0-a1dd-24604b29e15e}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="AccessList">%%7688
                  </Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">---
            {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
                  {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
                  {b3f93023-9239-4f7c-b99c-6745d87adbc2}
                  {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
            {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
                  {612cb747-c0e8-4f92-9221-fdd5f15b550d}
      {bf967aba-0de6-11d0-a285-00aa003049e2}
</Data>
    <Data Name="AdditionalInfo">-</Data>
    <Data Name="AdditionalInfo2">
    </Data>
  </EventData>
</Event>

Doesn't really show where it's coming from.  Seems like probably a brute force attack.  Any ideas on how to nail this down?  Thanks.
0
Comment
Question by:SSEHelpDesk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 

Accepted Solution

by:
haxxy earned 250 total points
ID: 36587446
You probably have Downadup.B worm.

Read this document from symantec on how to remove it. http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 36587456
This sounds like malware  last year there was a lot of these and it was conficker  http://blogs.technet.com/b/rhalbheer/archive/2009/01/13/additional-information-on-conficker-msrt-removing-conficker.aspx

Not saying you have it but start scanning the network.  If it was one or two accounts there are other troubleshooting methods but almost every account being randomly locked out is a different thing.

Thanks

Mike
0
 

Expert Comment

by:qgmaster
ID: 41637998
I do see the same event in our environment ,did anyone got a solution this event id flooding in Domain Controllers
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question