I have an issue I’ve been dealing with for about 6 or 7 months. I have 13-15 accounts in AD that get locked out at random at all hours of the day and night. Originally it started with the office manager and one of the company owners, but it has expanded to other users over time. The office manager’s account is by leaps and bounds the most prevalent; it has locked out 101 times since I installed Netwrix Account Lockout Examiner in February. The next closest is the owner at 42 lockouts. The next most frequent is 25. Using Netwrix Account Lockout Manager I have traced the culprit machine to my Exchange 2003 server, but I can’t tell if it is something with the AD connector back to my DC or something else that is actually on my Exchange server, and I’m just not really sure where to go from here.
Initially I thought it was the users’ BYOD mobile devices or Outlook Web Access, but I have tested this by disabling both services for the main problem user, and I was still getting lockouts. Also, this issue has happened with users that don’t have mobile access. I’m absolutely certain the problem isn’t incorrect passwords, as their mobile devices work correctly with the stored passwords after their accounts have been unlocked.
In my research I found information about the Conficker virus, and the symptoms sounded like they were exactly what I’ve been experiencing. I’ve used nmap and McAfee’s Conficker scanning utility to search my network immediately after an account lockout occurred, but the results have come up negative.
One of the latest symptoms: my account and the user that is my backup when I’m absent were locked out simultaneously today. This also happened about a week and a half ago, both at exactly the same time. Another weird symptom: one of the accounts that was locked out recently was a terminated employee who has been gone for almost a year. His account is disabled and he doesn’t belong to any distribution or security groups. His email address is hidden from the public address book. Any mail to him is forwarded to his replacement.
The Exchange server is Exchange 2003 on a Windows Server 2003 R2 SP2 OS, the DC is Windows Server 2008 R2. The domain functional level is Windows Server 2008 R2, and has been for over 2 years without any prior issue. In short, nothing in the AD infrastructure has changed in the last 2 years, and I’m the only one with access to do so.
My last reboot of the DCs was this morning. My last reboot of the Exchange server was 2 weeks ago. The lockout of my account and the other user today was after the server reboot.
I’m using a mix of Trend Micro Office Scan and Microsoft Security Essentials, but I’m in the process of negotiating a price for Kaspersky Select so I can have a better centrally managed system.
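The same tracing the post does with Netwrix can be done natively from the Windows Server 2008 R2 DC's Security log, as an added example that is not from the original post or any Netwrix tool. It assumes it is run as a domain admin on the PDC emulator (every lockout is recorded there regardless of which DC processed the bad password), that "Audit User Account Management" auditing is enabled, and `$Days` and `$Users` are placeholder inputs; it groups lockouts by account, by caller computer, and by same-minute clusters, which is the "locked out simultaneously" symptom described above.

```powershell
# Added example (not from the original post): summarize Security event 4740
# (account lockout) from the PDC emulator to find which host originates lockouts.
# Assumptions: run elevated on the PDC emulator, account-management auditing on.
param(
    [int]      $Days  = 30,
    [string[]] $Users = @()      # placeholder, e.g. @('officemanager'); empty = all
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No 4740 events in the last $Days days (check auditing / PDC role)"; return }

$lockouts = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # In 4740, TargetUserName is the locked-out account and TargetDomainName
    # carries the "Caller Computer Name": the host that presented the bad credentials.
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $d['TargetUserName']
        Caller = $d['TargetDomainName']
    }
}

if ($Users.Count -gt 0) { $lockouts = $lockouts | Where-Object { $Users -contains $_.User } }

"=== Lockouts per user (last $Days days) ==="
$lockouts | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"=== Lockouts per caller computer ==="
$lockouts | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Several accounts locked in the same minute suggests one process on one host
# replaying a set of stored credentials, rather than users mistyping passwords.
"=== Lockouts sharing the same minute (possible common source) ==="
$lockouts | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        '{0}: {1}' -f $_.Name, (($_.Group | ForEach-Object { "$($_.User)@$($_.Caller)" }) -join ', ')
    }
```

Once the caller host is confirmed, its own Security log is the next place to look; a Windows Server 2003 box still uses the legacy failed-logon event ID 529, whose process and logon-type fields show which service is presenting the stale credential.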