Solved

Audit Failure and Account Lockouts - Active Directory

Posted on 2014-10-03
2
474 Views
Last Modified: 2014-10-04
I have a SBS 2011 Server and currently issues with account lockouts and Audit failures. All users use Exchange Active Synch, RWW and OWA. The login attempt originating externally and I have trouble resolving the issue. I have attempted to block the external IP address in the firewall but does not seem to make a difference. Any help is very much appreciated. Below the audit failure details.
Security ID:            SYSTEM
      Account Name:            TLWSVR$
      Account Domain:            TLW
      Logon ID:            0x3e7

Logon Type:                  8

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            sue
      Account Domain:            tlw

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x23c8
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
      Workstation Name:      TLWSVR
      Source Network Address:      101.168.213.75
      Source Port:            15060

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
0
Comment
Question by:co_ol
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40361147
My instinct would be that the user has entered their password somewhere - mobile device most likely. The password has then been changed on the account but the device hasn't been updated.

If it happening to multiple users, then someone is doing an authentication attack. The address belongs to the Australian ISP Telstra. I presume it isn't your address?

You could use IP address restrictions on IIS to block that address if it is constantly the same address.

Simon.
0
 

Author Comment

by:co_ol
ID: 40361808
I was unable to determine who that ip address belongs to but was able to block that ip address. Unless someone complains about unable to access the server i assume it is an unauthorized access. Thanks
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question