Account locking out

Guest

I'm on a Windows 2000 domain. We're on a single site with 3 DCs, all
configured as GCs. There are approximately 350 users.

We have a service account that's suddenly continually locking itself out. I
understand that someone somewhere has probably configured something to start
using the credentials of this account and probably fat-fingered the password,
but I need to determine this down to a machine if possible. We have about 35
servers and it will be a huge headache to scour every single machine.

The security event log doesn't seem to show me the machine that the lockout
is occurring on. The log is set to have a max size of 100 MB and overwrite
events as needed; I've exported it to prevent anything relevant from being
overwritten. The domain auditing policy is as follows:

Account Logon Events S, F
Account Management S, F
Directory Service Access S, F
Logon Events S, F
Object Access S, F
Policy Change S, F
System Events F

Any help would be appreciated.
 
Steven L Umbach

I believe if you search the security logs of all the domain controllers for
lockout event IDs that it may show the user account name and computer
name - but not 100 percent sure. Just make sure that you have auditing of
account management enabled in Domain Controller Security Policy also. Event
Comb will be very useful for you in searching the domain controller security
logs for specific event IDs. The other thing you could try is netlogon
logging on your domain controllers, starting with the PDC FSMO. There is a
free tool to parse the netlogon log looking for logon failures. The link
below may help; it includes tools to use and a link to a white paper on
account lockouts that also explains netlogon logging. --- Steve

http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
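
The netlogon-log approach from the reply above, as an added example that is not part of the original posts or of the Microsoft tools linked there: it tallies failed logons for one account per source machine, which is the question the original poster needs answered. The line layout in the regex, the account name svc_backup and the host names are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# NTSTATUS codes that matter when tracing a lockout.
FAILURE_CODES = {
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
}

# Assumed netlogon.log line shape (verify against your own log):
#   MM/DD HH:MM:SS [LOGON] SamLogon: Network logon of DOMAIN\user from HOST Returns 0xNNNNNNNN
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\].*?"
    r"logon of (?P<domain>[^\\\s]*)\\(?P<user>\S+) from (?P<host>\S+) "
    r"Returns (?P<status>0x[0-9A-Fa-f]{8})\s*$"
)

def failures_by_host(lines, account):
    """Count failed logons for `account`, keyed by (source host, reason)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["user"].lower() != account.lower():
            continue  # "Entered" lines, successes (0x0) and other accounts
        status = "0x" + m["status"][2:].upper()
        if status in FAILURE_CODES:
            counts[(m["host"].upper(), FAILURE_CODES[status])] += 1
    return counts

# Constructed sample lines; domain, account and host names are made up.
SAMPLE_LOG = r"""
06/12 09:14:02 [LOGON] SamLogon: Network logon of CORP\svc_backup from APPSRV07 Entered
06/12 09:14:02 [LOGON] SamLogon: Network logon of CORP\svc_backup from APPSRV07 Returns 0xC000006A
06/12 09:14:32 [LOGON] SamLogon: Network logon of CORP\svc_backup from APPSRV07 Returns 0xC000006A
06/12 09:15:02 [LOGON] SamLogon: Network logon of CORP\svc_backup from APPSRV07 Returns 0xC0000234
06/12 09:15:10 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS112 Returns 0xC000006A
06/12 09:15:40 [LOGON] SamLogon: Network logon of CORP\svc_backup from FILESRV02 Returns 0x0
""".splitlines()

if __name__ == "__main__":
    hits = failures_by_host(SAMPLE_LOG, "svc_backup")
    for (host, reason), n in hits.most_common():
        print(f"{host:12} {reason:20} {n}")
```

Run it over the netlogon.log from each domain controller; the host with the highest wrong-password count for the service account is the first machine to inspect.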
 
Guest

Thanks!
 
