Problem with Lockout Accounts

[Guest]

Problem with Lockout Accounts
I have a strange problem on my Win 2K Adv Server(SP4).
This is the domain controller of my Active Directory. I
noticed all my user accounts, including admin, are
getting locked out every so often. I checked my security
log and it has recorded multiple events of logon failures
from a workstation of my domain. The stranger is that 300
accounts were blocked at the same time, And nonencounter
any event that indicates the insolvent attempts to me
before blocking them, but if I intentionally block an
account if events are registered. Any help would be much
appreciated. Thanks.

 

[Johan Arwidmark]

You most likely have some computer on your network running software to
crack passwords on your server

Make sure you have enabled auditing, then you will find the computer
trying to logon in the security event log. Look for the following
events: 529, 644, 675, 676, and 681

There is a really great (IMHO) webcast about troubleshooting account
lockout issues given by Mike Resnick and Joe Vasil (MSFT)

Support WebCast: Microsoft Windows 2000 Server and Windows Server
2003: Password and Account Lockout Features
http://support.microsoft.com/default.aspx?kbid=813500


regards
Johan Arwidmark

Windows User Group - Nordic
http://www.wug-nordic.net

 

[Nathan]

-----Original Message-----

You most likely have some computer on your network

running software to

I agree, if it was just one or two accounts I would not be
alarmed. Even dozens of accounts across a large network
will be locked on a regular basis as users share passwords
that were changed. This most certainly looks like
a "brute force" attack against password security. Given
enough time it will even work, so identify the culprit
computer and associated user and take appropriate action.

 

[Veets]

I've seen this happen if you're running scheduled tasks/services with an old
account password that has expired. Just a thought.
Veets