Account Lockout policy problem


Guest

I implemented an account lockout policy (5 invalid logons) for the domain's
default policy. I noticed that user accounts on the domain always lock out. I
enabled auditing for account logon events and object access, but no events are
logged when I look at Security in Event Viewer. I decided to set the lockout
policy to 'not defined', but users still lock out. Does my system have a
security issue? How can I check and remedy this? I'm using Windows 2000
Server SP4, and it is also a SQL 2000 server. Thanks for any help.
 

Steven L Umbach

First off, I suggest you set the threshold to at least ten, per Microsoft's
recommendations. Then enable auditing of "account logon events" and "account
management" in Domain Controller Security Policy. You can leave auditing enabled for
the domain, but you will find most of the information in the domain controller
security logs, though you should find failed logons in the security log of the domain
computers for failed logons due to account lockouts. It is hard to say if you have a
security issue without knowing more. Generally, large amounts of failed logons to the
administrator account for the domain and local administrator accounts on domain
computers are a reason for concern, and note those accounts cannot be locked out by
default. See the links below and pay attention to how to use Event Comb to scan
multiple computers for specific events. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch02.mspx -- great
article on domain-level policy recommendations.
http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx -- Microsoft
security guidance for small businesses.
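Added example, not code from the thread or from either poster: a PowerShell script that does the job Steve hands to Event Comb, pulling lockout and failed-logon events from every domain controller and summarising which accounts lock out, from which computer, and whether an account that cannot lock out (the built-in Administrator by default) is being guessed at. It assumes a current Windows domain (Get-WinEvent, the ActiveDirectory module, and the Vista/2008-and-later event IDs; Windows 2000/2003 DCs logged the same conditions as 644, 529 and 675) and that auditing has already been turned on. The `auditpol` lines in the header comment, the `$WatchAccounts` parameter and the helper names are this example's own choices.

```powershell
<#
  Added example (not part of the original thread). Collects lockout and failed-logon
  events from all DCs and summarises them by account and source computer.

  Assumed environment: Windows Server 2008+ DCs, RSAT ActiveDirectory module, run from
  an account that can read the DCs' Security logs.

  Assumed audit settings (modern equivalents of the "account logon" and "account
  management" categories the reply asks for), applied in the DC policy or via:
    auditpol /set /subcategory:"User Account Management" /success:enable
    auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable
    auditpol /set /subcategory:"Credential Validation" /failure:enable
    auditpol /set /subcategory:"Logon" /failure:enable
#>
param(
    [int]$Hours = 24,
    # Accounts whose failures matter even without a 4740, because they never lock out.
    [string[]]$WatchAccounts = @('Administrator')
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# Read a named EventData field from the event XML rather than trusting Properties[] order.
function Get-EventField {
    param($Event, [string]$Name)
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -ExpandProperty '#text'
}

# Query one DC for a set of event IDs. An unreachable DC is a warning, not a stop;
# "no events found" is normal and is silenced.
function Get-DcEvents {
    param([string]$Dc, [int[]]$Id)
    try {
        Get-WinEvent -ComputerName $Dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since }
    } catch {
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$Dc : $($_.Exception.Message)"
        }
    }
}

# 1. Lockouts (4740). The event names the locked account and the computer the bad
#    passwords came from ("Caller Computer Name", stored in TargetDomainName). That
#    computer is where to look for the stale credential: a service, a mapped drive,
#    a scheduled task or a saved logon still using an old password.
$lockouts = foreach ($dc in $dcs) {
    foreach ($e in Get-DcEvents -Dc $dc -Id 4740) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc
            Account = Get-EventField $e 'TargetUserName'
            Source  = Get-EventField $e 'TargetDomainName'
        }
    }
}

"`nLockouts in the last $Hours h, by account and source computer:"
$lockouts | Group-Object Account, Source |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Accounts that cannot be locked out never produce a 4740, so a guessing run against
#    them shows only as the failures themselves on the DCs: 4771 (Kerberos pre-auth
#    failed; Status 0x18 = bad password) and 4776 (NTLM credential validation failed;
#    Status 0xC000006A = bad password).
$failures = foreach ($dc in $dcs) {
    foreach ($e in Get-DcEvents -Dc $dc -Id 4771, 4776) {
        $acct = Get-EventField $e 'TargetUserName'
        if ($WatchAccounts -notcontains $acct) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc
            Account = $acct
            Id      = $e.Id
            # 4771 records the client IP address; 4776 records the workstation name.
            Source  = if ($e.Id -eq 4771) { Get-EventField $e 'IpAddress' }
                      else                { Get-EventField $e 'Workstation' }
            Status  = Get-EventField $e 'Status'
        }
    }
}

"`nFailed logons for watched accounts in the last $Hours h, by source:"
$failures | Group-Object Account, Source |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it from an administrative workstation with something like `.\Find-LockoutSource.ps1 -Hours 48 -WatchAccounts Administrator, svc_sql`. A single source computer generating lockouts for one account across many DCs points at a cached credential on that computer; many distinct sources failing against the same watched account, all with a bad-password status, is the pattern Steve says to treat as a reason for concern.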
 
