Accounts locked

Guest

Hi All,

Users' accounts get randomly locked up. No changes have
been made in AD or elsewhere prior to this occurrence.

Any ideas please?

Thanks
 
Herb Martin

Hi All,

Users' accounts get randomly locked up. No changes have
been made in AD or elsewhere prior to this occurrence.

Any ideas please?

Turn on Account Logon auditing and try to isolate the
source.

Likely it is either some (forgotten) batch job or hard coded
program passwords, or you are actually under attack.
 
Mark Renoden [MSFT]

Hi

Have a look at the following:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

It makes some recommendations about settings and also discusses
troubleshooting issues like this. I usually approach this as follows:

1. Use Lockoutstatus.exe to determine which DC's are getting hit with bad
passwords.

2. Enable auditing on these DC's and review the event logs to see which
clients the bad attempts are coming from. If the bad attempts are very
frequent (many in the same second) then it's probably process driven.

3. If it looks process driven, use alockout.dll on those clients to
determine the responsible process.

4. If it's not process driven, have a chat with the users who are typing
their passwords badly!

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
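
Step 2 of the procedure above, sketched as an added example (not code from the thread or from the Microsoft tools it mentions): given failed-logon audit events exported from the DCs, group them by user and client and flag any source with several attempts in one second as process driven. The CSV layout, the host and user names, and the threshold of 3 attempts per second are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: failed-logon audit events exported from two DCs as CSV.
# Column layout, host names and user names are assumptions for this example.
SAMPLE = """\
time,dc,user,client
2024-03-04 09:15:02,DC01,jsmith,APPSRV07
2024-03-04 09:15:02,DC01,jsmith,APPSRV07
2024-03-04 09:15:02,DC02,jsmith,APPSRV07
2024-03-04 09:15:03,DC01,jsmith,APPSRV07
2024-03-04 09:20:11,DC02,akhan,WKS-114
2024-03-04 09:20:48,DC02,akhan,WKS-114
"""

def load_events(text):
    """Parse the CSV export, converting 'time' to a datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    return rows

def triage(events, burst=3):
    """Label each (user, client) source of bad passwords.
    'process' if any one second holds >= burst attempts (assumed threshold,
    faster than a person types), otherwise 'interactive'.
    """
    per_second = defaultdict(Counter)  # (user, client) -> {second: count}
    dcs = defaultdict(set)             # (user, client) -> DCs that logged it
    for e in events:
        key = (e["user"], e["client"])
        per_second[key][e["time"]] += 1
        dcs[key].add(e["dc"])
    report = {}
    for key, seconds in per_second.items():
        peak = max(seconds.values())
        report[key] = {
            "attempts": sum(seconds.values()),
            "peak_per_second": peak,
            "dcs": sorted(dcs[key]),
            "kind": "process" if peak >= burst else "interactive",
        }
    return report

if __name__ == "__main__":
    for source, info in triage(load_events(SAMPLE)).items():
        print(source, info)
```

Clients labelled `process` are the ones to examine with alockout.dll in step 3; the `dcs` list corresponds to what step 1 identifies.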
 
Herb Martin

Mark Renoden said:
Hi

Have a look at the following:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

It makes some recommendations about settings and also discusses
troubleshooting issues like this. I usually approach this as follows:

That is a much better answer than my response. Those tools
(Lockoutstatus.exe and alockout.dll) are cool. THANKS.

LockoutStatus.exe is included with the ALTools.exe package that
is available at "Account Lockout and Management Tools" on the
Microsoft Web site:

http://go.microsoft.com/fwlink/?linkid=16174 or
<http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en>

Do you know of any tool -- or reasonable method to match
up -- to figure out the source IP address when an event log
entry records a Failed Logon Attempt on a Web server?

In theory, we could match up the IIS log, or perhaps a
Snort (or other IDS) log, with the Event log using some
tool.

The problem of course is that no IP address is given in
the Event Log for the failure (due to historical reasons
probably.)

--
Herb Martin

 
