All accounts get locked out




I have a Windows 2000 network with 3 domain controllers (Advanced Server)
and about 50 Windows 2000 Professional clients.
All the accounts get locked out, strangely, about three times a day. The
frequency of this has increased. The account lockout policies are set to
default only. I have checked the Domain Security Policy as well as the
Default Domain Policy. I don't notice anything out of way.
However, in Event log, I get messages like:
Logon Failure:

Reason: Unknown user name or bad password

User Name: administrador


Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: BRBROWN

My domain name is GLOBALTECH, and there's no workstation named BRBROWN!!!

I also get some messages like:
Logon Failure:

Reason: Account locked out

User Name: harshal

Domain: ISERVE

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: COMP21

Here, the username is true, even though the domain name and workstation do
not exist!!

The above are Failure Audits.
There are also success audits:
Domain Policy Changed: Password Policy modified



Caller User Name: NETFIN$

Caller Domain: GLOBALTECH

Caller Logon ID: (0x0,0x3E7)

Privileges: -

Kerberos Policy Changed:

Changed By:

User Name: NETFIN$


Logon ID: (0x0,0x3E7)

Changes made:

('--' means no changes, otherwise each change is shown as:

<ParameterName>: <new value> (<old value>))


NETFIN is my main domain controller.
I have Microsoft ISA on a domain controller called SERVER3.
IIS isn't running anywhere on a live IP.

Am I getting attacked?? Please help!!

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question