Umiotoko
Very strange - We had a mass lockout of every user account in AD
yesterday. It was traced to a laptop running WinXP-SP1.
A check of the Security log on the DC shows about 3000 failure audits
over a 2 minute period, at least 10 per user account. It has somehow
walked the AD tree as it's tried everything across multiple OUs
including disabled user accounts.
The laptop is running Symantec Antivirus Corporate 8.1 with
definitions from June 9th.
Anyone ever seen anything like this?
Event Log Sample
================
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 6/22/2004
Time: 12:07:02 PM
User: NT AUTHORITY\SYSTEM
Computer: xxxxxxx-x
Description:
Logon Failure:
Reason: Account locked out
User Name: joeuser
Domain: VENTURI-SA5BUXB
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VENTURI-SA5BUXB
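
Added example, not part of the original post: a Python sketch that parses Security log records exported as text in the format shown above and flags any workstation whose logon failures cover many distinct accounts within a short window, the pattern the post describes. The 2-minute window matches the post; the threshold of 10 distinct accounts, the host names LAPTOP-EXAMPLE and DESK-EXAMPLE, the sample users, and the inclusion of event IDs 529 and 531 alongside 539 are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Pre-Vista logon failures: 529 bad password, 531 account disabled, 539 locked out.
FAILURE_IDS = {"529", "531", "539"}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?)\s*:\s*(.*?)\s*$")

def parse_records(text):
    """Split a text export into dicts; each record starts at 'Event Type:'."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":
            current = {}
            records.append(current)
        if m and current is not None and m.group(2):
            current[m.group(1)] = m.group(2)
    return records

def find_sweeps(records, window=timedelta(minutes=2), min_accounts=10):
    """Return {workstation: most distinct accounts failing inside one window}."""
    by_host = defaultdict(list)
    for r in records:
        if r.get("Event ID") in FAILURE_IDS and "User Name" in r:
            ts = datetime.strptime(f"{r['Date']} {r['Time']}", "%m/%d/%Y %I:%M:%S %p")
            by_host[r.get("Workstation Name", "?")].append((ts, r["User Name"].lower()))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        start, best, counts = 0, 0, Counter()
        for ts, user in events:
            counts[user] += 1
            while ts - events[start][0] > window:  # slide the left edge forward
                counts[events[start][1]] -= 1
                start += 1
            best = max(best, len(+counts))  # +counts drops accounts with zero hits
        if best >= min_accounts:
            flagged[host] = best
    return flagged

def constructed_sample():
    tmpl = ("Event Type: Failure Audit\nEvent ID: {eid}\nDate: 6/22/2004\n"
            "Time: 12:{m:02d}:{s:02d} PM\nUser Name: {u}\nWorkstation Name: {h}\n")
    sweep = [tmpl.format(eid=539, m=7, s=i, u=f"user{i % 15}", h="LAPTOP-EXAMPLE") for i in range(45)]
    benign = [tmpl.format(eid=529, m=7 + 10 * i, s=0, u="alice", h="DESK-EXAMPLE") for i in range(3)]
    return "".join(sweep + benign)  # constructed data, not taken from a real log

if __name__ == "__main__":
    print(find_sweeps(parse_records(constructed_sample())))
```

A single user mistyping a password repeatedly stays under the threshold because only distinct account names are counted per workstation.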