Win2000 AD user account mass lockout - Strange !



Very strange - We had a mass lockout of every user account in AD
yesterday. It was traced to a laptop running WinXP-SP1.

A check of the Security log on the DC shows about 3000 failure audits
over a 2 minute period, at least 10 per user account. It has somehow
walked the AD tree as it's tried everything across multiple OUs
including disabled user accounts.

The laptop is running Symantec Antivirus Corporate 8.1 with
definitions from June 9th.

Anyone ever seen anything like this?

Event Log Sample

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 6/22/2004
Time: 12:07:02 PM
Computer: xxxxxxx-x
Logon Failure:
Reason: Account locked out
User Name: joeuser
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VENTURI-SA5BUXB

Dan Sime
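
An added example (not part of the original posts): a Python script that reads a Security log exported as text in the layout of the sample above and flags any workstation whose failure audits cover many distinct accounts inside a short window. The export layout, the thresholds, the helper names and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon-failure event IDs on Windows 2000/XP/2003:
# 529 bad user name or password, 531 account disabled, 539 account locked out.
FAILURE_IDS = {"529", "531", "539"}
STAMP = "%m/%d/%Y %I:%M:%S %p"   # Date + Time as shown in the event text

def parse_events(text):
    """Split a text export into one dict per event ('Key: Value' lines)."""
    events, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "Event Type":      # first field of each record
            cur = {}
            events.append(cur)
        if cur is not None:
            cur[key.strip()] = value.strip()
    return events

def spraying_sources(events, min_users=5, window=timedelta(minutes=2)):
    """Return {workstation: most distinct accounts failed inside one window}."""
    by_host = defaultdict(list)
    for ev in events:
        if ev.get("Event ID") in FAILURE_IDS and ev.get("Workstation Name"):
            when = datetime.strptime(ev["Date"] + " " + ev["Time"], STAMP)
            by_host[ev["Workstation Name"]].append((when, ev.get("User Name", "").lower()))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                   # slide the window forward
            users = {user for _, user in hits[start:end + 1]}
            if len(users) >= min_users:
                flagged[host] = max(flagged.get(host, 0), len(users))
    return flagged

def _rec(eid, time, user, host):
    return (f"Event Type: Failure Audit\nEvent ID: {eid}\nDate: 6/22/2004\n"
            f"Time: {time}\nUser Name: {user}\nWorkstation Name: {host}\n\n")

# Constructed sample: one host failing six accounts, one user mistyping a password.
SAMPLE = "".join(_rec("539", f"12:07:{i:02d} PM", f"user{i}", "LAPTOP-A") for i in range(6))
SAMPLE += "".join(_rec("529", f"12:0{i}:30 PM", "joeuser", "DESK-B") for i in range(3))
```

A single source failing against many different accounts, disabled ones included, stands out from a user mistyping their own password, which produces repeated failures for one account only.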


On the face of it, it appears you have a virus problem or
security problem on that laptop. I know this may appear
to be an obvious comment. A few things that might help
discover 'how' it happened could be things like:
Is there a firewall in place?
Are there any abnormal processes running in task manager?
Does the laptop connect to the internet through
anything other than your network? (i.e. is it using its
own connection to the internet, providing an
'unprotected' route into your network from the outside?)
Have you checked Anti-Virus provider websites for info
on Viruses that do this?

Sorry that these are perhaps obvious questions, but those
are the areas I would research to get an idea of 'How'.

Probably not much help, but just my thoughts on it.

