Accounts locked

Archived from groups: microsoft.public.win2000.active_directory

Hi All,

Users' accounts get randomly locked up. No changes have
been made in AD or elsewhere prior to this occurrence.

Any ideas please ?

Thanks
  1. Archived from groups: microsoft.public.win2000.active_directory

    <chv@anon.postalias> wrote in message
    news:0a9101c4dad9$4b9179c0$a501280a@phx.gbl...
    > Hi All,
    >
    > Users' accounts get randomly locked up. No changes have
    > been made in AD or elsewhere prior to this occurrence.
    >
    > Any ideas please ?

    Turn on Account Logon auditing and try to isolate the
    source.

    Likely it is either some (forgotten) batch job or hard coded
    program passwords, or you are actually under attack.


    --
    Herb Martin

  2. Archived from groups: microsoft.public.win2000.active_directory

    Hi

    Have a look at the following:

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

    It makes some recommendations about settings and also discusses
    troubleshooting issues like this. I usually approach this as follows:

    1. Use Lockoutstatus.exe to determine which DC's are getting hit with bad
    passwords.

    2. Enable auditing on these DC's and review the event logs to see which
    clients the bad attempts are coming from. If the bad attempts are very
    frequent (many in the same second) then it's probably process driven.

    3. If it looks process driven, use alockout.dll on those clients to
    determine the responsible process.

    4. If it's not process driven, have a chat with the users who are typing
    their passwords badly!

    HTH
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email: markreno@online.microsoft.com

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.

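Steps 2 to 4 of the reply above turn on one check: are the bad-password attempts from a client arriving faster than a person can type? The following sketch applies that check to exported audit records. It is an added example, not part of the original thread; the `timestamp,account,client` export layout, the sample names and the threshold of 3 per second are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: failed-logon audit records exported from a DC's
# Security log as "timestamp,account,client". Layout and names are assumptions.
SAMPLE_EXPORT = """\
2004-12-05 09:14:02,jsmith,WKS-ACCT-07
2004-12-05 09:14:02,jsmith,WKS-ACCT-07
2004-12-05 09:14:02,jsmith,WKS-ACCT-07
2004-12-05 09:14:02,jsmith,WKS-ACCT-07
2004-12-05 09:14:03,jsmith,WKS-ACCT-07
2004-12-05 09:20:11,mbrown,WKS-HR-02
2004-12-05 09:20:39,mbrown,WKS-HR-02
2004-12-05 09:21:15,mbrown,WKS-HR-02
"""

BURST_THRESHOLD = 3  # assumed cut-off for "many in the same second"


def classify_sources(export_text, threshold=BURST_THRESHOLD):
    """Return {(account, client): summary} for every failing source."""
    per_second = defaultdict(Counter)
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        stamp, account, client = (field.strip() for field in row)
        second = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        per_second[(account.lower(), client.upper())][second] += 1

    result = {}
    for source, buckets in per_second.items():
        peak = max(buckets.values())
        result[source] = {
            "failures": sum(buckets.values()),
            "peak_per_second": peak,
            # Bursts inside one second are faster than a person can type.
            "kind": "process" if peak >= threshold else "interactive",
        }
    return result


if __name__ == "__main__":
    for (account, client), info in sorted(classify_sources(SAMPLE_EXPORT).items()):
        print(f"{account:8} {client:12} {info}")
```

Clients labelled `process` are the ones to examine with alockout.dll; those labelled `interactive` point to a user mistyping a password.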
  3. Archived from groups: microsoft.public.win2000.active_directory

    "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
    news:uwvZCPx2EHA.1144@TK2MSFTNGP09.phx.gbl...
    > Hi
    >
    > Have a look at the following:
    >
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
    >
    > It makes some recommendations about settings and also discusses
    > troubleshooting issues like this. I usually approach this as follows:

    That is a much better answer than my response. Those tools
    (Lockoutstatus.exe and alockout.dll) are cool. THANKS.

    LockoutStatus.exe is included with the ALTools.exe package that
    is available at "Account Lockout and Management Tools" on the
    Microsoft Web site:

    http://go.microsoft.com/fwlink/?linkid=16174 or
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en>

    Do you know of any tool -- or reasonable method to match
    up -- to figure out the source IP address when an event log
    entry records a Failed Logon Attempt on a Web server?

    In theory, we could match up the IIS log, or perhaps a
    Snort (or other IDS) log, with the Event log using some
    tool.

    The problem of course is that no IP address is given in
    the Event Log for the failure (due to historical reasons
    probably.)

    --
    Herb Martin


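The match-up raised in the last post, pairing a failed-logon event with the IIS log to recover a source address, comes down to a timestamp join. The sketch below is an added example, not part of the original thread. It assumes the IIS log is in W3C Extended format (which records UTC), that the event times are local, and that the server runs at UTC-5; all log lines, accounts and addresses are constructed.

```python
from datetime import datetime, timedelta

# Constructed IIS log in W3C Extended format (timestamps are UTC).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-12-05 14:14:01 192.0.2.10 GET /default.htm 200
2004-12-05 14:14:02 198.51.100.23 GET /secure/report.asp 401
2004-12-05 14:14:03 198.51.100.23 GET /secure/report.asp 401
2004-12-05 14:20:40 203.0.113.5 GET /secure/report.asp 401
"""

# Constructed failed-logon events from the web server's Security log,
# as (local time, account) pairs; the server is assumed to run at UTC-5.
FAILED_LOGONS = [("2004-12-05 09:14:02", "jsmith"),
                 ("2004-12-05 09:30:00", "mbrown")]
FMT = "%Y-%m-%d %H:%M:%S"


def parse_iis_401s(log_text):
    """Yield (utc_time, client_ip, uri) for each 401 response in the log."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if row.get("sc-status") == "401":
                when = datetime.strptime(row["date"] + " " + row["time"], FMT)
                yield when, row["c-ip"], row["cs-uri-stem"]


def correlate(events, log_text, utc_offset_hours=-5, window_seconds=2):
    """Map each failed logon to the client IPs of 401s close to it in time."""
    hits = list(parse_iis_401s(log_text))
    window = timedelta(seconds=window_seconds)
    matches = {}
    for local_stamp, account in events:
        # Convert event-log local time to UTC before comparing.
        utc = datetime.strptime(local_stamp, FMT) - timedelta(hours=utc_offset_hours)
        ips = sorted({ip for when, ip, _ in hits if abs(when - utc) <= window})
        matches[(local_stamp, account)] = ips  # empty list: no web request nearby
    return matches


if __name__ == "__main__":
    for key, ips in correlate(FAILED_LOGONS, IIS_LOG).items():
        print(key, ips or "no matching 401")
```

A time-window match only yields candidates: on a busy server several clients can receive a 401 within the same window, and an event with no match suggests the failure did not arrive through the web server.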