Archived from groups: microsoft.public.win2000.active_directory (
More info?)
"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
news:uwvZCPx2EHA.1144@TK2MSFTNGP09.phx.gbl...
> Hi
>
> Have a look at the following:
>
>
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
>
> It makes some recommendations about settings and also discusses
> troubleshooting issues like this. I usually approach this as follows:
That is a much better answer than my response. Those tools
(Lockoutstatus.exe and alockout.dll) are cool. THANKS.
LockoutStatus.exe is included with the ALTools.exe package that
is available at "Account Lockout and Management Tools" on the
Microsoft Web site:
http://go.microsoft.com/fwlink/?linkid=16174 or
<
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en >
Do you know of any tool -- or reasonable method to match
up -- to figure out the source IP address when an event log
entry records a Failed Logon Attempt on a Web server?
In theory, we could match up the IIS log, or perhaps a
Snort (or other IDS) log, with the Event log using some
tool.
The problem of course is that no IP address is given in
the Event Log for the failure (due to historical reasons
probably.)
--
Herb Martin
>
> 1. Use Lockoutstatus.exe to determine which DC's are getting hit with bad
> passwords.
>
> 2. Enable auditing on these DC's and review the event logs to see which
> clients the bad attempts are coming from. If the bad attempts are very
> frequent (many in the same second) then it's probably process driven.
>
> 3. If it looks process driven, use alockout.dll on those clients to
> determine the responsible process.
>
> 4. If it's not process driven, have a chat with the users who are typing
> their passwords badly!
>
> HTH
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:er1a$Ru2EHA.2180@TK2MSFTNGP10.phx.gbl...
> > <chv@anon.postalias> wrote in message
> > news:0a9101c4dad9$4b9179c0$a501280a@phx.gbl...
> >> Hi All,
> >>
> >> Users' accounts get randomly locked up. No changes have
> >> been made in AD or elswhere prior to this occurrence.
> >>
> >> Any ideas please ?
> >
> > Turn on Account Logon auditing and try to isolate the
> > source.
> >
> > Likely it is either some (forgotten) batch job or hard coded
> > program passwords, or you are actually under attack.
> >
> >
> > --
> > Herb Martin
> >
> >
> >>
> >> Thanks
> >>
> >>
> >>
> >>
> >>
> >
> >
>
>
Facebook
Twitter
Instagram