
Accounts locked

Anonymous
December 5, 2004 9:47:08 AM

Archived from groups: microsoft.public.win2000.active_directory

Hi All,

Users' accounts get randomly locked up. No changes have
been made in AD or elsewhere prior to this occurrence.

Any ideas please ?

Thanks


Anonymous
December 5, 2004 12:57:17 PM


<chv@anon.postalias> wrote in message
news:0a9101c4dad9$4b9179c0$a501280a@phx.gbl...
> Hi All,
>
> Users' accounts get randomly locked up. No changes have
> been made in AD or elsewhere prior to this occurrence.
>
> Any ideas please ?

Turn on Account Logon auditing and try to isolate the
source.

Likely it is either some (forgotten) batch job or hard coded
program passwords, or you are actually under attack.


--
Herb Martin


Anonymous
December 6, 2004 11:45:34 AM


Hi

Have a look at the following:

http://www.microsoft.com/technet/prodtechnol/windowsser...

It makes some recommendations about settings and also discusses
troubleshooting issues like this. I usually approach this as follows:

1. Use Lockoutstatus.exe to determine which DCs are getting hit with bad
passwords.

2. Enable auditing on these DCs and review the event logs to see which
clients the bad attempts are coming from. If the bad attempts are very
frequent (many in the same second) then it's probably process driven.

3. If it looks process driven, use alockout.dll on those clients to
determine the responsible process.

4. If it's not process driven, have a chat with the users who are typing
their passwords badly!

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
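
Added example (not part of the original posts): a sketch of the triage in steps 2 to 4 above, run over failed-logon records exported from the DCs. The record layout, the account and client names, and the per-second threshold are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: failed-logon audit records already exported from the
# DCs' Security logs as "timestamp,account,client" (a simplified layout
# assumed for this example, not the native event log format).
SAMPLE = """\
2004-12-06 09:14:02,jsmith,WKSTN-07
2004-12-06 09:14:02,jsmith,WKSTN-07
2004-12-06 09:14:02,jsmith,WKSTN-07
2004-12-06 09:14:02,jsmith,WKSTN-07
2004-12-06 09:14:03,jsmith,WKSTN-07
2004-12-06 09:20:15,mlee,WKSTN-12
2004-12-06 09:20:41,mlee,WKSTN-12
2004-12-06 09:21:30,mlee,WKSTN-12
"""

BURST_PER_SECOND = 3  # assumed threshold for "many in the same second"


def parse(text):
    """Yield (timestamp, account, client) from the exported records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, client = (f.strip() for f in line.split(","))
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account.lower(), client.upper()


def classify(text, burst=BURST_PER_SECOND):
    """Return {(account, client): (total_failures, peak_per_second, verdict)}."""
    per_second = defaultdict(Counter)
    for ts, account, client in parse(text):
        per_second[(account, client)][ts] += 1
    report = {}
    for key, seconds in per_second.items():
        peak = max(seconds.values())
        # Several failures inside one second cannot be a person retyping.
        verdict = "process-driven" if peak >= burst else "interactive"
        report[key] = (sum(seconds.values()), peak, verdict)
    return report


if __name__ == "__main__":
    for (account, client), (total, peak, verdict) in sorted(classify(SAMPLE).items()):
        print(f"{account:10} {client:10} failures={total} peak/s={peak} -> {verdict}")
```

Clients reported as process-driven are the ones to examine with alockout.dll (step 3); the rest fall under step 4.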

Anonymous
December 6, 2004 11:45:35 AM


"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
news:uwvZCPx2EHA.1144@TK2MSFTNGP09.phx.gbl...
> Hi
>
> Have a look at the following:
>
> http://www.microsoft.com/technet/prodtechnol/windowsser...
>
> It makes some recommendations about settings and also discusses
> troubleshooting issues like this. I usually approach this as follows:

That is a much better answer than my response. Those tools
(Lockoutstatus.exe and alockout.dll) are cool. THANKS.

LockoutStatus.exe is included with the ALTools.exe package that
is available at "Account Lockout and Management Tools" on the
Microsoft Web site:

http://go.microsoft.com/fwlink/?linkid=16174 or
<http://www.microsoft.com/downloads/details.aspx?FamilyI...>

Do you know of any tool -- or reasonable method to match
up -- to figure out the source IP address when an event log
entry records a Failed Logon Attempt on a Web server?

In theory, we could match up the IIS log, or perhaps a
Snort (or other IDS) log, with the Event log using some
tool.

The problem of course is that no IP address is given in
the Event Log for the failure (due to historical reasons
probably.)

--
Herb Martin
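
Added example (not part of the original posts): one way to do the matching described above, pairing each failed-logon time from the web server's Security log with the client IPs that received a 401 in the IIS W3C log within a small time window. The log lines, accounts, addresses, UTC offset and tolerance are constructed or assumed for illustration.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C extended log excerpt (W3C logs record times in UTC).
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-12-06 17:45:10 192.0.2.44 GET /default.htm 200
2004-12-06 17:45:31 198.51.100.23 GET /secure/report.asp 401
2004-12-06 17:45:32 198.51.100.23 GET /secure/report.asp 401
2004-12-06 17:52:05 203.0.113.9 GET /secure/report.asp 401
"""

# Constructed failed-logon times read from the web server's Security log,
# in the server's local time (assumed UTC-7 here), with the account named.
FAILURES = [("2004-12-06 10:45:31", "jsmith"), ("2004-12-06 10:52:06", "mlee")]

FMT = "%Y-%m-%d %H:%M:%S"


def parse_iis(text):
    """Yield (utc_time, client_ip, uri) for every 401 response in a W3C log."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            if row.get("sc-status") == "401":
                when = datetime.strptime(row["date"] + " " + row["time"], FMT)
                yield when, row["c-ip"], row["cs-uri-stem"]


def correlate(iis_text, failures, utc_offset_hours, tolerance_s=2):
    """Map each failure to the client IPs with a 401 within the tolerance."""
    denied = list(parse_iis(iis_text))
    window = timedelta(seconds=tolerance_s)
    result = {}
    for stamp, account in failures:
        # Convert the event's local time to UTC before comparing with IIS.
        utc = datetime.strptime(stamp, FMT) - timedelta(hours=utc_offset_hours)
        ips = sorted({ip for when, ip, _ in denied if abs(when - utc) <= window})
        result[(stamp, account)] = ips
    return result


if __name__ == "__main__":
    for (stamp, account), ips in correlate(IIS_LOG, FAILURES, -7).items():
        print(stamp, account, "->", ", ".join(ips) or "no matching 401")
```

With Integrated Windows authentication, 401 responses also occur during normal negotiation, so a match is a candidate source rather than proof, and on a busy server several clients can fall inside the same window.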
