Sign in with
Sign up | Sign in
Your question

Local user accounts constantly locking out - please help!

Last response: in Windows 2000/NT
Share
Anonymous
January 28, 2005 11:07:09 AM

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.general,microsoft.public.win2000.security,microsoft.public.windows.server.general,microsoft.public.windows.server.security (More info?)

Hi All,

Windows 2000 Server SP4. Ran without a glitch for 2 years.
Member server, not a DC. Used primarily as Web and FTP server.
Behind a Firewall.
Since a few days, local user accounts (including IUSR, IWAM, etc.) are
constantly locking out. The won't stay unlocked for more than a few minutes.
No special settings in group policies, all default settings.
Nothing obviously wrong in Logs.

The only anomalies I could spot are:

- that the License Logging Service on the DC refuses to start. Could this be
related?
(I can ping the DC from the Web server).

- the Firewall logs indicate MANY port 138 scans from 2 or 3 machines on our
network - always the same ones. Could this be related?

Any hint would be greatly appreciated!!!


TIA

Paul Dussault, MCP
Anonymous
January 28, 2005 11:23:13 AM

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.general,microsoft.public.win2000.security,microsoft.public.windows.server.general,microsoft.public.windows.server.security (More info?)

"Paul Dussault" <paulduss@hotmail.com> wrote in message
news:uHDUHpTBFHA.3840@tk2msftngp13.phx.gbl...
> Hi All,
>
> Windows 2000 Server SP4. Ran without a glitch for 2 years.
> Member server, not a DC. Used primarily as Web and FTP server.
> Behind a Firewall.
> Since a few days, local user accounts (including IUSR, IWAM, etc.) are
> constantly locking out. The won't stay unlocked for more than a few
minutes.
> No special settings in group policies, all default settings.
> Nothing obviously wrong in Logs.
>
> The only anomalies I could spot are:
>
> - that the License Logging Service on the DC refuses to start. Could this
be
> related?

not likely

> (I can ping the DC from the Web server).
>
> - the Firewall logs indicate MANY port 138 scans from 2 or 3 machines on
our
> network - always the same ones. Could this be related?
>

highly likely
deny these machines all access then have a tech get to then

> Any hint would be greatly appreciated!!!
>
>
> TIA
>
> Paul Dussault, MCP
>

While you may have a malicious user at those machines, it is more
likely that you have some machines that need to be reformatted and
reimages as they have become "infected".

see also:

Account Lockout and Management Tools
http://go.microsoft.com/fwlink/?linkid=16174

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
January 29, 2005 1:45:29 AM

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.general,microsoft.public.win2000.security,microsoft.public.windows.server.general,microsoft.public.windows.server.security (More info?)

Could the pc which scan the server is infected by virus?

rdgs
Frank

"Paul Dussault" <paulduss@hotmail.com> wrote in message
news:uHDUHpTBFHA.3840@tk2msftngp13.phx.gbl...
> Hi All,
>
> Windows 2000 Server SP4. Ran without a glitch for 2 years.
> Member server, not a DC. Used primarily as Web and FTP server.
> Behind a Firewall.
> Since a few days, local user accounts (including IUSR, IWAM, etc.) are
> constantly locking out. The won't stay unlocked for more than a few
minutes.
> No special settings in group policies, all default settings.
> Nothing obviously wrong in Logs.
>
> The only anomalies I could spot are:
>
> - that the License Logging Service on the DC refuses to start. Could this
be
> related?
> (I can ping the DC from the Web server).
>
> - the Firewall logs indicate MANY port 138 scans from 2 or 3 machines on
our
> network - always the same ones. Could this be related?
>
> Any hint would be greatly appreciated!!!
>
>
> TIA
>
> Paul Dussault, MCP
>
>
>
>
>
Related resources
Anonymous
February 3, 2005 2:25:02 AM

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.general,microsoft.public.win2000.security,microsoft.public.windows.server.general (More info?)

It could be that the if you are using a web server related service using this
ID and changed the IUSR password.. everytime the service is restarted it uses
the wrong password..Once it reaches the threshold count..it locks out.. just
a hunch though..

"Frank" wrote:

> Could the pc which scan the server is infected by virus?
>
> rdgs
> Frank
>
> "Paul Dussault" <paulduss@hotmail.com> wrote in message
> news:uHDUHpTBFHA.3840@tk2msftngp13.phx.gbl...
> > Hi All,
> >
> > Windows 2000 Server SP4. Ran without a glitch for 2 years.
> > Member server, not a DC. Used primarily as Web and FTP server.
> > Behind a Firewall.
> > Since a few days, local user accounts (including IUSR, IWAM, etc.) are
> > constantly locking out. The won't stay unlocked for more than a few
> minutes.
> > No special settings in group policies, all default settings.
> > Nothing obviously wrong in Logs.
> >
> > The only anomalies I could spot are:
> >
> > - that the License Logging Service on the DC refuses to start. Could this
> be
> > related?
> > (I can ping the DC from the Web server).
> >
> > - the Firewall logs indicate MANY port 138 scans from 2 or 3 machines on
> our
> > network - always the same ones. Could this be related?
> >
> > Any hint would be greatly appreciated!!!
> >
> >
> > TIA
> >
> > Paul Dussault, MCP
> >
> >
> >
> >
> >
>
>
>
Anonymous
February 18, 2005 3:03:08 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I am experiencing the same issue and as near as we can tell it started
on the 14th of Feb.
Most all member servers and desktop PC's - the local accounts are
locking out. We went through all of the servers last night and unlocked
all accounts but this morning some of the local admin accounts are
locked again.
We have an enterprise anti-virus solution that so far shows nothing,
same with the event logs.
So far the only fallout seems to be just the accounts locking.?

Eddie Barnhart



--
Eddie-Net
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message898276.html
!