Local user accounts constantly locking out - please help!

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.general,microsoft.public.win2000.security,microsoft.public.windows.server.general,microsoft.public.windows.server.security (More info?)

Hi All,

Windows 2000 Server SP4. Ran without a glitch for 2 years.
Member server, not a DC. Used primarily as Web and FTP server.
Behind a Firewall.
Since a few days, local user accounts (including IUSR, IWAM, etc.) are
constantly locking out. The won't stay unlocked for more than a few minutes.
No special settings in group policies, all default settings.
Nothing obviously wrong in Logs.

The only anomalies I could spot are:

- that the License Logging Service on the DC refuses to start. Could this be
related?
(I can ping the DC from the Web server).

- the Firewall logs indicate MANY port 138 scans from 2 or 3 machines on our
network - always the same ones. Could this be related?

Any hint would be greatly appreciated!!!


TIA

Paul Dussault, MCP
4 answers Last reply
More about local user accounts constantly locking help
  1. Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.general,microsoft.public.win2000.security,microsoft.public.windows.server.general,microsoft.public.windows.server.security (More info?)

    "Paul Dussault" <paulduss@hotmail.com> wrote in message
    news:uHDUHpTBFHA.3840@tk2msftngp13.phx.gbl...
    > Hi All,
    >
    > Windows 2000 Server SP4. Ran without a glitch for 2 years.
    > Member server, not a DC. Used primarily as Web and FTP server.
    > Behind a Firewall.
    > Since a few days, local user accounts (including IUSR, IWAM, etc.) are
    > constantly locking out. The won't stay unlocked for more than a few
    minutes.
    > No special settings in group policies, all default settings.
    > Nothing obviously wrong in Logs.
    >
    > The only anomalies I could spot are:
    >
    > - that the License Logging Service on the DC refuses to start. Could this
    be
    > related?

    not likely

    > (I can ping the DC from the Web server).
    >
    > - the Firewall logs indicate MANY port 138 scans from 2 or 3 machines on
    our
    > network - always the same ones. Could this be related?
    >

    highly likely
    deny these machines all access then have a tech get to then

    > Any hint would be greatly appreciated!!!
    >
    >
    > TIA
    >
    > Paul Dussault, MCP
    >

    While you may have a malicious user at those machines, it is more
    likely that you have some machines that need to be reformatted and
    reimages as they have become "infected".

    see also:

    Account Lockout and Management Tools
    http://go.microsoft.com/fwlink/?linkid=16174

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
  2. Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.general,microsoft.public.win2000.security,microsoft.public.windows.server.general,microsoft.public.windows.server.security (More info?)

    Could the pc which scan the server is infected by virus?

    rdgs
    Frank

    "Paul Dussault" <paulduss@hotmail.com> wrote in message
    news:uHDUHpTBFHA.3840@tk2msftngp13.phx.gbl...
    > Hi All,
    >
    > Windows 2000 Server SP4. Ran without a glitch for 2 years.
    > Member server, not a DC. Used primarily as Web and FTP server.
    > Behind a Firewall.
    > Since a few days, local user accounts (including IUSR, IWAM, etc.) are
    > constantly locking out. The won't stay unlocked for more than a few
    minutes.
    > No special settings in group policies, all default settings.
    > Nothing obviously wrong in Logs.
    >
    > The only anomalies I could spot are:
    >
    > - that the License Logging Service on the DC refuses to start. Could this
    be
    > related?
    > (I can ping the DC from the Web server).
    >
    > - the Firewall logs indicate MANY port 138 scans from 2 or 3 machines on
    our
    > network - always the same ones. Could this be related?
    >
    > Any hint would be greatly appreciated!!!
    >
    >
    > TIA
    >
    > Paul Dussault, MCP
    >
    >
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.general,microsoft.public.win2000.security,microsoft.public.windows.server.general (More info?)

    It could be that the if you are using a web server related service using this
    ID and changed the IUSR password.. everytime the service is restarted it uses
    the wrong password..Once it reaches the threshold count..it locks out.. just
    a hunch though..

    "Frank" wrote:

    > Could the pc which scan the server is infected by virus?
    >
    > rdgs
    > Frank
    >
    > "Paul Dussault" <paulduss@hotmail.com> wrote in message
    > news:uHDUHpTBFHA.3840@tk2msftngp13.phx.gbl...
    > > Hi All,
    > >
    > > Windows 2000 Server SP4. Ran without a glitch for 2 years.
    > > Member server, not a DC. Used primarily as Web and FTP server.
    > > Behind a Firewall.
    > > Since a few days, local user accounts (including IUSR, IWAM, etc.) are
    > > constantly locking out. The won't stay unlocked for more than a few
    > minutes.
    > > No special settings in group policies, all default settings.
    > > Nothing obviously wrong in Logs.
    > >
    > > The only anomalies I could spot are:
    > >
    > > - that the License Logging Service on the DC refuses to start. Could this
    > be
    > > related?
    > > (I can ping the DC from the Web server).
    > >
    > > - the Firewall logs indicate MANY port 138 scans from 2 or 3 machines on
    > our
    > > network - always the same ones. Could this be related?
    > >
    > > Any hint would be greatly appreciated!!!
    > >
    > >
    > > TIA
    > >
    > > Paul Dussault, MCP
    > >
    > >
    > >
    > >
    > >
    >
    >
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    I am experiencing the same issue and as near as we can tell it started
    on the 14th of Feb.
    Most all member servers and desktop PC's - the local accounts are
    locking out. We went through all of the servers last night and unlocked
    all accounts but this morning some of the local admin accounts are
    locked again.
    We have an enterprise anti-virus solution that so far shows nothing,
    same with the event logs.
    So far the only fallout seems to be just the accounts locking.?

    Eddie Barnhart


    --
    Eddie-Net
    ------------------------------------------------------------------------
    Posted via http://www.webservertalk.com
    ------------------------------------------------------------------------
    View this thread: http://www.webservertalk.com/message898276.html
Ask a new question

Read More

Windows Server Microsoft User Accounts Servers Windows