Account locking out

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

I'm on a Windows 2000 domain. We're on a single site with 3 DCs, all
configured as GCs. There are approximately 350 users.

We have a service account that's suddenly continually locking itself out. I
understand that someone somewhere has probably configured something to start
using the credentials of this account and probably fat-fingered the password,
but I need to determine this down to a machine if possible. We have about 35
servers and it will be a huge headache to scour every single machine.

The security event log doesn't seem to show me the machine that the lockout
is occurring on. The log is set to have a max size of 100 MB and overwrite
events as needed; I've exported it to prevent anything relevant from being
overwritten. The domain auditing policy is as follows:

Account Logon Events S, F
Account Management S ,F
Directory Service Access S, F
Logon Events S, F
Object Access S, F
Policy Change S, F
System Events F

Any help would be appreciated.

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

I believe if you search the security logs of all the domain controllers for
lockout events ID's that it may show the user account name and computer
name - but not 100 percent sure. Just make sure that you have auditing of
account management enabled in Domain Controller Security Policy also. Event
Comb will be very useful for you in searching the domain controller security
logs for specific event ID's. The other thing you could try is to netlogon
logging on your domain controllers starting with the pdc fsmo. There is a
free tool to parse the netlogon log looking for logon failures. The link
below may help which includes tools to use and a link to a white paper on
account lockouts that also explains netlogon logging. --- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

"Molnir" <Molnir@discussions.microsoft.com> wrote in message
news:4C91D7BA-EF6C-4304-9877-F1810B957758@microsoft.com...
> I'm on a Windows 2000 domain. We're on a single site with 3 DCs, all
> configured as GCs. There are approximately 350 users.
>
> We have a service account that's suddenly continually locking itself out.
> I
> understand that someone somewhere has probably configured something to
> start
> using the credentials of this account and probably fat-fingered the
> password,
> but I need to determine this down to a machine if possible. We have about
> 35
> servers and it will be a huge headache to scour every single machine.
>
> The security event log doesn't seem to show me the machine that the
> lockout
> is occurring on. The log is set to have a max size of 100 MB and overwrite
> events as needed; I've exported it to prevent anything relevant from being
> overwritten. The domain auditing policy is as follows:
>
> Account Logon Events S, F
> Account Management S ,F
> Directory Service Access S, F
> Logon Events S, F
> Object Access S, F
> Policy Change S, F
> System Events F
>
> Any help would be appreciated.
>

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

"Steven L Umbach" wrote:

> I believe if you search the security logs of all the domain controllers for
> lockout events ID's that it may show the user account name and computer
> name - but not 100 percent sure. Just make sure that you have auditing of
> account management enabled in Domain Controller Security Policy also. Event
> Comb will be very useful for you in searching the domain controller security
> logs for specific event ID's. The other thing you could try is to netlogon
> logging on your domain controllers starting with the pdc fsmo. There is a
> free tool to parse the netlogon log looking for logon failures. The link
> below may help which includes tools to use and a link to a white paper on
> account lockouts that also explains netlogon logging. --- Steve
>
> http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


Thanks!

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

"" wrote:
> I believe if you search the security logs of all the domain
> controllers for
> lockout events ID's that it may show the user account name and
> computer
> name - but not 100 percent sure. Just make sure that you have
> auditing of
> account management enabled in Domain Controller Security
> Policy also. Event
> Comb will be very useful for you in searching the domain
> controller security
> logs for specific event ID's. The other thing you could try is
> to netlogon
> logging on your domain controllers starting with the pdc fsmo.
> There is a
> free tool to parse the netlogon log looking for logon
> failures. The link
> below may help which includes tools to use and a link to a
> white paper on
> account lockouts that also explains netlogon logging. ---
> Steve
>
> http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>
> "Molnir" <Molnir@discussions.microsoft.com> wrote in message
> news:4C91D7BA-EF6C-4304-9877-F1810B957758@microsoft.com...
> > I'm on a Windows 2000 domain. We're on a single site with 3
> DCs, all
> > configured as GCs. There are approximately 350 users.
> >
> > We have a service account that's suddenly continually
> locking itself out.
> > I
> > understand that someone somewhere has probably configured
> something to
> > start
> > using the credentials of this account and probably
> fat-fingered the
> > password,
> > but I need to determine this down to a machine if possible.
> We have about
> > 35
> > servers and it will be a huge headache to scour every single
> machine.
> >
> > The security event log doesn't seem to show me the machine
> that the
> > lockout
> > is occurring on. The log is set to have a max size of 100 MB
> and overwrite
> > events as needed; I've exported it to prevent anything
> relevant from being
> > overwritten. The domain auditing policy is as follows:
> >
> > Account Logon Events S, F
> > Account Management S ,F
> > Directory Service Access S, F
> > Logon Events S, F
> > Object Access S, F
> > Policy Change S, F
> > System Events F
> >
> > Any help would be appreciated.
> >

And in addition to what Steven said:

Use the EventCombMT.exe tool, a multithreaded tool, to gather specific
events from event logs from several different computers to one central
location and then search those event logs for specific data of
interest. Some specific search categories are built into the tool,
such as account lockouts, which is already configured to include
events 529, 644, 675, 676, and 681.

Cheers,

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Security-Account-locking-ftopict551015.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1747058