Account Lock Out

Status
Not open for further replies.

skymut

MIS
May 7, 2002
36
Maybe someone else has seen this.

2000/NT mixed domain.

Came in this morning, logged on to our domain, everything running fine. Did have trouble with a DC going out a couple of hours later. Turned out to be a hardware issue, and there are 3 other DCs in the domain; other than some apps not being available, everything went smoothly.

I discovered, after getting the downed server back up, that I couldn't log on, and neither could my work partner. I was able to get to the AD Users and Computers admin tool, and EVERY user account that was a member of the Domain Admins group had been locked out. This obviously had happened between the hours of 7:30 a.m. (when I arrived and logged on to the domain with my laptop) and when I got the sick server back up, ~9:45 a.m.

My first thought is that we were hacked. Anyone else have a theory as to why this would happen?

'If at first you don't succeed, then skydiving isn't for you.'
 
Did the DC that failed happen to be your only GC?
 
GC = Global Catalog, right?
The answer is no, the machine that failed is a DC, but not GC. Actually, the machine that failed is NT.

'If at first you don't succeed, then skydiving isn't for you.'
 
Okay, has anyone run into this?

This is happening again. No problems that I know of, but ALL accounts in one of our two domains are 'locking'. We have over 450 users, and every single one of them is being locked out. After unlocking the account, probably within 15 to 20 minutes, the account is locked again.

It just started this morning at around 10:30 a.m. I have all security patches applied to every DC, the virus definitions are only about 2 weeks old.

Anyone? Anyone? Bueller? Bueller?

'If at first you don't succeed, then skydiving isn't for you.'
 
This started happening to us in early October. I immediately enabled security auditing of failed attempts on all of the servers to try and track down the problem.

Since then, I have observed some strange/foreign workstation names in the Security Log (e.g. DAVID1, PETER-W6IFH9UQK, HCCLB, THOMAS, ... CANALUS, JER, BENJI). Sometimes it's all the accounts. Sometimes it's just a subset of the accounts such as the Administrators.

As a next step, I downloaded the following Account Lockout and Management Tools:

I applied its acctinfo.dll to all of the servers to get "Additional Account Info" to show bad password counts and other information. However, only some of the locked accounts showed non-zero counts.

I've also done Pattern Updates and Virus Sweeps of the network to try and rule out a virus as being the cause, but nothing came up there.

My next step was to get a network analyzer to try and better monitor when any of these strange/foreign machines tried to connect to the network. Then I could try and use the router to obtain their IP information.

Tonight I also plan on rebooting all of the servers, so that these latest Windows security updates can properly take effect.
 
I'm having a similar problem.
But it's only select machines that seem to be locking out their users. It seems to be a morning thing. Most of the PCs are 98.
I've selectively been enabling auditing but haven't found anything useful.
I'm starting to wonder if it might be the cleaners at night, but that wouldn't explain why I get locked out as well when I try to log on to the same machine right after.
 
We did some 'sniffing' and found some strange broadcasts on our network. We tracked them down to some workstations that were broadcasting and found a couple of viruses.

The two we found are located at:


and


We found that when we started eliminating the viruses, we haven't had the problem. Incidentally, our virus definitions were dated 9/20/03 - so they weren't that far out.

'If at first you don't succeed, then skydiving isn't for you.'
 
I've been very diligent in keeping antivirus up to date. And I force a virus scan on all workstations every day. I can't find any viruses. Users are still getting locked out. Even in the middle of the day. It seems to have developed a pattern of only affecting certain people now, but I don't see the link between them.
 
No, skymut, I don't have the answer to the problem, but I'm having the very same issue. In my case it is only happening with one user.
 
This issue is not resolved. The user had another computer that she was logged onto with the old password; as soon as she logged off, it resolved the issue.
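
Added example (not part of the thread and not any poster's code): the replies above describe auditing failed logons, spotting unfamiliar workstation names, and finally tracing one lockout to a second computer still logged on with an old password. This sketch groups failed-logon records by source workstation to separate those cases. It assumes the Security log has been exported to CSV with `time`, `account` and `workstation` columns; the column names, the inventory set and the thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of failed-logon audit records exported to CSV (not real data).
# DAVID1 and THOMAS are workstation names quoted in the thread; everything else
# (accounts, times, ACCT-PC07, HR-PC02) is made up for illustration.
SAMPLE_CSV = """time,account,workstation
2003-10-06T10:31:02,administrator,DAVID1
2003-10-06T10:31:03,jdoe,DAVID1
2003-10-06T10:31:03,asmith,DAVID1
2003-10-06T10:31:04,bjones,DAVID1
2003-10-06T10:40:10,administrator,THOMAS
2003-10-06T10:45:00,mlee,ACCT-PC07
2003-10-06T11:00:00,mlee,ACCT-PC07
2003-10-06T11:15:00,mlee,ACCT-PC07
2003-10-06T11:20:00,asmith,HR-PC02
"""

KNOWN_HOSTS = {"ACCT-PC07", "HR-PC02"}  # hypothetical workstation inventory


def triage(csv_text, known_hosts, many_accounts=3, repeats=3):
    """Group failed logons by source workstation and flag suspicious sources.
    Flags: 'unknown-host'    - name is not in the inventory
           'many-accounts'   - one source failing against several accounts
           'repeat-account'  - same account failing repeatedly from one known
                               host (typical of a session using an old password)
    """
    per_host = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_host[row["workstation"].strip().upper()][row["account"].strip().lower()] += 1

    report = {}
    for host, accounts in per_host.items():
        flags = set()
        if host not in known_hosts:
            flags.add("unknown-host")
        if len(accounts) >= many_accounts:
            flags.add("many-accounts")
        if host in known_hosts and max(accounts.values()) >= repeats:
            flags.add("repeat-account")
        report[host] = {"flags": flags, "accounts": dict(accounts)}
    return report


if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_CSV, KNOWN_HOSTS).items()):
        print(f"{host:12} {sorted(info['flags']) or ['ok']} {info['accounts']}")
```

A known host flagged `repeat-account` is the place to look for a forgotten session, mapped drive or service still using the old password; `unknown-host` entries are the ones to chase on the network.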
 