
account lockouts

Status
Not open for further replies.

forumit

MIS
Jul 9, 2009
ZA
I'm experiencing random account lockouts all of a sudden. Users then get errors like - the system detected a possible attempt to compromise security. Scanned computers for viruses and spyware etc. Don't see anything related to this in the event logs. Only one site on the WAN is having this problem.
 
Do you have auditing of objects enabled as part of your security policy? This would start logging events in the security event log.
Never heard of Windows generating this type of message (the system detected a possible attempt to compromise security). Was it a pop-up generated by a particular program?
 
We had an issue like this, looked in Event Viewer, Security, and saw tons of failed logins all coming from one computer. It had some kind of malware that was attempting logins to the domain, and after x number of failed attempts, the respective account gets locked out. We disconnected that PC but haven't investigated it yet. Funny our centralized Trend Micro didn't pick it up.
 
Users get "the system detected a possible attempt to compromise security" while trying to open a mapped network drive. I'm aware of Win32/Conficker but we are running latest MS patches and SEP. Why is only one site having this problem? Using software program ALTools - account lockout status to track these lockouts. It appears that accounts are getting locked out on a different DC not on this site.
 
Does anyone have an idea why user accounts will get locked out? Users are not locking themselves out. Our AD team suggests that it is a local computer problem.
 
Use the lockoutstatus tool to get more info about the locked accounts;


I read an excellent blog article not too long ago as well about troubleshooting account lockouts. I'll see if I can find it again..

Paul
MCTS: Exchange 2007, Configuration
MCSA:2003
MCSE:2003
MCITP:Enterprise Administrator

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

Difficult takes a day, impossible takes a week
 
I'm using the lockoutstatus tool and it shows that the account is locked out on the DCs. According to this utility the lock is coming from the same DC every time someone gets locked out - not the DC at our site. I don't have access to the DC to check event logs etc. Server team suggests that it's a local PC problem. Only users at one site get locked out, which means it's a site-specific DC problem?
 
Without access to that DC's security event log tracking down the problem will be much harder.. Could you ask someone with access to the DC to either check the security log for you or ask them to dump the log out to a file and send it to you?

Paul
MCTS: Exchange 2007, Configuration
MCSA:2003
MCSE:2003
MCITP:Enterprise Administrator

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

Difficult takes a day, impossible takes a week
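
Added example, not part of any post in this thread: once someone with access dumps the DC's security log to a file, a short script can show whether failed logons cluster on one computer, as in the earlier reply about a single infected PC. The CSV column names and the sample rows are assumptions constructed for illustration; the event IDs are the standard failed-logon and lockout IDs for Server 2008+ and Server 2003.

```python
import csv
import io
from collections import Counter, defaultdict

# Failed-logon and lockout event IDs (Server 2008+, then Server 2003).
FAILED = {"4625", "4771", "529", "675"}
LOCKED = {"4740", "644"}

# Constructed sample. The column layout is an assumption about how the
# export was saved, not a fixed Windows format.
SAMPLE = """TimeCreated,EventID,TargetUser,Source
2009-07-09T08:00:01,4771,alice,WS-017
2009-07-09T08:00:02,4771,bob,WS-017
2009-07-09T08:00:03,4771,carol,WS-017
2009-07-09T08:00:04,4771,alice,WS-017
2009-07-09T08:00:05,4740,alice,WS-017
2009-07-09T09:10:00,4625,dave,WS-042
2009-07-09T09:10:30,4625,dave,WS-042
2009-07-09T09:11:00,4625,dave,WS-042
2009-07-09T09:11:30,4625,dave,WS-042
2009-07-09T09:11:31,4740,dave,WS-042
2009-07-09T10:00:00,4625,erin,WS-003
"""

def summarize(csv_text, min_failures=4, min_accounts=3):
    """Return (noisy sources, lockout origin per user) from a log export."""
    failures = Counter()             # source -> failed attempts
    accounts = defaultdict(set)      # source -> distinct accounts tried
    origins = defaultdict(Counter)   # user -> sources named in lockout events
    for row in csv.DictReader(io.StringIO(csv_text)):
        eid = row["EventID"].strip()
        user = row["TargetUser"].strip().lower()
        src = row["Source"].strip().upper()
        if eid in FAILED:
            failures[src] += 1
            accounts[src].add(user)
        elif eid in LOCKED:
            origins[user][src] += 1
    noisy = {}
    for src, count in failures.items():
        if count >= min_failures:
            # Many accounts from one host suggests malware or a scripted
            # guesser; one account suggests a stale saved credential.
            many = len(accounts[src]) >= min_accounts
            noisy[src] = {"failures": count, "accounts": sorted(accounts[src]),
                          "pattern": "many-accounts" if many else "single-account"}
    return noisy, {u: c.most_common(1)[0][0] for u, c in origins.items()}
```

Calling `summarize(SAMPLE)` returns the sources above the failure threshold and, for each locked-out user, the computer named most often in the lockout events.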
 
Got this error from event log on one workstation where user is experiencing account lockouts.

Source:LSASRV
Category: SPNEGO
Event: 40960

The Security System detected an attempted downgrade attack for server cifs/servername.mydomain.local. The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
(0xc0000234)".

Busy investigating this but found nothing so far.
 