repeated mass account lockouts 1


pehi

Technical User
Feb 8, 2002
53
GB
Hi - we have a serious problem in our User domain, recently an increasing number of users are having their accounts locked out, whilst in any state from attempting to log on, to logged on, to not logged on at all.

I've reset all users in the domain multiple times to clear the locked out check box, and it still recurs.

I've also synchronized the entire domain repeatedly.
 
What are the lock-out times on the accounts?
Does it happen to accounts at precisely the same time?
Does your anti-virus software have the latest update?
If not, why not?
Does it happen to the same accounts?
Do these accounts have profiles?
What happens if the profiles are deleted?
What happens if the account is deleted and added again?
Does it happen to all members of a group?
What happens if the group is deleted and recreated?

I know this is a lot of questions, but hopefully might lead you on to the right trail.


Pete....
 
Hi - lockout times are intermittent, but can recur within 20 minutes
AV software is up to date
Multiple accounts affected intermittently
Not all accounts have profiles
Not occurring by group
 
But do lockouts occur at the same time, to the second?

I ask this because if this occurs, it is more likely to be software related - if not it could be a rogue user! Therefore I'd create a new Admin account and change the password and disable the old one, can't be too careful. Also, being paranoid, I'd revoke all other users' Admin rights. Then at least you know that you can trust you! (if you see what I mean)

Does the network have a direct internet connection or is it dial up? If you suspend internet activity for a period of time, does it stop?

Pete...
 
Also, check the event logs on the users' domain controller(s). The security field should have some results in there from failed logon attempts. Give us some examples of those (w/ event IDs).
 
There aren't any excessive login failures (in the logs), other than run-of-the-mill password errors, or normal policy based lockouts:

Logon Failure:
Reason: Account currently disabled
User Name: SMSClient_RQ1
Domain: SPORT
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\BACKUP1

Logon Failure:
Reason: Unknown user name or bad password
User Name: PHILIPHO
Domain:
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\LPC316
 
What anti-virus software do you use ?
What happens if it is suspended on the server ?
Do the lockouts still occur for the suspended period ?

Pete...
 
Hi - we're using Symantec v 7.6, the lockouts occur even when SAV is disabled.
 
Do your users sit at the same PC all day each day, or do they move from PC to PC throughout the day?

Pete...
 
A mixture of both, also this is occurring nationwide, so users in regional sites will be authenticating against BDCs, not just the PDC
 
I too am also experiencing this issue. If you have a premier support contract with Microsoft, then you can request a software download, of a checked build of netlogon.dll, which will give you a comprehensive breakdown of logon information by account name.
The Microsoft Knowledge Base article is 189541.
Have a look and let me know how you get on.
 
Checked netlogon.dll is not of any help with this issue as the users have not attempted to log since last log off.
The account is simply "locked out" next logon attempt.
 
We had to give up in the end - our policy is now set to "do not lock out" and we're just going to have to wait to go native on W2K.
 
We are also having the same problem at my location. Just out of the blue 30-40% of our users are getting locked out for no reason. It has happened twice so far. Once in December 02 again in January 03. Not sure why it's happening.
Http:\\"It's the 21st Century I was promised a flying car! Where is my flying car?"
 
We are having the same problem, although it seems to be tied in with a group. Every user in the group "Domain Admins" is being locked out simultaneously every few weeks. We have to come in and manually uncheck the account locked out box to allow those users to log in. It's always been the "Domain Admin" group and everyone in it locked out. I'm glad to see that I am not the only one out there having this problem as there is no article in Microsoft Knowledgebase concerning this. I sure hope there is someone out there who has had this problem and has found a fix.
 
There seem to be plenty of people out there who have had the same problem, unfortunately unless someone with Platinum support can pose the question to Uncle Bill, I can't spend thousands getting an answer to something that MS will just try to blame on our environment.
 
Hi,

Does anyone have a solution yet?

We have the same problem. From the event viewer, I noticed an attempt to log on as "administrator" on workstation name: CHARLIE, DOMAIN: CHARLIE (This tells us that this may be a script running and passing parameters, because you cannot have computername and domainname the same). After attempting to log on with the "Administrator" account (Event ID 664), the script/process would try to log on by using every account ALPHABETICALLY in EVERY 4 SECONDS until that account gets locked out (Event ID 539) (as indicated on the event viewer). Sorry, I list the time from bottom up.

1/28/03 5:19:07 AM Security Failure Audit Logon/Logoff 539 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Account locked out
User Name: FRANCISC
Domain:
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CLA-00-02
1/27/03 8:37:13 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: barbac
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:32:04 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: aroraj
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:26:28 PM Security Success Audit Object Access 562 NT AUTHORITY\SYSTEM OUR_PDC Handle Closed:
Object Server: Security Account Manager
Handle ID: 1490832
Process ID: 2161952096

1/27/03 8:24:23 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:24:15 PM Security Success Audit Account Management 644 NT AUTHORITY\SYSTEM OUR_PDC User Account Locked Out:
Target Account Name: adameb
Target Account ID: S-1-5-21-1519847356-556367045-681445708-5532
Caller Machine Name: \\CHARLIE
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)

1/27/03 8:24:14 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: adameb
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:24:10 PM Security Failure Audit Logon/Logoff 531 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Account currently disabled
User Name: adameb
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:24:09 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: adameb
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:24:05 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: adameb
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:24:01 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: adameb
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:23:57 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: adameb
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:23:53 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: adameb
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:23:49 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: adameb
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:23:45 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: adameb
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:23:41 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OUR_PDC Logon Failure:
Reason: Unknown user name or bad password
User Name: adameb
Domain: CHARLIE
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\CHARLIE
1/27/03 8:22:56 PM Security Success Audit Account Management 644 NT AUTHORITY\SYSTEM OUR_PDC User Account Locked Out:
Target Account Name: Administrator
Target Account ID: S-1-5-21-1519847356-556367045-681445708-500
Caller Machine Name: \\CHARLIE
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)

=====we got hit from here===
Please note that we don't have any computer or domain name "CHARLIE"

Any suggestion/hint would be appreciated.

Thanks in advance for any help.

K
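
The pattern reported in the post above (one caller machine failing logons against successive accounts at a fixed interval), and the earlier question of whether lockouts coincide to the second, can both be checked mechanically from the Security log export. The following Python sketch is an added example, not part of the original thread: it groups 529 failures and 644 lockouts by source machine and reports the accounts touched, the median gap between failures, and whether the machine is in a host inventory. The sample records, the host names GHOSTPC, LPC001 and PDC1, and the `known_hosts` inventory are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed sample (hypothetical hosts and users), trimmed to the fields used below.
SAMPLE = r"""1/27/03 8:23:41 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM PDC1 Logon Failure:
User Name: alice
Workstation Name: \\GHOSTPC
1/27/03 8:23:42 PM Security Success Audit Account Management 644 NT AUTHORITY\SYSTEM PDC1 User Account Locked Out:
Target Account Name: alice
Caller Machine Name: \\GHOSTPC
1/27/03 8:23:45 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM PDC1 Logon Failure:
User Name: bob
Workstation Name: \\GHOSTPC
1/27/03 8:31:10 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM PDC1 Logon Failure:
User Name: carol
Workstation Name: \\LPC001
"""
HEADER = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) Security .*? (\d{3}) NT AUTHORITY\\SYSTEM")
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
SOURCE_FIELDS = {529: ("Workstation Name", "User Name"),               # failed logon
                 644: ("Caller Machine Name", "Target Account Name")}  # account locked out

def parse_events(text):
    """Turn the text export into dicts (time, id, 'Key: Value' fields), oldest first."""
    events = []
    for line in map(str.strip, text.splitlines()):
        head, field = HEADER.match(line), FIELD.match(line)
        if head:
            ts = datetime.strptime(head.group(1), "%m/%d/%y %I:%M:%S %p")
            events.append({"time": ts, "id": int(head.group(2))})
        elif field and events:
            events[-1][field.group(1)] = field.group(2)
    return sorted(events, key=lambda e: e["time"])

def profile_sources(events, known_hosts):
    """Per source machine: accounts failed, accounts locked, pacing of the failures."""
    src = defaultdict(lambda: {529: [], 644: []})
    for e in (ev for ev in events if ev["id"] in SOURCE_FIELDS):
        host, user = (e.get(k, "") for k in SOURCE_FIELDS[e["id"]])
        src[host.lstrip("\\").upper()][e["id"]].append((e["time"], user.lower()))
    report = {}
    for host, s in src.items():
        times = [t for t, _ in s[529]]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[host] = {"accounts": sorted({u for _, u in s[529]}), "locked": sorted({u for _, u in s[644]}),
                        "median_gap_s": median(gaps) if gaps else None,
                        "unknown_host": host not in known_hosts}
    return report
```

A source that is absent from the inventory, touches several accounts, and shows a small, steady `median_gap_s` matches the automated pattern described in the post; a known workstation with one account and irregular gaps looks like ordinary mistyped passwords.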
 
We have yet to find out what is causing this. Everybody is clueless about it. So far we haven't had it happen in almost 3-4 weeks.
 
Has anyone in here got W2k servers in their environment? We experienced this problem at the same time as installing several W2k servers. Coincidence??
 
We have no Win2000 servers in our environment. Well, I take that back, all of our servers, the PDC, both BDCs and all production servers are Win NT 4.0 SP6a. We have two computers with Windows 2000 Server on them as testing platforms on the network, but they do nothing but sit there.
 