
Someone is having a go


Gareth1978 (IS-IT--Management), Apr 19, 2002
Someone somewhere on site is trying to guess our administrator account password - is there any way I can find out which machine or even the IP address is doing this? I have a little utility that shows me locked out accounts and the admin account is being locked out about 3 times a day and it's not 'us' (there are only 2 admins on site who know the password and we haven't locked it out). Does NT log it somewhere, or is there something (free would be nice) that I can download to track this?

Thanks all in anticipation.

Gareth
 
Is the security log turned on in the event viewer?
 
The event in the security log will typically give you the name of the host that the connection was made from.

Start Menu -> Administrator Tools -> Event Log -> Security

Filter by failures only.

ShackDaddy
 
Thanks for that, the security logging is turned on and I've filtered by failures but the only events are (bizarrely) either by my user account or by the system, and I can't make much use of what's there!
 
You need to check the event log on your domain controller. Is that the log you were checking?
 
Sorry, I am being thick, well sort of... Yes, I was checking the security event log on the PDC and I thought I had filtered it to failures only but I obviously hadn't. I have now and it is empty! Worth me looking back in there the next time I see that the account is locked out?
 
Yes, and I'd make sure the log settings are set so that you can collect plenty of data. Change the size to 2048 KB or more. If you are running an active domain, that log will fill fast, and if you are allowing events to be 'overwritten as needed' it's easy to have nothing but the last few hours on hand.

Unfortunately you can't search by username without exporting the log to another type of file and then doing search from there.

ShackDaddy
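The export-then-search step ShackDaddy describes, as an added example that is not part of the original thread: a small Python script that reads a security log saved from Event Viewer as a tab-separated text file, keeps only the failed-logon audit events, and groups them by the account under attack and the workstation the attempt came from. The sample export below is constructed; the column order and the wording of the Description field are assumptions made for this example and should be checked against a real export before relying on the field positions. Event IDs 529 (bad password) and 539 (account locked out) are the legacy NT logon-failure IDs.

```python
import csv
import re
from collections import Counter
from io import StringIO

# Constructed sample of a security log exported from Event Viewer as a
# tab-separated text file. Column order and Description wording are
# assumptions for this example (they mimic the NT "Logon Failure" text).
SAMPLE_EXPORT = """\
Date\tTime\tType\tEvent\tUser\tComputer\tDescription
04/19/2002\t08:02:11\tFailure Audit\t529\tN/A\tPDC01\tLogon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: CORP Logon Type: 3 Workstation Name: WS-ACCOUNTS07
04/19/2002\t08:02:14\tFailure Audit\t529\tN/A\tPDC01\tLogon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: CORP Logon Type: 3 Workstation Name: WS-ACCOUNTS07
04/19/2002\t08:02:17\tFailure Audit\t529\tN/A\tPDC01\tLogon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: CORP Logon Type: 3 Workstation Name: WS-ACCOUNTS07
04/19/2002\t08:02:20\tFailure Audit\t539\tN/A\tPDC01\tLogon Failure: Reason: Account locked out User Name: Administrator Domain: CORP Logon Type: 3 Workstation Name: WS-ACCOUNTS07
04/19/2002\t09:15:02\tSuccess Audit\t528\tCORP\\gareth\tPDC01\tSuccessful Logon: User Name: gareth Domain: CORP Logon Type: 2 Workstation Name: PDC01
04/19/2002\t11:40:33\tFailure Audit\t529\tN/A\tPDC01\tLogon Failure: Reason: Unknown user name or bad password User Name: gareth Domain: CORP Logon Type: 2 Workstation Name: PDC01
04/19/2002\t13:05:48\tFailure Audit\t529\tN/A\tPDC01\tLogon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: CORP Logon Type: 3 Workstation Name: WS-SALES02
"""

# Legacy NT logon-failure event IDs we care about.
FAILURE_EVENTS = {529: "bad password", 539: "account locked out"}
USER_RE = re.compile(r"User Name:\s*(\S+)")
WS_RE = re.compile(r"Workstation Name:\s*(\S+)")


def parse_export(text):
    """Return only the failed-logon events, with the target account and
    the source workstation pulled out of the Description field."""
    events = []
    reader = csv.DictReader(StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        try:
            event_id = int(row["Event"])
        except (TypeError, ValueError):
            continue  # skip malformed rows rather than aborting the report
        if row["Type"] != "Failure Audit" or event_id not in FAILURE_EVENTS:
            continue
        user = USER_RE.search(row["Description"])
        ws = WS_RE.search(row["Description"])
        events.append({
            "date": row["Date"],
            "time": row["Time"],
            "event": event_id,
            "reason": FAILURE_EVENTS[event_id],
            "user": user.group(1) if user else "?",
            "workstation": ws.group(1) if ws else "?",
        })
    return events


def failures_by_user(events):
    """How many failed attempts each account attracted."""
    return Counter(e["user"] for e in events)


def sources_for_user(events, user):
    """Which workstations the failed attempts against `user` came from,
    most frequent first (case-insensitive account match)."""
    return Counter(e["workstation"] for e in events if e["user"].lower() == user.lower())


def daily_breakdown(events, user):
    """(date, workstation) -> count, so a machine that fails every day
    (a stale logon or a service with an old password) stands out."""
    return Counter((e["date"], e["workstation"]) for e in events if e["user"].lower() == user.lower())


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    print("failed logons per account:", dict(failures_by_user(evs)))
    for ws, n in sources_for_user(evs, "Administrator").most_common():
        print(f"  Administrator failures from {ws}: {n}")
    for (day, ws), n in sorted(daily_breakdown(evs, "Administrator").items()):
        print(f"  {day} {ws}: {n}")
```

To use it on a real log, replace `SAMPLE_EXPORT` with the contents of the file saved from Event Viewer and adjust the column names if the export layout differs. The per-day breakdown is what answers the "locked out about 3 times a day" question: a single workstation showing up at the same time every day points at a stale logon session or a service still holding an old password, whereas attempts spread across many machines look like guessing.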
 
Thank you ShackDaddy - I will increase the size available for that log and watch carefully... thank you
 
Are you running something as a service under the Administrator's login? If so, have you changed the Administrator's password recently?
 
Excellent response ANormal. A service installed to use the admin account would definitely display these symptoms, especially if it's a seldom used service. Backup Exec was one of those that administrator could be assigned to start. Looks like a failed attempt to run a service would show up in the logs too, though.
 
Or this can occur if you or a colleague logged in to a machine as Administrator and forgot to log out. If the password is changed with Administrator still logged in it will lock the account out every day and drive you mad!!

Are you running the latest Service Pack for NT? Earlier versions did not log bad password attempts to the Domain Controller, just to the offending PC. (See Q182918)
 
We are running Service Pack 6 on NT and haven't changed the password recently. I did think along the lines of a service myself but they all seem OK.
 
Not directly related to the problem, but it's good administrative practice to change the administrator account to nothing more than a guest account and use a previously created account with administrator privileges instead. Usually the first account people try to hack is administrator. If you are really concerned by this problem you could install some 'snooper' program on all the workstations which gives you detailed accounts of exactly what the users and machines did. See for an example. There are other freeware versions too. Another thing to think about is implementing a good password policy. There is lots of information on the net concerning this. It won't help you if at the end of the day you find out it was user joebloggs whose password is joebloggs which he never changed since the beginning.
 
I had a similar problem with my user account. Because I manage four different Domains I didn’t join any of them. I found that my account was being disabled every day … by my laptop. It turns out that it was Norton AntiVirus Live update trying to do its thing.
 