User accounts are being locked out

Discussion in 'Windows Server' started by Ira Schmidt, Oct 22, 2004.

  1. Ira Schmidt (Guest)

    User accounts are being locked out randomly in an NT domain. It appears that
    they are being locked out from computer names that do not exist on the
    domain. The computer name changes randomly and has used names like \\palnet
    or \\acs, and the names change every few days. Is there a way to find out
    where these logon attempts are coming from? I have checked WINS Manager and
    DHCP Manager without finding the computer names. I suspect a trojan is
    installed on one of the computers in the domain. I am migrating users to
    Active Directory and those accounts are not affected.
     
    Ira Schmidt, Oct 22, 2004
    #1

  2. Todd J Heron (Guest)

    The computer name changing randomly looks like it is due to computers
    dropping in and out of the browse list. Could be laptop users. You might
    want to be concerned with who these laptop users are. Travelling sales
    force? Telecommuters? Students? Think about that for a little bit, then
    review my "cookbook" recipe for determining the source of the lockout
    problem on multiple accounts.

    Lockouts are common when there are replication problems between the PDC and
    BDCs. Open Server Manager > highlight the PDC > click on Computer >
    Synchronize the entire domain > check the system log of the Event Viewer on
    all DCs to determine whether synchronization was successful.

    Password Policy and Account Lockout Policy are both domain-wide policies, so
    if only a small number of users are affected, it's unlikely that the policy
    itself is the problem. (For a single-user, continuous lock-out situation, I
    always suggest that they find all workstations they have logged into
    recently and close Outlook, because it caches the password of the logged-in
    account, and if it changes, then the old credentials will be denied and
    cause a domain controller to lock the account out based on bad password
    attempts.) Look for a scheduled task or service running using the old
    password. It's also possible that some application or mapped drive is
    caching the old password. This can especially be a problem if users are
    logged into multiple machines. Here's an example scenario: User1 logs into
    machineA and machineB. User1 changes his password on machineA, but fails to
    log out of machineB. MachineB's antivirus software wakes up and attempts to
    download updated signature files located on a network share. MachineB's
    antivirus process cannot connect to the network share since User1's
    credentials on MachineB are now invalid, but continues to attempt to reach
    the network resource 3 times before giving up, which inadvertently locks out
    User1's account from MachineB. This scenario would be avoided simply by
    logging out of machineB and logging back into machineB once User1 updates
    his password from MachineA. Without knowing what your current policy
    settings are, you may want to consider changing them, at least temporarily
    while troubleshooting. For example, increase the number of bad password
    logon attempts to 10 in 30 minutes, and unlock at 30 minutes. And check all
    event logs on the DCs for any clues, and get the exact error message when
    this happens. If you decide to open an incident for this, this info will
    help the engineer assist you. Also, all Windows 2000 servers and
    workstations should be on Service Pack 3, if not already, because there were
    a number of fixes included in SP3 for lockout issues.

    1) Get all NT 4.0 DCs out of the environment as soon as possible if it is a
    mixed environment.
    2) Make sure all Win2k DCs have the latest service pack (since many account
    lockout issues are resolved in SP2, SP3).
    3) Validate the account lockout policy settings on the Win2k domain.
    4) Is Web Sense installed anywhere on the network? Web Sense sends a logon
    prompt when accessing the web. An option is available to save the password
    for this dialog, and this is known to cause lock-out issues.
    5) See: HOW TO: Prevent Network Share Shortcuts from Being Added to My
    Network Places http://support.microsoft.com/?id=242578
    6) Check for persistent drive mappings using a saved account\password.
    Increased Account Lockout Frequency in Windows 2000 Domain:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;264678
    7) Click here for an Account Lockout Status tool which will show the lockout
    status across a domain for a particular user:

    L:\Utils\acctlockouttool.zip

    Reference:
    Verifying Domain Netlogon Synchronization
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q149664

    Account Lockouts and 5711 Events on the PDC
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q191828

    Using the Checked Netlogon.dll to Track Account Lockouts
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q189541
     
    Todd J Heron, Oct 22, 2004
    #2

  3. Ira Schmidt (Guest)

    The problem has been going on for the last two and a half weeks and has even
    happened in the middle of the night when there is no one on the network.
    There are about 95 PCs in the network and we have physically disconnected all
    network ports that are not in use, and anyone who brings in a laptop has to
    contact the IT dept. to get a live connection. We suspected a couple of
    vendor PCs, but shut those down and the problem still persisted. The lockouts
    will occur randomly for several hours and stop for as much as 36 hours. I am
    suspecting that a PC somewhere has a trojan that is attempting to log on to
    the accounts in order to find a weak password. The lockouts usually occur
    with a group of user accounts that are listed alphabetically in User Manager.
    I have the password policy set to allow seven password attempts before
    locking the account. All of our Win2k servers are at SP4 and the domain
    controllers for the NT domain have security patches that are as recent as
    last week. Some of the accounts that are being locked out are owners of
    mailboxes that are used internally in the company to store email messages
    related to business partners and are never used to actually log on to the
    network.
     
    Ira Schmidt, Oct 22, 2004
    #3
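As an added example (not code from the thread or from Microsoft), the following script parses a Netlogon debug log of the kind that Todd's Q189541 reference (tracking lockouts with Netlogon logging) produces, and turns it into the two things Ira is looking for: which source workstation names are generating the bad-password returns, whether those names exist in the asset inventory, and whether the accounts hit from one source run in alphabetical order, the pattern Ira describes in User Manager. The line layout is an approximation of netlogon.log and is an assumption; the log lines, the domain name `CORP`, the account names and the workstation names are all constructed. The status codes `0xC000006A` (wrong password) and `0xC0000234` (account locked out) are standard NT status values.

```python
"""Summarise bad-password returns in a Netlogon debug log by source workstation.

Added example, not from the thread. The netlogon.log line layout imitated here
is an assumption; every log line below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Only the "Returns <status>" line of each logon carries the outcome; the
# matching "Entered" line is ignored.
LINE_RE = re.compile(
    r"^(\d\d/\d\d) (\d\d:\d\d:\d\d) \[LOGON\] SamLogon: (?:Transitive )?Network logon of "
    r"(\S+) from (\S+) Returns (0x[0-9A-Fa-f]+)"
)
BAD_PASSWORD = "0xC000006A"   # STATUS_WRONG_PASSWORD
LOCKED_OUT = "0xC0000234"     # STATUS_ACCOUNT_LOCKED_OUT


def constructed_log():
    """Constructed sample: three accounts tried in alphabetical order, seven bad
    passwords each, from a name that is not in the inventory (PALNET), plus one
    genuine typo followed by a successful logon from a known workstation."""
    lines = []
    t = datetime(2004, 10, 22, 2, 14, 0)
    for acct in ("aaronb", "abbottj", "acostam"):
        for _ in range(7):
            t += timedelta(seconds=3)
            lines.append(f"{t:%m/%d %H:%M:%S} [LOGON] SamLogon: Network logon of "
                         f"CORP\\{acct} from \\\\PALNET Returns {BAD_PASSWORD}")
    lines.append("10/22 08:02:10 [LOGON] SamLogon: Network logon of CORP\\jsmith "
                 "from \\\\WS-ACCT07 Returns 0xC000006A")
    lines.append("10/22 08:02:25 [LOGON] SamLogon: Network logon of CORP\\jsmith "
                 "from \\\\WS-ACCT07 Returns 0x0")
    return "\n".join(lines)


def parse_netlogon(text, year=2004):
    """Return one record per 'Returns' line; netlogon.log has no year, so it is supplied."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        md, hms, account, source, status = m.groups()
        records.append({
            "ts": datetime.strptime(f"{year}/{md} {hms}", "%Y/%m/%d %H:%M:%S"),
            "account": account.upper(),
            "source": source.lstrip("\\").upper(),
            "status": "0x" + status[2:].upper(),
        })
    return records


def attempts_by_source(records):
    """Bad-password count and the set of accounts tried, per source workstation."""
    out = defaultdict(lambda: {"bad_passwords": 0, "accounts": set()})
    for r in records:
        if r["status"] == BAD_PASSWORD:
            out[r["source"]]["bad_passwords"] += 1
            out[r["source"]]["accounts"].add(r["account"])
    return dict(out)


def unknown_sources(records, inventory):
    """Source names that appear in the log but not in the machine inventory."""
    known = {n.upper() for n in inventory}
    return sorted({r["source"] for r in records} - known)


def accounts_at_risk(records, threshold=7, window=timedelta(minutes=30)):
    """Accounts whose bad-password count inside any `window` reaches `threshold`,
    i.e. the condition under which a DC lockout policy fires (Ira's policy is 7)."""
    recent = defaultdict(deque)
    hits = {}
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["status"] != BAD_PASSWORD:
            continue
        q = recent[r["account"]]
        q.append(r)
        while q and r["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold and r["account"] not in hits:
            hits[r["account"]] = {"at": r["ts"], "sources": sorted({x["source"] for x in q})}
    return hits


def alphabetical_sweep(records, source):
    """True when the distinct accounts a source tried appear in alphabetical
    order: the signature of something walking the user list top to bottom."""
    seen = []
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["source"] == source and r["account"] not in seen:
            seen.append(r["account"])
    return len(seen) >= 3 and seen == sorted(seen)


if __name__ == "__main__":
    recs = parse_netlogon(constructed_log())
    for src, info in attempts_by_source(recs).items():
        print(f"{src}: {info['bad_passwords']} bad passwords, "
              f"{len(info['accounts'])} accounts, sweep={alphabetical_sweep(recs, src)}")
    print("not in inventory:", unknown_sources(recs, ["WS-ACCT07", "DC1"]))
    for acct, hit in accounts_at_risk(recs).items():
        print(f"{acct} would lock at {hit['at']} from {hit['sources']}")
```

Run against a real netlogon.log the inventory list would come from Server Manager or WINS, and any source name that the script reports as unknown is the first thing to chase, independent of whether it is a browse-list artefact or a spoofed name.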
  4. Glenn L (Guest)

    This is totally a virus attempting to guess passwords.
    You need to identify these machines and remove them from the network and
    clean them.
    Finding them isn't always easy.
    Some spoof the machine name. Some even spoof the IP address.
    I think your best bet is to get Network Monitor (or your favorite flavor of
    packet capture software) on your domain controllers.
    Set up a rather large buffer (enough for 12 hours) and start capturing
    packets.
    The buffer wraps FIFO, so you should not need to worry about missing the
    event.
    Then when you see a string of events in your event log, you can correlate
    those events in the network trace.
    Now you've got the IP address. If you're lucky the malicious code is not
    clever enough for IP spoofing.
    This is really the only way to find the offender that I know of.
     
    Glenn L, Oct 23, 2004
    #4
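The correlation step Glenn describes, as an added example that is not part of his post: take the failure-audit events from the DC's Security log and a summary of the packet capture running on the same DC, and for each workstation name in the events count which source IP addresses were talking to the DC on the NetBIOS session port within a couple of seconds of each event. The event export, the capture summary, the addresses and the names are constructed; the CSV layouts are an assumption standing in for whatever the capture tool exports. Event IDs 529 (bad user name or password) and 539 (account locked out) are the NT 4.0/2000 Security-log values.

```python
"""Correlate account-lockout events on a DC with a packet-capture summary to
find the IP address behind a workstation name that does not exist in the domain.

Added example, not from the thread. Both inputs are constructed; the CSV
layouts are an assumption.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Security-log export: time, event id, account, workstation named in
# the event. 529 = bad user name or password, 539 = account locked out.
EVENTS_CSV = """\
2004-10-23 03:12:04,529,CORP\\aaronb,PALNET
2004-10-23 03:12:07,529,CORP\\aaronb,PALNET
2004-10-23 03:12:10,539,CORP\\aaronb,PALNET
2004-10-23 03:12:13,529,CORP\\abbottj,PALNET
2004-10-23 08:30:02,529,CORP\\jsmith,WS-ACCT07
"""

# Constructed capture summary from the sniffer on the DC (192.168.1.5): frame
# time, source IP, destination IP, destination port, NetBIOS calling name.
# One unrelated frame from another workstation lands at the same second as a
# PALNET event to show how the ranking copes with coincidences.
CAPTURE_CSV = """\
2004-10-23 03:12:03.6,192.168.1.77,192.168.1.5,139,PALNET
2004-10-23 03:12:06.7,192.168.1.77,192.168.1.5,139,PALNET
2004-10-23 03:12:09.8,192.168.1.77,192.168.1.5,139,PALNET
2004-10-23 03:12:12.9,192.168.1.77,192.168.1.5,139,PALNET
2004-10-23 03:12:12.9,192.168.1.120,192.168.1.5,139,WS-MKTG03
2004-10-23 08:30:01.5,192.168.1.42,192.168.1.5,139,WS-ACCT07
"""

FAILURE_EVENTS = {529, 539}


def parse_events(text):
    """Security-log export rows -> dicts with a datetime timestamp."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, event_id, account, workstation = row
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "event_id": int(event_id), "account": account,
                       "workstation": workstation.upper()})
    return events


def parse_capture(text):
    """Capture summary rows -> dicts; frame times carry fractional seconds."""
    frames = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, src, dst, port, name = row
        frames.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
                       "src_ip": src, "dst_ip": dst, "dst_port": int(port),
                       "calling_name": name.upper()})
    return frames


def correlate(events, frames, tolerance=timedelta(seconds=2)):
    """For each workstation name in the failure events, count the source IPs
    that sent frames to the DC within `tolerance` of each event."""
    per_name = defaultdict(Counter)
    for ev in events:
        if ev["event_id"] not in FAILURE_EVENTS:
            continue
        for fr in frames:
            if abs(fr["ts"] - ev["ts"]) <= tolerance:
                per_name[ev["workstation"]][fr["src_ip"]] += 1
    return {name: dict(counts) for name, counts in per_name.items()}


def suspects(correlation):
    """Rank the addresses per workstation name: the most frequent coincidence is
    the likely sender, the rest are kept because, as Glenn notes, the address
    itself may be spoofed or the name used from more than one place."""
    out = {}
    for name, counts in correlation.items():
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        out[name] = {"likely_ip": ranked[0][0], "candidates": [ip for ip, _ in ranked]}
    return out


if __name__ == "__main__":
    result = suspects(correlate(parse_events(EVENTS_CSV), parse_capture(CAPTURE_CSV)))
    for name, info in result.items():
        print(f"{name}: likely {info['likely_ip']}, all candidates {info['candidates']}")
```

The tolerance window should be a little wider than the clock skew between the DC and the capture host; with the capture running on the DC itself, as Glenn suggests, a second or two is enough, and the ranking absorbs the occasional unrelated frame that shares a timestamp.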