80% of user accounts suddenly locked out


Denny Ko

Hello Gentlemen, has anyone seen this before:

Suddenly, without warning, 80% of my 200+ users
could not access their shares or could not
log in. Closer examination showed that their accounts
were locked out in AD. I had no group policies to lock
out people like this...only something which locks them
out after 5 incorrect password attempts. And by the way,
according to time frame, all this happened within seconds.

Has anyone seen this before? Please help.
 
Hey Denny Ko,

This most often happens because of a bot in your network or spamming of
your accounts from the Internet. To help determine what is happening, you
would want to enable Netlogon logging and perhaps Kerberos logging on your
domain controllers. Each will require a reboot, so I would probably do
both at the same time. After you get the Netlogon.log file, see if you can
open it in Excel and do a Data sort, then look for 0xC....6a and 0xC000234
errors and see the timing. If you are seeing multiple bad password
attempts (0xC...6a) within a second, it is some bot or batch routine trying
something like a dictionary attack, then leading to an account lockout due
to bad password (0xC...234). I would start by looking at the PDC Emulator,
since it is the DC consulted first by other DCs to see if the first DC just
didn't have the updated password. The PDC Emulator will often show
"transitive network logon" which will tell you which DC it got the bad
password from. Then looking at the Netlogon logs from that DC will tell
you what computer on the network or from the Internet it came from.

Then it often becomes about cleaning viruses or limiting ports (if it came
from outside your network). I hope this helps!

Enabling Debug Logging for the Net Logon Service WGID:191
ID: 109626.KB.EN-US

HOW TO: Enable Kerberos Event Logging WGID:325
ID: 262177.KB.EN-US

Jim
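The sort-and-look step Jim describes (find the bad-password results, check whether many arrive within the same second from one place, then note the "via" DC to chase next) can be scripted instead of done in Excel. The following is an added example and not code from the thread: the log lines are constructed to follow the general shape of Netlogon.log "SamLogon ... Returns" entries, so the regular expression may need adjusting for a real DC's output; the status codes are the full NTSTATUS values behind the abbreviated ones above (0xC000006A is STATUS_WRONG_PASSWORD, 0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT), and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Full NTSTATUS values behind the abbreviated codes in the reply above.
STATUS_WRONG_PASSWORD = "0xC000006A"      # bad password
STATUS_ACCOUNT_LOCKED_OUT = "0xC0000234"  # lockout threshold reached

# Constructed sample. The layout follows the general shape of Netlogon.log
# "SamLogon ... Returns <status>" entries; a real DC's spacing may differ.
SAMPLE_LOG = """\
05/12 09:14:02 [LOGON] [2180] CORP: SamLogon: Transitive Network logon of CORP\\alice from WKS-17 (via DC02) Returns 0xC000006A
05/12 09:14:02 [LOGON] [2180] CORP: SamLogon: Transitive Network logon of CORP\\bob from WKS-17 (via DC02) Returns 0xC000006A
05/12 09:14:02 [LOGON] [2180] CORP: SamLogon: Transitive Network logon of CORP\\carol from WKS-17 (via DC02) Returns 0xC000006A
05/12 09:14:02 [LOGON] [2180] CORP: SamLogon: Transitive Network logon of CORP\\dave from WKS-17 (via DC02) Returns 0xC000006A
05/12 09:14:02 [LOGON] [2180] CORP: SamLogon: Transitive Network logon of CORP\\erin from WKS-17 (via DC02) Returns 0xC000006A
05/12 09:14:03 [LOGON] [2180] CORP: SamLogon: Transitive Network logon of CORP\\alice from WKS-17 (via DC02) Returns 0xC0000234
05/12 09:14:03 [LOGON] [2180] CORP: SamLogon: Transitive Network logon of CORP\\bob from WKS-17 (via DC02) Returns 0xC0000234
05/12 09:20:11 [LOGON] [2180] CORP: SamLogon: Network logon of CORP\\gina from WKS-03 Returns 0xC000006A
05/12 09:20:15 [LOGON] [2180] CORP: SamLogon: Network logon of CORP\\gina from WKS-03 Returns 0x0
"""

# One SamLogon result line; "(via DCxx)" is present only on transitive logons.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] (?P<domain>\S+): SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

BASE = datetime(1900, 1, 1)  # Netlogon.log timestamps carry no year


def parse_netlogon(text):
    """Parse SamLogon result lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%m/%d %H:%M:%S")
        ev["status"] = ev["status"].upper()
        events.append(ev)
    return events


def find_bad_password_bursts(events, min_accounts=5, window_seconds=1):
    """Bucket wrong-password results by (time window, source host, via DC) and
    report buckets where at least min_accounts distinct accounts failed.
    Many accounts failing in the same second from one place is the dictionary
    attack pattern the reply describes; 'next_hop' is the log to pull next
    (the via DC for transitive logons, otherwise the source host itself)."""
    buckets = defaultdict(set)
    for ev in events:
        if ev["status"] != STATUS_WRONG_PASSWORD.upper():
            continue
        slot = int((ev["ts"] - BASE).total_seconds()) // window_seconds
        buckets[(slot, ev["source"], ev["via"])].add(ev["account"])
    bursts = []
    for (slot, source, via), accounts in sorted(
        buckets.items(), key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or "")
    ):
        if len(accounts) >= min_accounts:
            at = BASE + timedelta(seconds=slot * window_seconds)
            bursts.append({
                "at": at.strftime("%m/%d %H:%M:%S"),
                "source": source,
                "via": via,
                "accounts": sorted(accounts),
                "next_hop": via or source,
            })
    return bursts


def locked_out_accounts(events):
    """Accounts that returned STATUS_ACCOUNT_LOCKED_OUT, with first time seen."""
    first = {}
    for ev in events:
        if ev["status"] == STATUS_ACCOUNT_LOCKED_OUT.upper() and ev["account"] not in first:
            first[ev["account"]] = ev["ts"].strftime("%m/%d %H:%M:%S")
    return first


if __name__ == "__main__":
    evs = parse_netlogon(SAMPLE_LOG)
    for b in find_bad_password_bursts(evs):
        print(f"{b['at']}: {len(b['accounts'])} bad passwords from {b['source']} "
              f"via {b['via']} -> pull Netlogon.log from {b['next_hop']}")
    for acct, when in locked_out_accounts(evs).items():
        print(f"{when}: {acct} locked out")
```

Run it against the PDC Emulator's Netlogon.log first, as the reply suggests; a burst whose `next_hop` is another DC means that DC's own log holds the originating workstation or Internet address, while a burst with no "via" already names the client. The single failure from WKS-03 followed by a success is the normal typo case and stays below the threshold.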
 