Mark Renoden said:Hi Diane
There's some guidance at:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
You can get the tools from:
http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
I'd typically use Lockoutstatus.exe to examine which DC(s) are getting hit
with bad password attempts for the account and then enable auditing and
examine the logs on those DC's. If the bad password attempts are
occurring quite frequently or on a regular interval, you're probably
looking for a process. You can use the audit logs to find which client(s)
the bad attempts are coming from and then implement alockout.dll to find
the offending process.
If the bad password attempts are not extremely frequent or not at a
regular interval, it's probably just a user typing the wrong thing in.
Time to find who that is and talk it over with them
You might want to review your policy also and align it with a
recommendation from the paper above.
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no
rights.
Diane Walker said:
Andrei Ungureanu said:
Mark Renoden said:Hi Diane
There's some guidance at:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
You can get the tools from:
http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
I'd typically use Lockoutstatus.exe to examine which DC(s) are getting hit
with bad password attempts for the account and then enable auditing and
examine the logs on those DC's. If the bad password attempts are
occurring quite frequently or on a regular interval, you're probably
looking for a process. You can use the audit logs to find which client(s)
the bad attempts are coming from and then implement alockout.dll to find
the offending process.
If the bad password attempts are not extremely frequent or not at a
regular interval, it's probably just a user typing the wrong thing in.
Time to find who that is and talk it over with them
You might want to review your policy also and align it with a
recommendation from the paper above.
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no
rights.
Diane Walker said:
Ryan Hanisco said:Diane,
It should also be mentioned that frequent password lockouts can be the
signature of a virus or an intrusion.
These are usually not so careful and can rapidly go through a domain
locking out dozens or hundreds of accounts if you have not sufficiently
locked down your controllers.
I don't want to alarm you, but do be wary of that. Check you Antivirus in
the background while you are looking for a service account with an
unchanged password.
--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
Mark Renoden said:Hi Diane
There's some guidance at:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
You can get the tools from:
http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
I'd typically use Lockoutstatus.exe to examine which DC(s) are getting
hit with bad password attempts for the account and then enable auditing
and examine the logs on those DC's. If the bad password attempts are
occurring quite frequently or on a regular interval, you're probably
looking for a process. You can use the audit logs to find which
client(s) the bad attempts are coming from and then implement
alockout.dll to find the offending process.
If the bad password attempts are not extremely frequent or not at a
regular interval, it's probably just a user typing the wrong thing in.
Time to find who that is and talk it over with them
You might want to review your policy also and align it with a
recommendation from the paper above.
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no
rights.
Diane Walker said: