Large amount of Users getting locked out of their accounts

[Guest]

Since this past Monday (8-13-07) A lot of my users were getting locked out
for no reason, multiple times a day. I should say not by their doings. I
don't know if I need to look for a hacker..a script or what ever could cause
this...It lasted for 4 days before it suddenly stopped...But I want to find
the culprit before it starts again.

 

[S. Pidgorny]

Obviously there's a reason and it may as well be a denial of service
atempt or malfunctioning script. Use eventcombmt to search security logs for
event 644 and see if all of those are resulted from activities on the same
client system.

 

[Paul Bergson [MVP-DS]]

Are the accounts logged into more than one machine or is it running a
service on the same machine? A user could have mapped drives to a resource
from one machine, on a different machine he changes his password and then
the first machine attempts to stay mapped to a drive and the password is no
longer correct and eventually locks the user out. Or after a password is
changed a service is running that attempts to authenticate with an old
password.

To help try and track down where the account is getting locked out use
eventcomboMT.exe from the Account Lockout tools found out Microsoft's
website. Use the built in search AccountLockouts and search in the created
text files for the user in question.

http://www.microsoft.com/downloads/...familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e



--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.