Local Accounts getting locked out

  • Thread starter Thread starter David H
  • Start date Start date
D

David H

Having a weird issue pop up every now and then. Something
is happening and causing all the local accounts on my
servers to get locked out. All the local accounts on the
box, administator, IUSR_, guest, and any others on the
box.
It seems to happen randomly, I won't see it for a month or
so and then suddenly I will get 3 or 4 servers all locked
out. I have seen it happen on both NT4 and Win2k servers.

Is there some known bug that might cause this? Or is this
the work of a virus? I have tried scans on several
occasions, but never found any, even with the latest virus
defenitions.

Anybody have any ideas?
 
Check that password expiration properties on those accounts since it all seems to
happen at once and at somewhat regular intervals . If no one actually logs onto the
console interactively to see an expiration message and those accounts are being
accessed for legitimate reasons then possibly they are being locked out. I question
though that the guest account is locked out in as are you using it and realize the
security risk of having it enabled? Also "the" administrator account can not be
locked out ever to interactive logon and only to network logon if passprop is enabled
on that computer. A trojan/worm could do something similar but they usually target
the administrator account. Another possibility is scanning the network with software
that will try to detect security weaknesses - either legitimate or not. MBSA for
instance will try to do a quick evaluation on an account's password security using
such things as blank, username, machine name. Of course lack of a properly configured
firewall can explain account lockouts, though I think that would be more of an
ongoing problem - but always worth checking out. Enabling auditing of logon events on
those computers for success and failure, and then reviewing the security log in Event
Viewer would also be very informative telling you when the failed logons occurred and
what machine the logon attempts came from. Be sure to substantailly increase the size
of the security log from default. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;300549
http://support.microsoft.com/default.aspx?scid=KB;en-us;q300958
http://is-it-true.org/nt/atips/atips155.shtml
 
Back
Top