Mysterious Random Account Lockouts


Roy M

We are a Windows 2000 AD shop with about 1500 users. Back
in July we started experiencing random account lockouts
even on the custom Admin account that I use. It started
with all 1500+ of my users getting locked out, then it
was just about 30-40 per night. After examining our
firewall and closing some unnecessary ports, the
problems stopped. Scanned for viruses, none found.

Well last night (Sept 17) it started up again with a
handful of users. And has happened once so far
throughout the course of the day.

The netlogon.log files show logon attempts coming from
computers with weird computer names that I know aren't on
my network like \\TRAVELMATE and \\STACY7


I've got SP4 and all other latest fixes installed. Had
SP3 back in July.

Has anybody had this problem?? HELP!!!!!
 
Hi Roy. I would double check that no one has changed any configuration of your
firewall or somehow bypassed it. If possible, scan it yourself from the outside.
Foundstone has a new edition of Superscan that is pretty good. For a real basic
check go to http://scan.sygatetech.com/ . There is always the possibility that
someone has hooked up an unauthorized computer on your network, possibly
infected - especially with a name like "travelmate" and do you have any
employees named Stacy? Look in your WINS, DNS, DHCP leases to see if any of
those names show up which would definitely indicate an unauthorized computer.
Check your firewall logs to see if anything useful shows up there. --- Steve
 
You may have users tapping into your network with their personal laptops and
possibly hacking your firewall to allow them access out of the network or
possibly into the network itself.

Suspect a new employee who started about the time the problem occurred or
even a terminated employee.

Make a group-wide announcement: no personal PC network logins allowed, other
than company networked client PCs. If a non-networked PC must access the
network, the client must submit a request for service to MIS and, if approved,
bring the PC to support operations for setup.

Did your logs show an IP of origin from stacy7 and others?
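
The cross-check suggested in the replies above (netlogon.log source names against known machines) can be scripted. This is an added example, not part of the original thread. It assumes the common `SamLogon ... Returns 0x...` line shape, which varies by Windows version; the sample lines, the `CORP` domain, the user names and the `known_hosts` inventory (for instance an export of DHCP/DNS/WINS names) are constructed.

```python
import re
from collections import defaultdict

# Assumed netlogon.log line shape; adjust the pattern to your DC's output.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] SamLogon: .*?logon of "
    r"(?P<domain>[^\\\s]*)\\(?P<user>\S+) from (?:\\\\)?(?P<host>\S+)"
    r"(?: \(via \S+\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)
# NTSTATUS values that matter when chasing lockouts.
FAILURES = {0xC000006A: "wrong password", 0xC0000234: "account locked out",
            0xC0000064: "no such user"}

# Constructed sample input, not taken from the thread.
SAMPLE_LOG = r"""
09/17 02:14:07 [LOGON] SamLogon: Network logon of CORP\jdoe from \\TRAVELMATE Entered
09/17 02:14:07 [LOGON] SamLogon: Network logon of CORP\jdoe from \\TRAVELMATE Returns 0xC000006A
09/17 02:14:09 [LOGON] SamLogon: Network logon of CORP\asmith from \\TRAVELMATE Returns 0xC000006A
09/17 02:14:12 [LOGON] SamLogon: Network logon of CORP\jdoe from \\TRAVELMATE Returns 0xC0000234
09/17 02:15:30 [LOGON] SamLogon: Network logon of CORP\asmith from \\STACY7 Returns 0xC000006A
09/17 08:01:44 [LOGON] SamLogon: Network logon of CORP\bwong from \\WS-0142 Returns 0xC000006A
09/17 08:02:10 [LOGON] SamLogon: Network logon of CORP\bwong from \\WS-0142 Returns 0x0
"""

def failed_logons_by_host(log_text):
    """Map source host -> users targeted and count of failed logon results."""
    hosts = defaultdict(lambda: {"users": set(), "failures": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["status"], 16) not in FAILURES:
            continue  # skip "Entered" lines, successes and unparsed lines
        entry = hosts[m["host"].upper()]
        entry["users"].add(m["user"].lower())
        entry["failures"] += 1
    return hosts

def unknown_sources(log_text, known_hosts):
    """Failed-logon sources whose names are absent from the inventory."""
    known = {h.upper() for h in known_hosts}
    report = [(host, sorted(e["users"]), e["failures"])
              for host, e in failed_logons_by_host(log_text).items()
              if host not in known]
    return sorted(report, key=lambda r: -r[2])  # noisiest source first

if __name__ == "__main__":
    for host, users, count in unknown_sources(SAMPLE_LOG, {"WS-0142"}):
        print(f"{host}: {count} failed logons against {', '.join(users)}")
```

One source name failing against many different accounts points at an unmanaged or infected machine rather than individual users mistyping passwords.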
 