Re: Finding Account Lockout Source

  • Thread starter: Miha Pihler
I have read several of these similar posts and I'm experiencing the same
problem. I have been able to use the event viewer tool that is in the
altools.exe to trace to what servers people are trying to authenticate from,
but my next question is what to do with that information. I'm the domain admin
here and on "server 123" in the event viewer it will have something like:


Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/30/2003
Time: 1:58:34 PM
User: NT AUTHORITY\SYSTEM
Computer: "Server 123"
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: "my initials"
Domain: concord
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: "ABC"

Now this is what I don't understand; my workstation is "XYZ"; so I go to
"ABC" to see if there was anything going on at 1:58:34. There is nothing
there, there are also no unusual programs. Please help me, I'm just not
seeing the next logical step. Thank you for any help.

Erik
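
The grouping step for the Event ID 529 records described in the post above, as an added example that is not part of the original thread: it parses event text in the layout quoted above and counts failures for one account by Workstation Name, Logon Type and Authentication Package. The sample records, the account name jdoe and the function names are constructed for illustration.

```python
import re
from collections import Counter

# "Field name: value" lines as they appear in the event text quoted above.
FIELD = re.compile(r"^\s*([A-Za-z /]+?):\s*(.*)$")

# Constructed sample records (placeholder account and host names).
TEMPLATE = """Event Type: Failure Audit
Event ID: {eid}
Time: {time}
User Name: {user}
Logon Type: {ltype}
Authentication Package: NTLM
Workstation Name: "{ws}"
"""
SAMPLE = "\n".join(TEMPLATE.format(eid=e, time=t, user=u, ltype=l, ws=w) for e, t, u, l, w in [
    ("529", "1:58:34 PM", "jdoe", "3", "ABC"),
    ("529", "1:58:40 PM", "jdoe", "3", "ABC"),
    ("529", "2:03:10 PM", "JDOE", "2", "XYZ"),   # same account, different case
    ("529", "2:04:00 PM", "other", "3", "ABC"),  # different account, skipped
    ("539", "2:05:00 PM", "jdoe", "3", "ABC"),   # other event ID, skipped
])

def parse_events(text):
    """Split an event-log text dump into one dict of fields per record."""
    events, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip().strip('"')
        if key == "Event Type" and current:  # "Event Type" opens a new record
            events.append(current)
            current = {}
        current[key] = value
    if current:
        events.append(current)
    return events

def failed_logon_sources(events, account):
    """Count 529 failures for one account by (workstation, logon type, package)."""
    tally = Counter()
    for ev in events:
        if ev.get("Event ID") == "529" and ev.get("User Name", "").lower() == account.lower():
            tally[(ev.get("Workstation Name", "?"), ev.get("Logon Type", "?"),
                   ev.get("Authentication Package", "?"))] += 1
    return tally.most_common()

if __name__ == "__main__":
    for source, count in failed_logon_sources(parse_events(SAMPLE), "jdoe"):
        print(count, source)
```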
 
Have you installed ALockout.dll and Appinit.reg files? Have you looked into
this file:
%Systemroot%\Debug\Alockout.txt?

The content of Alockout.txt file will contain something like this:
Wed Jul 30 13:01:12 2003, PID: 380, Thread: 376, Image C:\WINNT\System32\termsrv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jul 30 13:01:14 2003, PID: 516, Thread: 500, Image C:\WINNT\system32\svchost,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jul 30 13:01:15 2003, PID: 544, Thread: 548, Image C:\WINNT\system32\spoolsv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jul 30 13:02:03 2003, PID: 864, Thread: 860, Image C:\WINNT\system32\Dfssvc.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jul 30 13:02:03 2003, PID: 888, Thread: 884, Image C:\WINNT\System32\svchost.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH


Details on how to use ALockout.dll tools (and others) are here...
http://www.microsoft.com/technet/tr...ndowsserver2003/maintain/operate/BPACTLCK.asp
 
Hi Erik,

It is hard to tell what and how to look for, especially if you don't know if
your firewall is doing its job.

In this case you could use IDS to see what is going on. Another option is to
run "netstat -an" from the command line and see who has an established connection.
You could also give Network Monitor a try...
 