Windows Account Keeps Locking Out
I have a user account (Windows 2003 native AD) and my account keeps locking out. I have used the Account Lockout and Management Tools to find out that there is a machine which is causing the account to lock (see below).
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 05/06/2011
Time: 10:30:30
User: NT AUTHORITY\SYSTEM
Computer: WIN3KLMDC01
Description:
User Account Locked Out:
Target Account Name: steel
Target Account ID: swnet\steel
Caller Machine Name: 11111111
Caller User Name: WIN3KLMDC01$
Caller Domain: SWNET
Caller Logon ID: (0x0,0x3E7)
In each case the caller machine name is 11111111, which resolves to 0.7.119.58.
11111111 is inaccessible via RDP. When pinged there is no reply, and nobody seems to know what this device is used for. I have run nbtstat -an against 11111111 and got nothing back, so no MAC address to work with. I therefore cannot get onto this server to figure out whether a service / scheduled task / drive mapping on this device has been configured with old password credentials.
Has anyone seen this before? Any suggestions would be appreciated. Thanks.
July 6th, 2011 5:43am
My guess is that it may be caused by expiration. An attempt to RDP would not show a warning that you need to change the password. Disable this user, change the expiration to no limit and enable the user.
Regards
Milos
July 6th, 2011 6:01am
Thanks for the feedback. This account was prompted to have the password reset last week, at which point it was promptly reset. Only after this did the lockouts occur. Our domain security policy will not allow any exceptions on expiration except for service accounts etc.
July 6th, 2011 10:30am
Using numerical digits to create the name of a computer is not a good idea. If you ping such a name, the computer takes it as an IP address. It resolves to nonsense. Pinging and resolving are useless tests.
My suggestion is: change the name of the computer.
OR
give more information on the infrastructure to be able to find where the name has been created.
OTHERWISE
use Network Monitor and follow the packets.
July 6th, 2011 11:49am
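An added example, not from the thread and not the Account Lockout tools' own code, that does in a script what the tools did for the original poster and illustrates the point made above about all-digit computer names: it parses Event ID 644 records in the text format quoted in the question, counts lockouts per target account and caller machine, and for any caller name made only of digits and dots reports the address a resolver following the classic inet_aton rules would ping instead of looking the name up. The log entries, the host WS-FIN07 and the account jdoe are constructed for the demonstration; the exact address a particular stack derives from a numeric name can differ from the one this code produces.

```python
import re
from collections import Counter, defaultdict

# Template in the Windows 2003 Security log text format quoted in the question.
EVENT_TEMPLATE = """\
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: {date}
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: {dc}
Description:
User Account Locked Out:
Target Account Name: {target}
Target Account ID: SWNET\\{target}
Caller Machine Name: {caller}
Caller User Name: {dc}$
Caller Domain: SWNET
Caller Logon ID: (0x0,0x3E7)
"""

# Constructed sample (not real log data): three lockouts of "steel" from the
# numeric-named host in the thread, one from a made-up workstation WS-FIN07,
# and one lockout of a made-up account jdoe.
SAMPLE_EVENTS = "\n".join(EVENT_TEMPLATE.format(**e) for e in [
    dict(date="05/06/2011", time="10:30:30", dc="WIN3KLMDC01", target="steel", caller="11111111"),
    dict(date="05/06/2011", time="10:45:31", dc="WIN3KLMDC01", target="steel", caller="11111111"),
    dict(date="05/06/2011", time="11:00:30", dc="WIN3KLMDC01", target="steel", caller="11111111"),
    dict(date="05/06/2011", time="11:02:12", dc="WIN3KLMDC01", target="steel", caller="WS-FIN07"),
    dict(date="05/06/2011", time="11:10:05", dc="WIN3KLMDC01", target="jdoe", caller="WS-FIN07"),
])

# "Key: value" lines; header lines with no value ("Description:") do not match.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.+)$")


def parse_events(text):
    """Split exported log text into one dict of fields per event."""
    events, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:") and current:  # next record begins
            events.append(current)
            current = {}
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        events.append(current)
    return events


def _c_number(token):
    """One dotted component as inet_aton reads it: 0x.. hex, 0.. octal, else decimal."""
    if token[:2].lower() == "0x":
        return int(token, 16)
    if len(token) > 1 and token[0] == "0":
        return int(token, 8)
    return int(token, 10)


def numeric_name_as_ipv4(name):
    """Return the dotted-quad a resolver would use for an all-numeric 'host name',
    following inet_aton rules (a.b.c.d, a.b.c, a.b or a single 32-bit number),
    or None when the name is not numeric and would be looked up normally."""
    parts = name.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_c_number(p) for p in parts]
    except ValueError:
        return None
    widths = [8] * (len(values) - 1) + [32 - 8 * (len(values) - 1)]  # last part fills the rest
    if any(v < 0 or v >= (1 << w) for v, w in zip(values, widths)):
        return None
    addr = 0
    for v, w in zip(values, widths):
        addr = (addr << w) | v
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


def triage_lockouts(text):
    """Count Event ID 644 records per (target account, caller machine) and flag
    caller names that would be parsed as an address rather than resolved."""
    per_target = defaultdict(Counter)
    for ev in parse_events(text):
        if ev.get("Event ID") == "644":
            per_target[ev["Target Account Name"]][ev["Caller Machine Name"]] += 1
    rows = []
    for target, callers in per_target.items():
        for caller, n in callers.most_common():
            rows.append({"target": target, "caller": caller, "lockouts": n,
                         "parsed_as_ipv4": numeric_name_as_ipv4(caller)})
    return rows


if __name__ == "__main__":
    for r in triage_lockouts(SAMPLE_EVENTS):
        note = (f"  (ping would go to {r['parsed_as_ipv4']}, not to a host named {r['caller']})"
                if r["parsed_as_ipv4"] else "")
        print(f"{r['target']:<8} {r['caller']:<14} {r['lockouts']:>3}{note}")
```

Run as a script it prints one line per target/caller pair. A row whose parsed_as_ipv4 is not None is a caller whose name cannot be meaningfully pinged or resolved, which is why a packet capture on the DC, as the reply above suggests, is the way to get the real source address of the failing logons.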
I don't know your environment, but if you can change the user ID this issue will be finished. But it is better to find the root cause. So try to find this machine, then check the virus guard etc., because the Kido (net worm) virus behaviour is also the same.
http://sbdissanayake.blogspot.com/2011/04/how-to-remove-net-wormwin32kido.html
Microsoft TechNet Forum Bandara
July 6th, 2011 12:14pm
Thanks Milos, but I'd change the machine name if I could connect to it; it's not part of our AD. I haven't heard of it before, especially a computer on such a strange IP address. The problem is that I can't get any more info on this rogue machine and can't connect, so I can't do anything to it yet.
July 6th, 2011 1:08pm
Hi,
According to the following link, this issue can be caused by an attack pattern. You may refer to the link for how to deal with it.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=644&EvtSrc=Security&LCID=1033
Regards,
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 7th, 2011 1:50am
Is WIN3KLMDC01 the targeted domain controller? Do you have a second DC? If you have a second DC, you can connect to the second DC via RDP and change the lockout policy on WIN3KLMDC01 (yes, if you have specified a different port instead of 3389). Or you can block RDP on WIN3KLMDC01 from the second DC, change the FW settings so that the specified IP is allowed to access WIN3KLMDC01 via RDP, and enable RDP. If the rogue computer is on the local network, then you have the MAC addresses of computers, and if you have a list of MAC addresses you can identify the rogue computer. Or you can filter this MAC address on the switch. If the rogue computer is outside the local network, then you should change the settings on the FW (allow RDP for the specified IP address of your computer).
... otherwise you should do the forensics locally.
Regards
Milos
July 7th, 2011 1:12pm
Hi,
I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
Regards,
Arthur Li
Forum Support
July 13th, 2011 10:21pm