User accounts get locked out
Since changing passwords for the client users, I have noticed that some of my users get locked out. I unlock them on the server (Windows Server 2003): I untick the place written "account is locked out", but after some time it ticks itself again. I checked, and all policies are fine, but I still get this problem of "account is locked out" ticking itself.
I need assistance on this, so guys please help.
July 26th, 2011 9:23am
This might be due to conficker virus on the network
http://support.microsoft.com/kb/962007
http://blogs.technet.com/b/rhalbheer/archive/2009/01/13/additional-information-on-conficker-msrt-removing-conficker.aspx
In addition to it, you may also use the account lockout tools to find out the exact reason:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
http://www.virmansec.com/blogs/skhairuddin
July 26th, 2011 9:44am
Since changing passwords for the client users, I have noticed that some of my users get locked out. I unlock them on the server (Windows Server 2003): I untick the place written "account is locked out", but after some time it ticks itself again. I checked, and all policies are fine, but I still get this problem of "account is locked out" ticking itself.
I need assistance on this, so guys please help.
The issue is most possibly caused by either a worm (see the other message from Rameez) or by someone/something (e.g. a "bot" or "worm") trying to "bruteforce" such accounts.
To solve the issue you'll need to ensure that your network isn't exposing "unneeded" ports to the internet (for example the RDP port or the FTP one), to check your event log and track "logon failed" events to see where they are coming from, and also to ensure you're using a good password policy so that it will still be difficult for an attacker to "guess" one of your accounts' passwords.
Notice that, in case the "bruteforce" comes from RDP connection attempts, a quick and easy way to avoid such automated attacks is to change the RDP port from 3389 to a different one, as described in the articles you'll find below. Such a thing will NOT add security, but will at least help you avoid automated attacks coming from bots/worms and targeting the standard RDP port (3389/tcp). The idea is the following: add the new listening port (e.g. 18951), check that it works by opening up the firewall for that port (and creating a forwarding rule if needed) and trying to connect to the port using the regular RDP client. Once you know it works, just disable the standard rule related to port 3389 and leave the alternate-port rule in place. From that moment on, to connect to your box using RDP you'll just need to use the alternate port you defined.
How to change/add an RDP port
http://support.microsoft.com/kb/306759
http://support.microsoft.com/kb/187623
http://www.petri.co.il/add_a_new_rdp_listening_port_to_terminal_server.htm
As for the presence of worms/bots/malware on your own network, I think you should ensure that all your systems are up to date with the latest Microsoft updates/service packs/hotfixes. Also ensure you run the Microsoft Malware Removal tool and check that all your systems are running an antivirus and that it's updated. In a desperate case, you may want to pick this tool, install it on a system which you'll connect to a "monitor port" (so that it will be able to see all the traffic) and then check the logs/alerts to see if there's any kind of bot/malware running on your network, and possibly identify the hosts and clean them up. For such a task, you may use this cleanup tool from Microsoft, which will allow you to boot the system from a boot CD and perform a full scan/clean.
Notice that having malware running on your network will not only cause YOU issues, but will also cause issues to other people, so, to protect yourself and the others, ensure you keep your network (and hosts) clean and constantly monitor its health status.
Forgot (sorry): if you don't have a "grip" on the network you are administering, I suggest you spend some time gathering as much information as possible and trying to "map" it to understand exactly "how it is connected" and to "who". A simple tool which may help you in such a task is this one; just run it from whatever box (as long as the box you pick is able to "see" the whole network) and you'll then be able to quickly gather some info on your network topology, info which may then allow you to investigate further.
July 26th, 2011 10:08am
Hi,
Please check whether there is a persistent network connection with an invalid password, or whether there is a service using a user account with an invalid password. To effectively troubleshoot the account lockout issue, please refer to the following support article:
Maintaining and Monitoring Account Lockout
http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx
For your information, after you set the auditing and logging, wait until account lockouts occur. When the account lockout occurs, retrieve both the Security event
log and the System event log, as well as the Netlogon logs for all of the computers that are involved with the client's lockout. This includes the PDC emulator operations master, the authenticating domain controller, and the client computers that have user
sessions for the locked-out user.
If any trouble is encountered, please let us know. If any error is shown, you can paste the log here for research.
Thanks.
Nina
July 29th, 2011 4:35am
Hi,
In addition, this can be due to a network drive trying to map with bad credentials.
Cheers,
http://blog.simaju.fr - Knowledge sharing and lessons learned from experience.
July 29th, 2011 4:43am
Check the logs in Event Viewer on your DCs. You will get the source computer. Once identified, go to the computer and check if there are applications / services running using these accounts with wrong passwords.
Also, have a look at Paul's article: http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html
July 29th, 2011 7:14am
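The replies above about collecting the Netlogon logs and finding the source computer on the DCs can be sketched as follows. This is an added example, not code from any poster in the thread or from Microsoft's lockout tools. It tallies logon attempts that returned 0xC000006A (wrong password) or 0xC0000234 (account locked out) per user and source machine. The line layout in the regular expression is an assumption modelled on netlogon.log with debug logging enabled, and the sample lines, host names and user names are constructed.

```python
import re
from collections import Counter

# NTSTATUS values that matter for lockout triage.
WRONG_PASSWORD = "0xC000006A"
LOCKED_OUT = "0xC0000234"

# Assumed shape of a completed-logon line in netlogon.log (debug logging on).
LINE_RE = re.compile(
    r"^\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[LOGON\] .*?logon of "
    r"[^\\\s]+\\(?P<user>\S+) from (?P<src>\S+)"
    r"(?: \(via \S+\))? Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# Constructed sample lines; domain, host and user names are made up.
SAMPLE_LOG = r"""
07/26 09:01:12 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS-014 Entered
07/26 09:01:12 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS-014 Returns 0xC000006A
07/26 09:01:40 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\jsmith from WKS-014 (via DC02) Returns 0xC000006A
07/26 09:02:05 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS-020 Returns 0xC000006A
07/26 09:02:31 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS-014 Returns 0xC000006A
07/26 09:02:58 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS-014 Returns 0xC0000234
07/26 09:03:10 [LOGON] SamLogon: Network logon of EXAMPLE\adoe from WKS-007 Returns 0x0
"""

def lockout_sources(text):
    """Return (bad-password counts per (user, source), set of locked-out users)."""
    bad, locked = Counter(), set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Entered" lines and other log categories
        user, src = m.group("user").lower(), m.group("src").upper()
        status = "0x" + m.group("status")[2:].upper()
        if status == WRONG_PASSWORD:
            bad[(user, src)] += 1
        elif status == LOCKED_OUT:
            locked.add(user)
    return bad, locked

def top_source(text, user):
    """Machine sending the most bad passwords for `user`, or None."""
    bad, _ = lockout_sources(text)
    per_src = Counter({s: n for (u, s), n in bad.items() if u == user.lower()})
    return per_src.most_common(1)[0] if per_src else None

if __name__ == "__main__":
    bad, locked = lockout_sources(SAMPLE_LOG)
    for user in sorted(locked):
        print(user, "locked out; top source:", top_source(SAMPLE_LOG, user))
```

The machine reported as the top source is the one to inspect for services, mapped drives or saved sessions still using the old password.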