Locked out users


  • Locked out users

    Hello everybody.
    I am having a problem with an Active Directory 2008 domain server.
    Every day, different domain users get locked out by themselves; I can't understand why.
    Could it be because of a virus on one of the PCs on the network?

  • #2
    Re: Locked out users

    I would start by looking for Cached passwords
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland



    • #3
      Re: Locked out users

      Hi,

      Refer to the article:

      http://support.microsoft.com/kb/947226

      Here, your event ID is 4740.

      Thank you
      Anil



      • #4
        Re: Locked out users

        Originally posted by Anila
        Hello everybody.
        I am having a problem with an Active Directory 2008 domain server.
        Every day, different domain users get locked out by themselves; I can't understand why.
        Could it be because of a virus on one of the PCs on the network?

        It could be a virus. For instance, the Conficker virus uses the logged-on user's token to copy itself across the network.
        Has your AV reported anything?
        What exactly are the events logged on the DC?
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR



        • #5
          Re: Locked out users

          Originally posted by Anila
          Hello everybody.
          I am having a problem with an Active Directory 2008 domain server.
          Every day, different domain users get locked out by themselves; I can't understand why.
          Could it be because of a virus on one of the PCs on the network?

          Yes, it's possible... and that's the best answer anyone will be able to give you till you give us a little more information.

          Is it only users who log on that are disabled? (Does it affect service accounts?) If so, it could be a virus on a local PC; it could also be a key logger, user error, a brute-force hacking attempt, or a user playing jokes on his colleagues.....

          Does it happen at a set time? Then it could be a set of scripts that are set to run that breaks it.

          Does it happen to set users on a rotation (like every month)? Then it could be the user's smartphone after the user has changed their password (biggest pet hate about smartphones).

          Does it happen to service accounts and admin accounts, and does it happen all the time (i.e., you will see millions of entries per second in your Security logs on your DC)? Then you have been hacked!

          Given the information you have given, all of the above is possible.

          To find the information that we need, look through your Security logs on your domain controller (or the user's local computer) and look for failed logon attempts.
          After that, it really depends on what type of lockout is happening as to where you look next.

          Thanks,
          Wofen
          Good to be back....
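
One way to run the checks suggested in posts #3 and #5, as an added example that is not part of the original thread: a PowerShell script that pulls lockout events (ID 4740) from the Security log on a domain controller and groups them by source machine and by time of day. It assumes an elevated session on the DC; the variable names and the 7-day window are arbitrary choices.

```powershell
# Added example, not from the thread. Assumptions: run elevated on a domain
# controller; $Days is an arbitrary look-back window.
$Days = 7

$filter = @{
    LogName   = 'Security'
    Id        = 4740                       # "A user account was locked out"
    StartTime = (Get-Date).AddDays(-$Days)
}

$lockouts = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named fields from the event XML instead of relying on position.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Hour    = $_.TimeCreated.Hour
            Account = $data['TargetUserName']
            # In event 4740 the TargetDomainName field holds the caller computer name.
            Caller  = $data['TargetDomainName']
        }
    }

if (-not $lockouts) {
    Write-Output "No 4740 events found in the last $Days days."
    return
}

# 1. Which machine is sending the bad passwords? One caller locking many
#    accounts points at that PC; one caller per user points at a stale
#    credential (mapped drive, service, phone) tied to that user.
$lockouts | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group | ForEach-Object { $_.Account } |
                                  Sort-Object -Unique) -join ', ' } }

# 2. Does an account lock out at the same hour repeatedly? That pattern
#    suggests a scheduled task or script using an old password.
$lockouts | Group-Object Account, Hour |
    Where-Object { $_.Count -gt 1 } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Once the caller computer is known, the failed logon attempts in that machine's own Security log show which process or service is presenting the old password.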



          • #6
            Re: Locked out users

            I recommend downloading an account lockout examination tool (Netwrix Account Lockout Examiner or ManageEngine ADSelfService Plus). I had a similar problem and downloaded the free evaluation of Netwrix Account Lockout Examiner—the issue was a mapped network drive. You can just download the trial to get an answer and hopefully you won't need it by the end of the 30-day evaluation.



            • #7
              Re: Locked out users

              I would also put $$$ on the Conficker infection.

              I had my network infected maybe a year ago. I used the free Symantec removal tool (Google for it) to clean up the network; lots of manual labor, unfortunately.
