Re: Finding Account Lockout Source
From: Miha Pihler (miha.pihler_at_Atlantis-N0Spam.si)
Date: 07/30/03
Date: Wed, 30 Jul 2003 22:18:05 +0200
Have you installed ALockout.dll and Appinit.reg files? Have you looked into
this file:
%Systemroot%\Debug\Alockout.txt?
The content of the Alockout.txt file will contain something like this:
Wed Jul 30 13:01:12 2003, PID: 380, Thread: 376, Image C:\WINNT\System32\termsrv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jul 30 13:01:14 2003, PID: 516, Thread: 500, Image C:\WINNT\system32\svchost,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jul 30 13:01:15 2003, PID: 544, Thread: 548, Image C:\WINNT\system32\spoolsv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jul 30 13:02:03 2003, PID: 864, Thread: 860, Image C:\WINNT\system32\Dfssvc.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jul 30 13:02:03 2003, PID: 888, Thread: 884, Image C:\WINNT\System32\svchost.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Details on how to use ALockout.dll tools (and others) are here...
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp
--
Mike
MCSA 2K, MCSE 2K, MCT, ...

"Erik Presnell" <presnell@milltec.com> wrote in message
news:OFemqEtVDHA.1896@TK2MSFTNGP12.phx.gbl...
> I have read several of these similar posts and I'm experiencing the same
> problem. I have been able to use the event viewer tool that is in the
> altools.exe to trace to what servers people are trying to authenticate from,
> but my next question is what to do with that information. I'm the domain admin
> here and on "server 123" in the event viewer it will have something like:
>
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 7/30/2003
> Time: 1:58:34 PM
> User: NT AUTHORITY\SYSTEM
> Computer: "Server 123"
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: "my initials"
> Domain: concord
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: "ABC"
>
> Now this is what I don't understand; my workstation is "XYZ"; so I go to
> "ABC" to see if there was anything going on at 1:58:34. There is nothing
> there, there are also no unusual programs. Please help me, I'm just not
> seeing the next logical step. Thank you for any help.
>
> Erik
>
>
> "Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in message
> news:OaJLc7sVDHA.484@TK2MSFTNGP09.phx.gbl...
> > Hi,
> >
> > You can use these tools:
> >
> > http://microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
> >
> > --
> > Mike
> > MCSA 2K, MCSE 2K, MCT, ...
> >
> > "PattyMac" <pmacarthur@jenner.com> wrote in message
> > news:052901c356cc$14f20bb0$a101280a@phx.gbl...
> > > Recently changed a password on an account. Now that
> > > account keeps locking out every 10 minutes or so. How can
> > > I find out the source of the problem? My guess is there's
> > > a machine or service somewhere using that ID, but I don't
> > > know where. Can I find the IP or Machine name that's
> > > using that ID?
> > >
> > > Thanks for any feedback.
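
One way to work through many Event ID 529 records like the one quoted in this thread, as an added example that is not part of the original posts: it tallies failures for one account by the Workstation Name and Logon Type fields so the most frequent source stands out. It assumes the events have been exported as "Field: value" text in the layout quoted above; the function names, account names and sample records are constructed for illustration.

```python
import re
from collections import Counter

# "Field name: value" lines as they appear in the event text quoted in the thread.
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """Split exported Security-log text into one dict of fields per event."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip().strip('"')
        if key == "Event Type":          # first field of every record
            events.append({})
        if events:
            events[-1][key] = value
    return events

def failure_sources(events, user):
    """Count Event ID 529 failures for one account by (workstation, logon type)."""
    hits = Counter()
    for ev in events:
        if ev.get("Event ID") != "529":
            continue
        if ev.get("User Name", "").lower() != user.lower():
            continue
        hits[(ev.get("Workstation Name", "?"), ev.get("Logon Type", "?"))] += 1
    return hits.most_common()

# Constructed sample (not real log data); the 528 record only exercises the ID filter.
_TEMPLATE = """Event Type: Failure Audit
Event ID: {eid}
Time: {time}
Computer: "SERVER123"
User Name: {user}
Logon Type: 3
Workstation Name: "{ws}"
"""
SAMPLE = "\n".join(_TEMPLATE.format(eid=e, time=t, user=u, ws=w) for e, t, u, w in [
    ("529", "1:58:34 PM", "jdoe", "ABC"),
    ("529", "2:08:41 PM", "JDOE", "ABC"),
    ("529", "2:09:02 PM", "jdoe", "XYZ"),
    ("529", "2:10:15 PM", "asmith", "ABC"),
    ("528", "2:11:00 PM", "jdoe", "ABC"),
])

if __name__ == "__main__":
    for (ws, ltype), n in failure_sources(parse_events(SAMPLE), "jdoe"):
        print(f"{n} failure(s) from workstation {ws}, logon type {ltype}")
```
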