Re: Finding Account Lockout Source
From: Erik Presnell (presnell_at_milltec.com)
Date: 07/30/03
- Next message: Rob Rohrbough: "EFS not secure on LAN"
- Previous message: JasonW: "Re: Security Logs"
- In reply to: Miha Pihler: "Re: Finding Account Lockout Source"
- Next in thread: Miha Pihler: "Re: Finding Account Lockout Source"
- Reply: Miha Pihler: "Re: Finding Account Lockout Source"
Date: Wed, 30 Jul 2003 16:53:40 -0500
Hello Mike,
I was able to get some information from those logs; I just have to interpret
what they are saying. Now my next question/problem is: What happens when
the computer names are not within your domain? Does that mean that someone
is getting through the firewall or could it be a program emulating those
computer names? I called our firewall software provider and they checked
out our settings and said we should be fine....key word being should. Is
there anything I can check for? Thanks again for your help.
"Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in message
news:OgOwzetVDHA.2224@TK2MSFTNGP10.phx.gbl...
> Have you installed ALockout.dll and Appinit.reg files? Have you looked into
> this file:
> %Systemroot%\Debug\Alockout.txt?
>
> The content of Alockout.txt file will contain something like this
> Wed Jul 30 13:01:12 2003, PID: 380, Thread: 376, Image C:\WINNT\System32\termsrv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> Wed Jul 30 13:01:14 2003, PID: 516, Thread: 500, Image C:\WINNT\system32\svchost,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> Wed Jul 30 13:01:15 2003, PID: 544, Thread: 548, Image C:\WINNT\system32\spoolsv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> Wed Jul 30 13:02:03 2003, PID: 864, Thread: 860, Image C:\WINNT\system32\Dfssvc.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> Wed Jul 30 13:02:03 2003, PID: 888, Thread: 884, Image C:\WINNT\System32\svchost.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
>
>
> Details on how to use ALockout.dll tools (and others) are here...
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp
>
> --
> Mike
> MCSA 2K, MCSE 2K, MCT, ...
>
>
> "Erik Presnell" <presnell@milltec.com> wrote in message
> news:OFemqEtVDHA.1896@TK2MSFTNGP12.phx.gbl...
> > I have read several of these similar posts and I'm experiencing the same
> > problem. I have been able to use the event viewer tool that is in the
> > altools.exe to trace to what servers people are trying to authenticate from,
> > but my next question is what to do with that information. I'm the domain admin
> > here and on "server 123" in the event viewer it will have something like:
> >
> >
> > Event Type: Failure Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 529
> > Date: 7/30/2003
> > Time: 1:58:34 PM
> > User: NT AUTHORITY\SYSTEM
> > Computer: "Server 123"
> > Description:
> > Logon Failure:
> > Reason: Unknown user name or bad password
> > User Name: "my initials"
> > Domain: concord
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: "ABC"
> >
> > Now this is what I don't understand; my workstation is "XYZ"; so I go to
> > "ABC" to see if there was anything going on at 1:58:34. There is nothing
> > there, there are also no unusual programs. Please help me, I'm just not
> > seeing the next logical step. Thank you for any help.
> >
> > Erik
> >
> >
> > "Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in message
> > news:OaJLc7sVDHA.484@TK2MSFTNGP09.phx.gbl...
> > > Hi,
> > >
> > > You can use these tools:
> > >
> > > http://microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
> > >
> > > --
> > > Mike
> > > MCSA 2K, MCSE 2K, MCT, ...
> > >
> > > "PattyMac" <pmacarthur@jenner.com> wrote in message
> > > news:052901c356cc$14f20bb0$a101280a@phx.gbl...
> > > > Recently changed a password on an account. Now that
> > > > account keeps locking out every 10 minutes or so. How can
> > > > I find out the source of the problem? My guess is there's
> > > > a machine or service somewhere using that ID, but I don't
> > > > know where. Can I find the IP or Machine name that's
> > > > using that ID?
> > > >
> > > > Thanks for any feedback.
> > >
> > >
> >
> >
>
>
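
Added example (not part of the original thread or of the ALTools package): a Python script that tallies Event ID 529 failures by the Workstation Name field of the record layout quoted above and marks names that are missing from a list of domain computers. The sample records and the DOMAIN_COMPUTERS inventory are constructed for the example; with NTLM the workstation name is reported by the connecting client, so an unfamiliar name is a lead to trace, not a verified host.

```python
import re
from collections import Counter

# Constructed sample data: the layout follows the Event ID 529 record quoted in
# the thread; the user, server and workstation names are made up.
RECORD = """Event Type: Failure Audit
Event ID: {eid}
Time: {time}
Computer: SERVER123
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain: concord
Logon Type: 3
Workstation Name: {ws}
"""
SAMPLE = "\n".join(RECORD.format(eid=e, time=t, user=u, ws=w) for e, t, u, w in [
    (529, "1:58:34 PM", "ejp", '"ABC"'),
    (529, "1:58:40 PM", "ejp", "abc"),      # same host, different case
    (529, "2:01:02 PM", "ejp", "HOME-PC"),  # name not in the inventory
    (528, "2:03:00 PM", "ejp", "XYZ"),      # successful logon, must be ignored
])
DOMAIN_COMPUTERS = {"ABC", "XYZ", "SERVER123"}  # assumed list of domain members

FIELD = re.compile(r"^[ \t]*([A-Za-z /]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_records(text):
    """Split an export at each 'Event Type:' line; return one field dict per record."""
    chunks = re.split(r"(?m)^(?=Event Type:)", text)
    return [dict(FIELD.findall(c)) for c in chunks if c.strip()]

def failed_logon_sources(text, inventory):
    """Count 529 failures per (user, workstation) and flag names not in inventory."""
    known = {name.upper() for name in inventory}
    counts = Counter()
    for rec in parse_records(text):
        if rec.get("Event ID") != "529":
            continue
        ws = rec.get("Workstation Name", "").strip('"').upper() or "(blank)"
        user = rec.get("User Name", "").strip('"').lower()
        counts[(user, ws)] += 1
    return [(user, ws, n, ws in known) for (user, ws), n in counts.most_common()]

if __name__ == "__main__":
    for user, ws, n, in_domain in failed_logon_sources(SAMPLE, DOMAIN_COMPUTERS):
        note = "domain member" if in_domain else "NOT in inventory (client-reported name)"
        print(f"{user:8} {ws:12} {n:3}  {note}")
```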