All accounts get locked out!

From: Rohan (gt_rohan_at_hotmail.com)
Date: 08/06/03 

Date: Wed, 6 Aug 2003 14:55:56 +0530

Hello,

I have a Windows 2000 network with 3 domain controllers (Advanced Server)
and about 50 Windows 2000 Professional clients.
All the accounts get locked out, strangely, about three times a day. The
frequency of this has increased. The account lockout policies are set to
default only. I have checked the Domain Security Policy as well as the
Default Domain Policy. I don't notice anything out of way.
However, in Event log, I get messages like:
Logon Failure:

Reason: Unknown user name or bad password

User Name: administrador

Domain: BRBROWN

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: BRBROWN

My domain name is GLOBALTECH, and there's no workstation named BRBROWN!!!

I also get some messages like:
Logon Failure:

Reason: Account locked out

User Name: harshal

Domain: ISERVE

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: COMP21

Here, the username is true, even though the domain name and workstation do
not exist!!

The above are Failure Audits.
There are also success audits:
Domain Policy Changed: Password Policy modified

Domain: GLOBALTECH

Domain ID: GLOBALTECH\

Caller User Name: NETFIN$

Caller Domain: GLOBALTECH

Caller Logon ID: (0x0,0x3E7)

Privileges: -

and
Kerberos Policy Changed:

Changed By:

User Name: NETFIN$

Domain Name: GLOBALTECH

Logon ID: (0x0,0x3E7)

Changes made:

('--' means no changes, otherwise each change is shown as:

<ParameterName>: <new value> (<old value>)) 

--
NETFIN is my main domain controller.
I have Microsoft ISA on a domain controller called SERVER3.
IIS isn't running anywhere on a live IP.
Am I getting attacked?? Please help!!
--
Thank you,
Rohan

Relevant Pages

  • Re: Stop Certain user accounts logging onto pc??
    ... just put that account into the "Deny Logon ... Locally" list and enable that policy. ...
    (microsoft.public.windowsxp.security_admin)
  • RE: Limit number of Logon attempts
    ... I understand that you want to adjust the logon attempts through Group ... we have an Account Lockout policy ...
    (microsoft.public.windows.server.sbs)
  • Re: you do not have permission to log on locally
    ... I am having the same problem, I can't logon with the local machine account ... I am unable to remove the administrators account from the "deny local log ". ... the efffective policy setting still remains. ... > Use domain policy to override whatever security settings are causing ...
    (microsoft.public.win2000.security)
  • Re: Cant login with new user account
    ... Are you trying to logon to a DC? ... there's a policy there that denies access to logon interactively ... I've created a new account in Active ... > - Group Policy Creator Owners ...
    (microsoft.public.windows.server.active_directory)
  • Re: Protect user accounts
    ... Enable strong passwords in the password policy, ... this helps to protect in that way if some one take over an account the ... users in OU1 to computers in OU2 and the other way around. ... > failed logon attemps. ...
    (microsoft.public.windows.server.active_directory)