All accounts get locked out!

From: Brenda (bdonals_at_martorifarms.com)
Date: 08/08/03 

Date: Thu, 7 Aug 2003 16:39:26 -0700

I am having the same problems. I have to unlock all my
users, and am getting the logon failures as well. This
afternoon, I found a computer on our network with an
actual ip address that was not one of our computers.
Interesting, but scary as well. The minute that I
attempted to ping this computer, they logged off and I was
unable to identify him otherthan with an internal network
address. His computer name was different as we have a set
standard here.

Email me at bdonals@martorifarms.com if you want to
discuss this in further.

>-----Original Message-----
>Hello,
>
>I have a Windows 2000 network with 3 domain controllers
(Advanced Server)
>and about 50 Windows 2000 Professional clients.
>All the accounts get locked out, strangely, about three
times a day. The
>frequency of this has increased. The account lockout
policies are set to
>default only. I have checked the Domain Security Policy
as well as the
>Default Domain Policy. I don't notice anything out of way.
>However, in Event log, I get messages like:
>Logon Failure:
>
>Reason: Unknown user name or bad password
>
>User Name: administrador
>
>Domain: BRBROWN
>
>Logon Type: 3
>
>Logon Process: NtLmSsp
>
>Authentication Package: NTLM
>
>Workstation Name: BRBROWN
>
>My domain name is GLOBALTECH, and there's no workstation
named BRBROWN!!!
>
>I also get some messages like:
>Logon Failure:
>
>Reason: Account locked out
>
>User Name: harshal
>
>Domain: ISERVE
>
>Logon Type: 3
>
>Logon Process: NtLmSsp
>
>Authentication Package: NTLM
>
>Workstation Name: COMP21
>
>Here, the username is true, even though the domain name
and workstation do
>not exist!!
>
>The above are Failure Audits.
>There are also success audits:
>Domain Policy Changed: Password Policy modified
>
>Domain: GLOBALTECH
>
>Domain ID: GLOBALTECH\
>
>Caller User Name: NETFIN$
>
>Caller Domain: GLOBALTECH
>
>Caller Logon ID: (0x0,0x3E7)
>
>Privileges: -
>
>and
>Kerberos Policy Changed:
>
>Changed By:
>
>User Name: NETFIN$
>
>Domain Name: GLOBALTECH
>
>Logon ID: (0x0,0x3E7)
>
>Changes made:
>
>('--' means no changes, otherwise each change is shown as:
>
><ParameterName>: <new value> (<old value>))
>
>--
>
>NETFIN is my main domain controller.
>I have Microsoft ISA on a domain controller called
SERVER3.
>IIS isn't running anywhere on a live IP.
>
>Am I getting attacked?? Please help!!
>
>--
>
>Thank you,
>Rohan
>
>
>
>.
>

Relevant Pages

  • All accounts get locked out!
    ... The account lockout policies are set to ... Default Domain Policy. ... Logon Failure: ... My domain name is GLOBALTECH, and there's no workstation named BRBROWN!!! ...
    (microsoft.public.win2000.security)
  • Re: You are not authorized to view this page
    ... AUTHORITY\SYSTEM BAY18 "Logon Failure: ... Logon Process: Kerberos ... Caller User Name: - ...
    (microsoft.public.inetserver.iis.security)
  • Re: MSExchangeSA errors
    ... Well of course there are logon failures on the exchange server, ... > Please check if there are some Logon Failure auditing events in the ... > in the Local Computer Policy or the Default Domain Policy. ...
    (microsoft.public.exchange.admin)
  • Re: MSExchangeSA errors
    ... Well of course there are logon failures on the exchange server, ... Please check if there are some Logon Failure auditing events in the ... The user has not been granted the requested logon type at this ...
    (microsoft.public.exchange.admin)
  • Re: event IDs 681, 529 and error code 3221225572
    ... context of the log) and say "That's a hacker". ... When examining logon failures, go to the workstation that is generating ... > the "Account Logon" ... > I receive dozens logon failure audits per day about logon ...
    (microsoft.public.win2000.security)