Re: Account Lockout Question/Problem

From: "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
Date: Thu, 23 Oct 2008 17:43:49 +0200

google for NETLOGON debugging

that should help in determining where it comes from

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"Tom" <Tom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:C5F02CE9-8E31-4DCA-A62B-1016E1B312C6@xxxxxxxxxxxxxxxx

We have two accounts that randomly get locked out, we have auditing enabled
on our DC so I can see Authentication attempts being made using both
accounts. Our account lockout policy is set to lockout accounts after 7
invalid logon attempts. The problem with diagnosing this is that when I check
the security logs in the DC the “source workstations:” come from various
sources such as \\localhost, \\84.120.100.240 \\FILECAF etc basically it
looks like the logon attempts are spoofing their source address. A couple of
users got spyware two months ago but we removed those systems from the
network. The usual suspects for account lockout problems such as mapped
network drives with invalid passwords and services with incorrect cached
credentials don’t apply here. How can I figure out where exactly these logon
attempts are coming from? Our DS’s are win2003 R2 SP2

References:
- Account Lockout Question/Problem
  - From: Tom

Prev by Date: Re: Are these 529s hacking attempts or some other problem?
Next by Date: RDP & IP security help
Previous by thread: RE: Account Lockout Question/Problem
Next by thread: Where's this logon attempt coming from?
Index(es):
- Date
- Thread

Relevant Pages

Account Lockout Question/Problem
... We have two accounts that randomly get locked out, ... looks like the logon attempts are spoofing their source address. ... The usual suspects for account lockout problems such as mapped ... network drives with invalid passwords and services with incorrect cached ...
(microsoft.public.windows.server.security)
RE: Event ID 537 and Kerberos
... a logon type of 3 translates to Network. ... Click Services tab and select Hide All Microsoft Services and Disable ... Step 4: Configure account lockout policy. ... and then click Account Lockout Policy. ...
(microsoft.public.windows.server.sbs)
Re: Undo Account Lockout Policy GPO
... do the GPUPDATE /FORCE on the DC with the PDC FSMO ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Always test ANY suggestion in a test environment before implementing! ... > Account Lockout threshold - 5 invalid logon attemps ...
(microsoft.public.windows.server.active_directory)
Re: Undo Account Lockout Policy GPO
... objectClass: domainDNS ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Always test ANY suggestion in a test environment before implementing! ... Account Lockout threshold - 5 invalid logon attemps ...
(microsoft.public.windows.server.active_directory)
Re: Last logon time in Active Directory - solution
... Good documentation around this toolkit and account lockout in general is ... > Recently we were trying to find a way to obtain the last logon ... > functionality in the Active Directory Users & Computers MMC to do ...
(microsoft.public.windows.server.active_directory)