The first thing you need to do is find out if the bad passwords are coming from the user's normal machine or from somewhere else. I posted previously with info on how to do that; here is that post again:
You need to enable:
  Audit Account Logon Events - Failures
  Audit Logon Events - Failures
Then dig through your logs looking for 681, 529, 675.
@echo off
REM Dump the 681/529/675 security events from the last %1 days to a CSV.
REM Usage: <script> <days> [outfile.csv]   (file defaults to <computername>.csv)
echo %computername%
echo.
set file=%computername%.csv
if not %2*==* set file=%2
@echo Writing file - %file%
REM -c = comma separated; -format dtTCIus = date,time,type,category,ID,user,strings
dumpel -l security -m security -e 681 529 675 -d %1 -c -format dtTCIus -f %file%
Now parse through those entries looking for logon failures. You should see some sort of failures; a quick and dirty Perl script I have to tear through them is below. Your mileage may vary, but it has helped us track every lockout down to a machine so far... It does its job, and it is a job we don't have to do very often anymore, so I haven't looked at cleaning up the code or making it nice or tight or anything else.
If you look on the PDC and it points at another DC, that generally means it is a PDC chain, so you need to dump the logs on that DC and scan them as well.
I usually run this script like:
Getinfo domaincontroller.csv | findstr /I "userid"
#!/usr/bin/perl
# Getinfo - read the CSV written by the dumpel command above
# (-c -format dtTCIus) and print one line per logon failure as
#   date;time;eventid;error;domain\user;workstation
# Events handled: 681 (NTLM account logon failure on the DC),
# 529 (logon failure: unknown user name or bad password),
# 675 (Kerberos pre-authentication failed).
use strict;
use warnings;

while (<>) {
    chomp;
    s/\\//g;                 # drop backslashes so DOMAIN\user does not break the patterns
    my @a = split /,/;
    my $date    = $a[0];
    my $time    = $a[1];
    my $code    = $a[4];     # event ID
    my $idfield = $a[7];     # the event's insertion strings
    my ($user, $domain, $workstation, $error) = ("****") x 4;

    if ($code eq '681') {
        # strings: auth package, account, source workstation, error code
        if ($idfield =~ /MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\s+([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+(\d+)/i) {
            $domain      = "local";
            $user        = $1;
            $workstation = $2;
            $error       = $3;
        }
        else {
            print "\aNOMATCH: $_\n";
            next;
        }
    }
    elsif ($code eq '675') {
        # strings: user, ..., krbtgt/REALM, ..., client IP address
        if ($idfield =~ /([`=\$\w\.-]+?)\s+.+?krbtgt\/(\S+).+\s+([0-9.]+)/i) {
            $domain      = $2;
            $user        = $1;
            $workstation = $3;
            $error       = "---";
        }
        else {
            print "**** $idfield\n";
        }
    }
    elsif ($code eq '529') {
        # network (type 3) logon via NtlmSsp or Advapi against a domain account
        if ($idfield =~ /([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+3(NtlmSsp|Advapi)\s+.+\s+([`=\$\w\.-]+)/i) {
            $domain      = $2;
            $user        = $1;
            $workstation = $4;
            $error       = $3;
        }
        # same, against a local account (no domain string)
        elsif ($idfield =~ /([`=\$\w\.-]+?)\s+3(NtlmSsp|Advapi).+\s+([`=\$\w\.-]+)/i) {
            $domain      = "local";
            $user        = $1;
            $workstation = $3;
            $error       = $2;
        }
        # interactive (type 2) logon via User32 (with or without a space before User32)
        elsif ($idfield =~ /([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+2\s*User32.+\s+([`=\$\w\.-]+)/i) {
            $domain      = $2;
            $user        = $1;
            $workstation = $3;
            $error       = "User32";
        }
        else {
            print "\aNOMATCH: $idfield\n";
            # <STDIN>;           # uncomment to pause on every unmatched 529
            next;
        }
    }
    else {
        print "[$_]\n";
    }
    print "$date;$time;$code;$error;$domain\\$user;$workstation\n";
}
If you do this on the PDC, you will
sometimes see other DCs generating the bad password hits, this is usually due to
PDC Chaining requests. When you see that, do the same process on the DC that is
in the list of bad attempts and you *should* get the real machine(s) in the list
then.
If you find multiple machines, that is your issue: go to those machines and log the user off. If you are still getting more hits, find out what machines again. At that point, if you are down to one machine, it is probably one of the following:
1. Service running as the user (use svcutil with the viewx option to quickly view the user contexts running services from the command line)
2. COM objects running as a specific user
3. Network drives
4. PDC syncing software
5. Some other software that doesn't work properly with a local user ID and instead requires itself to cache the user's password.
joe
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
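As an added example (not from joe's post and not a joeware tool), here is a Python script that takes the lines the Getinfo script prints (date;time;eventid;error;domain\user;workstation) and does the correlation step that the post describes doing by eye: it counts failures per source workstation for one account, separates out sources that are themselves domain controllers (the PDC chaining case, where the next step is to dump and scan that DC's own log), and decodes the 681 error codes that dumpel prints in decimal. The sample lines, the account vpuser, the domain CORP, the hosts WKS-VP01/WKS-0042/10.1.2.33 and the DC names DC01/DC02 are all constructed for the example.

```python
"""Correlate Getinfo output to the machine(s) generating the bad passwords.

Input lines have the shape the Perl script prints:
    date;time;eventid;error;domain\\user;workstation
"""
from collections import Counter

# Windows 2000 security event IDs the Getinfo script extracts
EVENT_NAMES = {
    "681": "account logon failure (NTLM, on the DC)",
    "529": "logon failure: unknown user name or bad password",
    "675": "Kerberos pre-authentication failed",
}

# Error codes dumpel shows in decimal for event 681 (NTSTATUS values)
ERROR_681 = {
    "3221225572": "user name does not exist (0xC0000064)",
    "3221225578": "bad password (0xC000006A)",
    "3221226036": "account locked out (0xC0000234)",
}

# Constructed sample of Getinfo output (not real log data); the account,
# domain, workstation and DC names are made up for this example.
SAMPLE = """\
04/02/2004;13:01:10;681;3221225578;local\\vpuser;WKS-VP01
04/02/2004;13:01:12;529;NtlmSsp;CORP\\vpuser;WKS-VP01
04/02/2004;13:02:40;675;---;CORP.LOCAL\\vpuser;10.1.2.33
04/02/2004;13:03:05;681;3221225578;local\\vpuser;DC02
04/02/2004;13:03:06;681;3221226036;local\\vpuser;DC02
NOMATCH: 04/02/2004,13:04:00,Failure Audit,Logon/Logoff,529,...
04/02/2004;13:05:00;529;User32;CORP\\jdoe;WKS-0042
"""


def parse_getinfo(text):
    """Turn Getinfo output into dicts; its NOMATCH/**** diagnostic lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(";") < 5:
            continue
        date, time, code, error, account, workstation = line.split(";", 5)
        domain, _, user = account.partition("\\")
        records.append({
            "date": date, "time": time, "code": code, "error": error,
            "domain": domain, "user": user, "workstation": workstation,
        })
    return records


def sources_for_user(records, user):
    """Count failures per source workstation/IP for one account (case-insensitive)."""
    counts = Counter()
    for r in records:
        if r["user"].lower() == user.lower():
            counts[r["workstation"]] += 1
    return counts


def split_chained(counts, dc_names):
    """Separate real sources from DCs that only relayed the failure (PDC chaining).

    A DC in the source column means the PDC saw the failure second hand; that
    DC's own security log has to be dumped and scanned to find the real machine.
    """
    dcs = {d.lower() for d in dc_names}
    real = {w: n for w, n in counts.items() if w.lower() not in dcs}
    chained = {w: n for w, n in counts.items() if w.lower() in dcs}
    return real, chained


def describe_error(code, error):
    """Human-readable error text for one Getinfo record."""
    if code == "681":
        return ERROR_681.get(error, "status " + error)
    return error


def report(text, user, dc_names):
    """Summarise where an account's failures come from and what to do next."""
    records = parse_getinfo(text)
    real, chained = split_chained(sources_for_user(records, user), dc_names)
    lines = [f"{user}: {sum(real.values()) + sum(chained.values())} failures"]
    for ws, n in sorted(real.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {ws}: {n} - log the user off here, then check services, COM, mapped drives")
    for dc, n in chained.items():
        lines.append(f"  {dc}: {n} relayed via this DC - dump and scan its security log")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE, "vpuser", ["DC01", "DC02"]))
    for r in parse_getinfo(SAMPLE):
        print(r["time"], EVENT_NAMES[r["code"]], describe_error(r["code"], r["error"]))
```

Feed it the CSV-derived output of Getinfo for the DC you dumped; any source it reports as "relayed via this DC" is the DC you dump next, exactly as the post says.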
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Friday, April 02, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Vice pres Account Lockout ?
HELP.....
I'm having a serious Account lockout problem!!
The VP of my company's account gets locked out every time he changes his password.
This time I had him log off all Terminal Server sessions, he rebooted his system, and still his account gets locked out. Also (the kicker) his account has "password never expires" set.
I've used the account lockout tool, and also ran a search on LDAP to look for multiple entries for his account, still no clues...
Could it be a policy running somewhere that I'm missing?
I've also set the account lockout policy settings to 50 invalid login attempts, and I've disabled this policy before; still nothing seems to work.
We're running a native 2000 single-site domain with 2 domain controllers.
ANY help is greatly appreciated..
Thanks in advance.
Mike
