Windows Security Log Encyclopedia by Randy Franklin Smith:
http://www.ultimatewindowssecurity.com/encyclopedia.html
Logon Type Codes Revealed:
http://www.windowsecurity.com/articles/Logon-Types.html
SBS has a pretty lenient group policy lockout set up by the SBS box
group policy ... you have to hit 50 invalid logon attempts for an account
to lock out.
Kick on the security logs on that workstation and review the system logs
on there.
There's not a leftover Windows password, is there?
Also review your firewall log files (it appears though that those are
firing from the workstation).
After the application of SP1, one of my workstations with an HP LaserJet
monitoring software threw off tons of Kerb errors only on the DC, but I
didn't get an account lockout like this.
AdamT wrote:
On 2/28/06, Susan Bradley <[EMAIL PROTECTED]> wrote:
What's the security log say up on the server?
The security log has several of these:
Event ID 529
Source: Security
Category: Logon/Logoff
Type: Failure
User: NT AUTHORITY\SYSTEM
Computer: SBS-DC
Reason: Unknown user name or bad password
Username: j.bloggs
Domain: PC004
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PC004
And some of these:
Event ID: 681
Source: Security
Category: Account Logon
Type: Failure
User: NT AUTHORITY\SYSTEM
Computer: SBS-DC
The logon to account j.bloggs by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: PC004 failed.
The error code was: 3221225578
(I looked that up, and the error code apparently means 'wrong password')
And some of these:
Event ID: 539
Source: Security
Category: Logon/Logoff
Type: Failure
User: NT AUTHORITY\SYSTEM
Computer: SBS-DC
Reason: Account locked out
User Name: j.bloggs
Domain: PC004
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PC004
Thanks for the mention of the lockout tools - will give them a go.
Cheers,
--
AdamT
'Thank-you for not requesting read receipts'
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
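
The triage discussed in this thread, as an added example that is not part of either poster's message: a Python script that parses security-log records in the text layout quoted above, converts the decimal error code from event 681 into its NTSTATUS hex value, and counts events per source workstation and account. The sample records are constructed from the fields shown in the thread, and the function names are this example's own.

```python
import re
from collections import Counter

# NTSTATUS values; event 681 prints them in decimal.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
FIELDS = {
    "id": r"Event ID:?\s*(\d+)",
    "user": r"(?:User ?[Nn]ame:|logon to account)\s*(\S+)",
    "workstation": r"(?:Workstation Name:|from workstation:)\s*(\S+)",
    "status": r"error code was:\s*(-?\d+)",
}

# Constructed sample, trimmed to the fields parsed here.
SAMPLE = """Event ID 529
Username: j.bloggs
Workstation Name: PC004

Event ID: 681
The logon to account j.bloggs by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: PC004 failed.
The error code was: 3221225578

Event ID: 539
User Name: j.bloggs
Workstation Name: PC004
"""

def decode_status(decimal_code):
    code = int(decimal_code) & 0xFFFFFFFF  # mask also accepts a signed 32-bit rendering
    return "0x%08X %s" % (code, NTSTATUS.get(code, "UNKNOWN"))

def parse_events(text):
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {k: m.group(1) for k, p in FIELDS.items() if (m := re.search(p, block))}
        if "id" not in ev:
            continue  # not an event record
        if "status" in ev:
            ev["status"] = decode_status(ev["status"])
        events.append(ev)
    return events

def failures_by_source(events):
    # Key: (workstation, account, event id); a single dominant workstation is the place to look.
    return Counter((e.get("workstation"), e.get("user"), int(e["id"])) for e in events)
```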