I love clients like that. For all their stupidity, they keep us in work :-)


On 11 September 2013 15:42, Webster <[email protected]> wrote:

>  Sorry this page:
>
> http://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx
>
> *Note*
>
> Microsoft does not recommend that you use this tool on servers that host
> network programs or services. You should not enable ALockout.dll on
> Exchange servers because the ALockout.dll tool may prevent the Exchange
> store from starting.
>
> *Important*
>
> Before you install the ALockout.dll tool on any mission-critical computer,
> make a full backup copy of the operating system and any valuable data.
>
> Since two of their DCs also host mission critical stuff (like 20
> production SQL databases) and they have never, ever tested their backups,
> the request to install was denied.
>
> Thanks
>
> Webster
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kennedy, Jim
> *Sent:* Wednesday, September 11, 2013 9:34 AM
>
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: Logon sniffing tool
>
> I am missing the warnings, don’t see them on the page at all. I use it
> often, it really helps.
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *Webster
> *Sent:* Wednesday, September 11, 2013 10:31 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: Logon sniffing tool
>
> I looked at that also but all the dire warnings on the page made the CIO
> reject our request to install it.
>
> Thanks
>
> Webster
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *Tim Evans
> *Sent:* Wednesday, September 11, 2013 9:16 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: Logon sniffing tool
>
> I've found the Account Lockout and Management Tools at
> http://www.microsoft.com/en-us/download/details.aspx?id=18465 very
> helpful in tracking down lockout problems. Just yesterday, we found an
> issue where Lync cached a bad password and would lock out a user immediately
> after they made a VPN connection.
>
> …Tim
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *David McSpadden
> *Sent:* Wednesday, September 11, 2013 4:19 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: Logon sniffing tool
>
> I am thinking that is going to be my case. I am logging in as a different
> account on the same pc now to see if I get the failed logon requests.
>
> Email account is deleted from iphone for now.  Still not seeing it but I
> will continue on this path because I am loath to build a new pc right this
> minute.  In the middle of a 16 man regulator team audit and get my
> Virtualization equipment delivered this week.  Kind of not in the mood for
> this failed logon crap…I am really hoping it is not one of the other admins
> messing with me…thanks for all your pointers up til now.  I am using them
> all to check things off that it isn’t.
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *David L Herrick
> *Sent:* Tuesday, September 10, 2013 4:11 PM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: Logon sniffing tool
>
> I am loath to admit it. However, I have seen similar when having setup a
> test (scheduled task, or such) using my cred’s and “forgot” to go back and
> change it until my password change initiated errors
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *Adm
> *Sent:* Tuesday, September 10, 2013 12:58 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] RE: Logon sniffing tool
>
> Most of our login problems here are caused by Android device not getting
> password updated.
>
> On Tue, Sep 10, 2013 at 3:42 PM, David McSpadden <[email protected]> wrote:
>
> Not rootkit, no conficker, but 3 logon hits on the dc’s from the dc’s
> using my creds while I was offline scanning???
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kelsey, John
> *Sent:* Tuesday, September 10, 2013 11:45 AM
> *To:* '[email protected]'
> *Subject:* RE: [NTSysADM] RE: Logon sniffing tool
>
> Had a similar issue here, I think it was a conficker variant causing the
> problem.  The event gave the address of the offending PC though so it was
> easier to track down.
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Webster
> *Sent:* Tuesday, September 10, 2013 11:31 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: Logon sniffing tool
>
> After 3 days of looking, we gave up for now.  But this will need to be
> resolved before they do their AD migration into the parent company.
>
> Thanks
>
> Webster
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *David McSpadden
> *Sent:* Tuesday, September 10, 2013 10:23 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: Logon sniffing tool
>
> Have you found the bad process yet?
>
> I am watching my event viewer on the DC’s right now waiting for the hit so
> I can then go into my Procmon and Netmon processes to find it on my machine.
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *Webster
> *Sent:* Tuesday, September 10, 2013 11:09 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: Logon sniffing tool
>
> The built-in administrator account.  Tens of thousands of 0x12 and 0x18
> every day.
>
> I saved and cleared all the event logs at 7PM on Wednesday and when we
> showed up at 8AM Thursday there were already over 358,000 failed logon
> attempts!
>
> Thanks
>
> Webster
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *David McSpadden
> *Sent:* Tuesday, September 10, 2013 10:02 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: Logon sniffing tool
>
> Just Domain admins?
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *Webster
> *Sent:* Tuesday, September 10, 2013 10:54 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: Logon sniffing tool
>
> I faced the same issue last week.  We were unable to determine the cause
> of the mysterious attempts to lock out the domain admin administrator
> account.  There were no services or scheduled tasks that used that account
> and even using “rundll32 keymgr.dll,KRShowKeyMgr” showed no cached
> credentials on any of the computers.
>
> The DC’s security event logs are being flooded with 0x12 and 0x18 errors
> for eventids 675 and 680.
>
> I am interested in also seeing what the list suggests for tracking this
> down.
>
> Thanks
>
> Webster
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *David McSpadden
> *Sent:* Tuesday, September 10, 2013 9:25 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] Logon sniffing tool
>
> My machine is trying and failing to log into the domain about every 6
> minutes.
>
> What tool can I use to find the process, service, or program that is
> attempting to log in with a bad password?
>
> Windows 8 64 bit failing with a 2008 AD.
>
> Event id 675 code 0x18
>
> *Thank you*
>
> *David W. McSpadden*
>
> *B*egin Planning
>
> *A*rrange for Reconnaissance and Coordination
>
> *M*ake Reconnaissance
>
> *C*omplete Plan
>
> *I*ssue Order
>
> *S*upervise
>
> This e-mail and any files transmitted with it are property of Indiana
> Members Credit Union, are confidential, and are intended solely for the use
> of the individual or entity to whom this e-mail is addressed. If you are
> not one of the named recipient(s) or otherwise have reason to believe that
> you have received this message in error, please notify the sender and
> delete this message immediately from your computer. Any other use,
> retention, dissemination, forwarding, printing, or copying of this email is
> strictly prohibited.
>
> Please consider the environment before printing this email.
>
> This email and any attached files are confidential and intended solely for
> the intended recipient(s). If you are not the named recipient you should
> not read, distribute, copy or alter this email. Any views or opinions
> expressed in this email are those of the author and do not represent those
> of the company. Warning: Although precautions have been taken to make sure
> no viruses are present in this email, the company cannot accept
> responsibility for any loss or damage that arise from the use of this email
> or attachments.
>
> --
> smsadm
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the system manager.
> This message contains confidential information and is intended only for the
> individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and
> delete this e-mail from your system. If you are not the intended recipient
> you are notified that disclosing, copying, distributing or taking any
> action in reliance on the contents of this information is strictly
> prohibited.
>



-- 
*James Rankin*
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk
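
Added example, not part of the original thread: one way to act on the observation quoted above that the event records the address of the offending machine is to tally pre-authentication failures (event 675) by user, client address and failure code. The export layout, the function names and the sample records are assumptions constructed for illustration; the failure-code names come from RFC 4120.

```python
import re
from collections import Counter

# Kerberos failure codes named in the thread (error names from RFC 4120).
FAILURE_CODES = {
    "0x12": "KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out",
    "0x18": "KDC_ERR_PREAUTH_FAILED: wrong password presented",
}

# Constructed sample, not real log data: assumed text export of event 675.
SAMPLE = """\
Pre-authentication failed:
    User Name: administrator
    Failure Code: 0x18
    Client Address: 192.0.2.15
Pre-authentication failed:
    User Name: Administrator
    Failure Code: 0x12
    Client Address: 192.0.2.40
Pre-authentication failed:
    User Name: administrator
    Failure Code: 0x18
    Client Address: 192.0.2.15
"""

FIELD = re.compile(
    r"^[ \t]*(User Name|Failure Code|Client Address):[ \t]*(\S+)[ \t]*$", re.M)

def summarize_preauth_failures(export_text):
    """Count failures per (user, client address, failure code), busiest first."""
    counts = Counter()
    for record in export_text.split("Pre-authentication failed:")[1:]:
        fields = dict(FIELD.findall(record))
        counts[(fields.get("User Name", "?").lower(),
                fields.get("Client Address", "?"),
                fields.get("Failure Code", "?").lower())] += 1
    return counts.most_common()

def report(export_text):
    """One line per source, with the meaning of each failure code."""
    return [f"{n:>6}  {user:<15} {addr:<15} {code}  "
            f"{FAILURE_CODES.get(code, 'code not covered here')}"
            for (user, addr, code), n in summarize_preauth_failures(export_text)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

A client address that dominates the tally is the machine to inspect for stale stored credentials, services or scheduled tasks; a 0x12 row means the account was already locked out or disabled when the request arrived.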
