OK, here's a teaser...
All of our AD accounts are gradually being locked out. I have one guy searching for locked out accounts and unlocking them (and they do not get re-locked out) but with 2500 accounts this is more than a PITA. Now, this stinks of a brute force attack on an enumerated list of accounts on the network (we allow 10 attempts then lockout for 30mins), but we can't find _anything_ that looks like this. To compound matters, we have also had a small outbreak of WORM_DOWNAD.AD which has been contained and managed well, but I think this is a red herring as that worm's symptoms are nothing like what we are seeing (and there is no correlation). Does anyone know of a way to find out what processes are attempting to make a logon attempt (we have about 10 DCs spread about the place) to an account - bearing in mind it could be any one of 2500 accounts? Also, is it possible to find out where the logon attempt that caused an account lock came from? Cheers, and TIA, Andy. Andy Crellin Technical Services Manager Leonard Cheshire Disability Telephone: 01904 479200 Email: [email protected] Change the way you see disability. Find out more at www.CreatureDiscomforts.org <http://www.creaturediscomforts.org/> Our London Marathon places are almost sold out! Call 020 3242 0376 now to reserve one of the last few places available, or e-mail [email protected] Internet communications are not secure and therefore Leonard Cheshire Disability does not accept any liability for the content of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of Leonard Cheshire Disability. If you have received this transmission in error, please contact the sender and delete it immediately. Leonard Cheshire Disability is a company limited by guarantee, registered in England no: 552847, and a registered charity no: 218186 (England & Wales) and no: SC005117 (Scotland) VAT no: 899 3223 75. Registered office: 66 South Lambeth Road, London, SW8 1RL. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
