Classification: UNCLASSIFIED
Caveats: NONE

Or set up this query in ADU&C, somewhat useful....

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/FindAllLocked-OutAccounts.html

From: Greg Olson
Sent: Friday, November 20, 2009 2:33 PM
To: NT System Admin Issues
Subject: RE: Conficker Help!

Go grab the trial version of NetWrix Account Lockout Examiner: http://www.netwrix.com

It will monitor your domain controllers and look for lockouts and report what machine they're coming from.

From: Orland, Kathleen
Sent: Friday, November 20, 2009 6:08 AM
To: NT System Admin Issues
Subject: Re: Conficker Help!

That's what I did with my Conficker hit earlier this year. Also, in spite of the fact it looked as though everyone was infected and popping up virus alerts, we really only had one infected laptop. McAfee (not my choice to run) was popping up alerts on every PC every time the one infected PC tried to use a bad password. I was able to determine a lot from checking 1) bad password attempts 2) McAfee logs.

----- Original Message -----
From: Mayo, Bill
To: NT System Admin Issues
Sent: Friday, November 20, 2009 8:41 AM
Subject: RE: Conficker Help!

Look for multiple bad password attempts coming from the same source.

________________________________

From: Kelsey, John
Sent: Friday, November 20, 2009 8:34 AM
To: NT System Admin Issues
Subject: Conficker Help!

Looks like we're getting hit by Conficker this morning. Sophos is reporting several hundred 'conficker detected/cleaned' messages, so at least it's catching it...BUT....how do I determine the source of the infection? Something I can look for with wireshark or something? Apparently there are some unprotected machines on the network.

Any suggestions are welcome!

*******************************
John C. Kelsey
DuBois Regional Medical Center
Phone: 814.375.3073
Fax: 814.375.4005
*******************************
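
The check suggested in the thread (multiple bad password attempts coming from the same source), as an added example that is not part of the original messages. It assumes the domain controller Security log has been exported to CSV; the column names and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Failed-logon event IDs: 529 (Server 2003) and 4625 (Server 2008 and later).
FAILED_LOGON_IDS = {"529", "4625"}

# Constructed sample export (assumed columns), not data from the thread.
# 528 is a successful logon and 644 an account lockout; both are skipped.
SAMPLE_CSV = """\
time,event_id,account,workstation
2009-11-20T08:01:02,529,jsmith,LAPTOP-17
2009-11-20T08:01:03,529,administrator,LAPTOP-17
2009-11-20T08:01:03,529,backup,laptop-17
2009-11-20T08:01:04,529,jsmith,LAPTOP-17
2009-11-20T08:01:05,529,mjones,LAPTOP-17
2009-11-20T08:01:06,529,administrator,LAPTOP-17
2009-11-20T08:02:10,528,jsmith,LAPTOP-17
2009-11-20T08:05:00,529,kdoe,PC-ACCT-03
2009-11-20T08:05:20,529,kdoe,PC-ACCT-03
2009-11-20T08:06:00,644,mjones,DC01
2009-11-20T08:07:00,529,guest,
"""


def rank_sources(csv_text, min_failures=5, min_accounts=3):
    """Return (source, failures, distinct_accounts) tuples, worst first.

    A user mistyping a password fails a few times against one account;
    an infected host guessing passwords fails often against many accounts,
    so both thresholds must be met before a source is reported.
    """
    failures = defaultdict(int)
    accounts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"].strip() not in FAILED_LOGON_IDS:
            continue
        # Normalise case; some failure events carry no workstation name.
        src = row["workstation"].strip().upper() or "(UNKNOWN)"
        failures[src] += 1
        accounts[src].add(row["account"].strip().lower())
    suspects = [
        (src, failures[src], len(accounts[src]))
        for src in failures
        if failures[src] >= min_failures and len(accounts[src]) >= min_accounts
    ]
    return sorted(suspects, key=lambda s: (-s[1], -s[2], s[0]))


if __name__ == "__main__":
    for src, count, accts in rank_sources(SAMPLE_CSV):
        print(f"{src}: {count} failed logons across {accts} accounts")
```
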
