Win2000 AD user account mass lockout - Strange !
From: Umiotoko (jseaman_at_venturiwireless.com)
Date: 06/23/04
- Next message: Yor Suiris: "Re: AD removal"
- Previous message: Tomasz Onyszko: "Re: Active Directory Installation"
- Next in thread: Dan Sime: "Win2000 AD user account mass lockout - Strange !"
- Reply: Dan Sime: "Win2000 AD user account mass lockout - Strange !"
- Messages sorted by: [ date ] [ thread ]
Date: 23 Jun 2004 10:13:01 -0700
Very strange - We had a mass lockout of every user account in AD
yesterday. It was traced to a laptop running WinXP-SP1.
A check of the Security log on the DC shows about 3000 failure audits
over a 2 minute period, at least 10 per user account. It has somehow
walked the AD tree as it's tried everything across multiple OU's
including disabled user accounts.
The laptop is running Symantec Antivirus Corporate 8.1 with
definitions from June 9th.
Anyone ever seen anything like this?
Event Log Sample
================
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 6/22/2004
Time: 12:07:02 PM
User: NT AUTHORITY\SYSTEM
Computer: xxxxxxx-x
Description:
Logon Failure:
Reason: Account locked out
User Name: joeuser
Domain: VENTURI-SA5BUXB
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VENTURI-SA5BUXB
- Next message: Yor Suiris: "Re: AD removal"
- Previous message: Tomasz Onyszko: "Re: Active Directory Installation"
- Next in thread: Dan Sime: "Win2000 AD user account mass lockout - Strange !"
- Reply: Dan Sime: "Win2000 AD user account mass lockout - Strange !"
- Messages sorted by: [ date ] [ thread ]
