Re: all domain accounts locked out !!!



Microsoft recommends that you use a lockout threshold of no less than 10
attempts, and as many as 50, if you use account lockout, assuming you have
enforced complex passwords in your domain, ideally with a password length of
at least eight characters. Even a threshold of 50 is plenty adequate to
defend against brute force password attacks against complex passwords.

If you scan your network with a vulnerability assessment tool like MBSA, that
can lock out accounts, as it will try a number of weak passwords as part of
the vulnerability scan. Worms can also lock out accounts, though they usually
target the administrator account. Also check the security logs on the domain
controllers and domain workstations for failed logon attempts that may give
you a clue as to what is going on. The failed logons will have a timestamp,
for instance, that may be helpful information. To get the information you
need, you should enable auditing of "account logon" events for success/
failure, "logon" events for failure only, and account management events for
success and failure. In Domain Controller Security Policy, enable auditing
of "logon" events for success and failure. --- Steve


"Misaro" <Misaro@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:07A71B36-4FEB-4A60-BD3D-92C8E63FBED6@xxxxxxxxxxxxxxxx
> Incredible!
>
> All domain user accounts got locked out!! I have no idea what was the
> reason for this situation to happen. Thank God I had an open console on my
> computer to access the LDAP!!
>
> The default domain group policy shows me:
> Account Lockout Policy was
> - Account lockout duration = 30 minutes
> - Account lockout threshold = 6 invalid attempts
> - Reset account lockout after = 30 minutes
>
> Now, the policy shows Account lockout threshold = 0 invalid attempts,
> while I keep researching the possible cause of this critical issue.
>
> How did I fix it? Umm, I just ran Microsoft's Lockout Status tool
> trying to unlock accounts and suddenly all accounts came back to the
> "unlocked user state".
>
> I will thank you for any comments!!!
>
>
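The reply above suggests correlating failed-logon timestamps and the account lockout policy (threshold, reset window) to find what is tripping the lockouts. The following is an added example, not code from either poster or from Microsoft: it replays a constructed set of exported failed-logon records against a lockout policy using a simplified model of the per-account bad-password counter (counter cleared after the reset window elapses since the last failure, or on a successful logon; account locks when the counter reaches the threshold; threshold 0 disables lockout), and ranks source workstations by failure count so the host driving the lockouts stands out. The host names, account names and timestamps are constructed, and the counter model is an approximation of the real directory behaviour, not a statement of it.

```python
"""Lockout triage helper: replay failed-logon records against an
account-lockout policy and rank the source hosts driving the failures."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def parse(ts):
    """Turn an exported timestamp string into a datetime."""
    return datetime.strptime(ts, FMT)


def build_sample_events():
    """Constructed sample, not real log data. Each record is
    (timestamp, target account, source workstation, outcome).
    A hypothetical scanner host SCANNER01 tries 6 bad passwords against
    each of three accounts within two minutes; user dave mistypes 3 times
    and then logs on; user erin spreads 6 failures over ten hours."""
    events = []
    base = datetime(2004, 3, 2, 9, 0, 0)
    for n, acct in enumerate(("alice", "bob", "carol")):
        for i in range(6):
            t = base + timedelta(seconds=n * 40 + i * 5)
            events.append((t.strftime(FMT), acct, "SCANNER01", "failure"))
    for i in range(3):
        t = base + timedelta(minutes=10, seconds=i * 20)
        events.append((t.strftime(FMT), "dave", "WS-DAVE", "failure"))
    ok = base + timedelta(minutes=11)
    events.append((ok.strftime(FMT), "dave", "WS-DAVE", "success"))
    for i in range(6):
        t = base + timedelta(hours=i * 2)
        events.append((t.strftime(FMT), "erin", "WS-ERIN", "failure"))
    return sorted(events)  # zero-padded timestamps sort chronologically


def simulate_lockouts(events, threshold, reset_minutes):
    """Replay events against the policy and return {account: lockout time}.
    Simplified model (an assumption, not the directory's exact rules):
    a per-account bad-password counter is cleared once reset_minutes have
    passed since the last failure, or by a successful logon, and the
    account locks when the counter reaches threshold. threshold 0 means
    lockout is disabled, which is what the poster's policy now shows."""
    window = timedelta(minutes=reset_minutes)
    count = defaultdict(int)
    last_fail = {}
    locked = {}
    for ts, acct, _src, outcome in sorted(events):
        t = parse(ts)
        if acct in locked:
            continue  # already locked; further attempts change nothing
        if outcome == "success":
            count[acct] = 0
            continue
        if acct in last_fail and t - last_fail[acct] > window:
            count[acct] = 0  # reset window elapsed since last failure
        count[acct] += 1
        last_fail[acct] = t
        if threshold and count[acct] >= threshold:
            locked[acct] = ts
    return locked


def failures_by_source(events):
    """Count failed logons per source workstation. The host at the top of
    this list is where to look first (scanner, worm, stale credentials)."""
    return Counter(src for _, _, src, outcome in events if outcome == "failure")


if __name__ == "__main__":
    evts = build_sample_events()
    print("failures by source:", failures_by_source(evts).most_common())
    for thr in (6, 50):
        print(f"threshold {thr}, reset 30 min ->",
              simulate_lockouts(evts, thr, 30))
```

Run with the constructed data, the scanner host tops the per-source count and is the only source that locks anything at the poster's threshold of 6; raising the threshold toward the recommended range locks none of the sample accounts while still bounding guesses per reset window, and the slow, spread-out failures from WS-ERIN never accumulate because the reset window clears them.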

