Re: Account lockouts


From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: 01/16/05


Date: Mon, 17 Jan 2005 10:49:33 +1100

Hi all

The following discusses general account lockout policy, troubleshooting and
tools:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

The tools can be downloaded from:

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

A general approach I use to track these things down is to use
lockoutstatus.exe to find the DCs that are receiving the bad password
attempts, enable auditing on those DCs (or all DCs if a smaller
environment) and track the computers that are the source of the problem.
Once you know this you can use ALockout.dll to identify the offending
process (if it's a process). As you already seem to know which process is
at fault, the first two steps may assist you in identifying infected
clients.

Use AV, spyware cleaning software, etc. to resolve the problem.

Kind regards

-- 
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email 
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ole Kristian Bangås" <ole_kristian_bangaas@hotmail.com> wrote in message 
news:Xns95E15F13A295OleKristianBangaas@130.133.1.4...
> BFT <BFT@discussions.microsoft.com> wrote in
> news:AABB3C61-B400-4467-9AB4-435F5FA3C077@microsoft.com:
>
>> I have a pretty big problem on my hands.  I have account lockout
>> occurring on my network.  I found a SAM error in my system log that I
>> tracked down to an office over in Asia. I thought it might be a virus
>> but it was not. It seems to be some type of spyware called
>> securenet.exe; anyway, it looks like it uses the Outlook address book
>> and attempts to log on to Active Directory. Well, I have my lockouts
>> set and it locked accounts all week. I finally got the admin in that
>> office to shut off those PCs and reinstall them.
>>
>> Anyway, here is the real problem: I had been unlocking accounts all
>> week, which equals thousands of unlocks. I printed my security log and
>> the locks didn't show up. Now all weekend I have been watching the
>> security log and they seem to be appearing now.
>>
>> Has anyone ever had this problem, and if so, what can I do to stop the
>> locks if they continue?  I thought it might just be a backlog of Active
>> Directory transactions.  Any ideas? I'm at a loss.
>
> My first thought, since you apparently know the name of the executable,
> is to create a GPO denying that executable to run, and then start
> cleaning up the system.
>
> -- 
> Ole Kristian Bangås 
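
Added example, not part of the posts above or of the Microsoft tools: once auditing is enabled on the DCs that lockoutstatus.exe points to, the lockout events can be grouped by source computer to find the clients to clean. The CSV column layout, the host and account names, and the `min_accounts` threshold are assumptions made for this sketch; 644 and 4740 are the lockout event IDs on Windows Server 2003 and on Server 2008 and later.

```python
import csv
import io
from collections import defaultdict

# Lockout event IDs: 644 (Windows Server 2003), 4740 (Server 2008 and later).
LOCKOUT_EVENT_IDS = {"644", "4740"}

# Constructed sample: security events exported from the audited DCs as CSV.
# The column layout is an assumption of this example, not a tool's real output.
SAMPLE_EXPORT = """dc,event_id,target_account,caller_machine
DC01,644,asmith,WS-ASIA-07
DC01,644,bjones,WS-ASIA-07
DC02,644,cwong,ws-asia-07
DC02,644,dlee,WS-ASIA-12
DC01,680,asmith,WS-ASIA-07
DC02,644,asmith,WS-ASIA-07
DC03,644,epark,WS-HQ-03
DC03,644,epark,WS-HQ-03
DC01,644,fkhan,WS-ASIA-12
"""

def summarize_lockouts(export_text):
    """Group lockout events by the computer the bad passwords came from."""
    sources = defaultdict(lambda: {"accounts": set(), "dcs": set(), "events": 0})
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"].strip() not in LOCKOUT_EVENT_IDS:
            continue  # other audit events are not lockouts
        # Computer names are case-insensitive; the field may be blank in an export.
        machine = row["caller_machine"].strip().upper() or "(UNKNOWN)"
        entry = sources[machine]
        entry["accounts"].add(row["target_account"].strip().lower())
        entry["dcs"].add(row["dc"].strip().upper())
        entry["events"] += 1
    return dict(sources)

def suspect_clients(export_text, min_accounts=2):
    """Rank computers that locked out several distinct accounts.

    One machine locking one account is usually a stale password; one machine
    locking many accounts fits a process cycling through user names.
    """
    summary = summarize_lockouts(export_text)
    hits = [(m, len(s["accounts"]), s["events"]) for m, s in summary.items()
            if len(s["accounts"]) >= min_accounts]
    return sorted(hits, key=lambda h: (-h[1], -h[2], h[0]))
```

`suspect_clients(SAMPLE_EXPORT)` returns the computers ordered by how many distinct accounts each one locked, which is the list to hand to whoever runs ALockout.dll or the cleanup on those clients.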

