BFT (Guest)
Posted: Mon Jan 17, 2005 12:18 am
Post subject: Account lockouts
I have a pretty big problem on my hands. I have account lockouts occurring on
my network. I found a SAM error in my system log that I tracked down to an
office over in Asia. I thought it might be a virus, but it was not. It seems to
be some type of spyware called securenet.exe. Anyway, it looks like it uses
the Outlook address book and attempts to log on to Active Directory. Well, I
have my lockouts set and it locked accounts all week. I finally got the admin
in that office to shut off those PCs and reinstall them.
Anyway, here is the real problem: I had been unlocking accounts all week,
which equals thousands of unlocks. I printed my security log and the locks
didn't show up. Now all weekend I have been watching the security log and
they seem to be appearing now.
Has anyone ever had this problem, and if so, what can I do to stop the locks
if they continue? I thought it might just be a backlog of Active Directory
transactions. Any ideas? I'm at a loss.
Ole Kristian Bangås (Guest)
Posted: Mon Jan 17, 2005 12:18 am
Post subject: Re: Account lockouts
My first thought, since you apparently know the name of the executable,
is to create a GPO denying that executable to run, and then start
cleaning up the system.
--
Ole Kristian Bangås
Mark Renoden [MSFT] (Guest)
Posted: Mon Jan 17, 2005 12:18 am
Post subject: Re: Account lockouts
Hi all
The following discusses general account lockout policy, troubleshooting and
tools:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
The tools can be downloaded from:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
A general approach I use to track these things down is to use
lockoutstatus.exe to find the DCs that are receiving the bad password
attempts, enable auditing on those DCs (or all DCs if a smaller
environment) and track the computers that are the source of the problem.
Once you know this you can use ALockout.dll to identify the offending
process (if it's a process). As you already seem to know which process is
at fault, the first two steps may assist you in identifying infected
clients.
Use AV, spyware cleaning software etc to resolve the problem.
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
|
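The triage Mark Renoden describes above (find the DCs receiving the bad password attempts, then the computers sending them), sketched as an added example that is not part of the original thread. It assumes the relevant security-log records have already been exported to CSV; the column names, event labels, host names and accounts are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: failed-logon and lockout records exported from DC security
# logs to CSV. Column names and event labels are assumptions for this example.
SAMPLE_CSV = """time,dc,event,account,source
2005-01-14T08:01:10,DC-HQ-01,bad_password,asmith,PC-ASIA-07
2005-01-14T08:01:11,DC-HQ-01,bad_password,bjones,PC-ASIA-07
2005-01-14T08:01:12,DC-HQ-01,bad_password,asmith,PC-ASIA-07
2005-01-14T08:01:13,DC-HQ-01,lockout,asmith,PC-ASIA-07
2005-01-14T08:01:15,DC-ASIA-01,bad_password,cwu,PC-ASIA-07
2005-01-14T08:01:16,DC-ASIA-01,bad_password,dlee,PC-ASIA-12
2005-01-14T08:02:40,DC-HQ-01,bad_password,efox,PC-HQ-33
2005-01-14T08:02:41,DC-HQ-01,bad_password,efox,PC-HQ-33
2005-01-14T08:02:42,DC-HQ-01,lockout,efox,PC-HQ-33
2005-01-14T08:03:00,DC-ASIA-01,bad_password,bjones,PC-ASIA-12
2005-01-14T08:03:01,DC-ASIA-01,lockout,bjones,PC-ASIA-12
"""

def summarize(csv_text):
    """Return (bad-password count per DC, per-source stats) from exported records."""
    per_dc = defaultdict(int)
    sources = defaultdict(lambda: {"attempts": 0, "accounts": set(), "lockouts": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = sources[row["source"].strip().upper()]
        if row["event"] == "bad_password":
            per_dc[row["dc"]] += 1
            src["attempts"] += 1
            src["accounts"].add(row["account"].lower())
        elif row["event"] == "lockout":
            src["lockouts"] += 1
    return dict(per_dc), dict(sources)

def suspect_sources(sources, min_accounts=2):
    """Sources failing logons for several distinct accounts, widest spread first."""
    # One machine failing for one account is usually a stale saved password;
    # one machine failing for many accounts matches the behaviour in this thread.
    hits = [(name, len(s["accounts"]), s["attempts"], s["lockouts"])
            for name, s in sources.items() if len(s["accounts"]) >= min_accounts]
    return sorted(hits, key=lambda h: (-h[1], -h[2], h[0]))

if __name__ == "__main__":
    per_dc, sources = summarize(SAMPLE_CSV)
    for dc, n in sorted(per_dc.items(), key=lambda kv: -kv[1]):
        print(f"{dc}: {n} bad password attempts")
    for name, accounts, attempts, lockouts in suspect_sources(sources):
        print(f"{name}: {accounts} accounts, {attempts} attempts, {lockouts} lockouts")
```

The per-DC counts show where to enable auditing first; the source list is the set of clients to pull off the network and clean.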
Joe Richards [MVP] (Guest)
Posted: Mon Jan 17, 2005 9:59 am
Post subject: Re: Account lockouts
Not sure why you didn't find the lockouts in your logs. The fact that they are
there now is good. :)
If you want to quickly find locked out accounts, swing by www.joeware.net and
look at the free Windows tools and look for unlock. It is a tool that will very
quickly give you a list of all locked out accounts in a domain; it can also
unlock them all very quickly as well.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net