Re: [ActiveDir] Phantom Account Locks

Tue, 28 Feb 2006 10:16:05 -0800

If you've joined the domain, changing passwords is pretty transparent in SBS...and with a single DC not much is needed in the way of replication of passwords across the domain if ya know what I mean.
I honestly have not seen a lot of account lockouts --unless someone was banging port 25 -- but if you had that you should see that in your firewall log files and the security logs would look differently (or at least that's been my experience in the newsgroups). 


My other wacko suggestion would be to scan this machine with a good 
"housecall" or other online virus/malware scanner?  Any other events 
right around these audit events?


[EMAIL PROTECTED] wrote:


Hi Adam,

Not sure if anyone has mentioned it or not,  You'll see this often if
someone has an RDP session open somewhere and changed his password
elsewhere.  Or if he was logged into another computer in another way when
he changed it.  Lots of times users "disconnect" instead of logging out.

HTH,
John




                                                                          
            AdamT                                                         
            <[EMAIL PROTECTED]                                             
            >                                                          To 
            Sent by:                  ActiveDir@mail.activedir.org        
            [EMAIL PROTECTED]                                          cc 
            ail.activedir.org                                             
                                                                  Subject 
                                      [ActiveDir] Phantom Account Locks   
            02/28/2006 09:52                                              
            AM                                                            
                                                                          
                                                                          
            Please respond to                                             
            [EMAIL PROTECTED]                                             
               tivedir.org                                                
                                                                          
                                                                          





Dear all,

I have one site, with one user whose account is getting locked out
daily on their SBS box.
My first thought was that this guy is a bit of a muppet, and can't
retain information like passwords for longer than a couple of hours.
When this turned out not to be the case, I figured he must have
something running on his computer, which is attempting to authenticate
using his ID and an old password.
I thought maybe it was a mapped drive, done with a net use command and
a username/password argument.  After that didn't pan out, I thought it
might be something running as a chron job or scheduled task, but that
hasn't worked out either.

Any pointers on what could be doing this?

Cheers,

--
AdamT
'Thank-you for not requesting read receipts'
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


 



--

Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/






















					Reply via email to