I've seen this before and it was generally something like a service that was
running as that user but logging in with the incorrect ID.
Also, I've seen Outlook Web Access do this. A browser window is closed, as
opposed to using the "Log Off" button so they don't get logged out and the
OWA server constantly pounds the DCs trying to log the person in. If
they've changed their password recently, then OWA pounds away with the
incorrect password and causes lockouts.
Bouncing the OWA box generally took care of the problem
Anyway, the first thing to do is check the event viewer on your PDC. Under
the security area, there should be an entry in there showing when the user
was locked out and what machine they were trying to log in from when they
were locked out.
The message will show up a "success audit" in the logs. The following is a
snippet from our logs with the details changed.
User Account Locked Out:
Target Account Name: personwhoforgetspassword
Target Account ID: B-L-A-H0-BLAHBLAH0-yackity00-smackity00-0000
Caller Machine Name: \\machineofpersonwhoforgetspassword
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x773
Anyway, find the user's name in the Target Account Name and go to the Caller
Machine Name and concentrate your efforts on that machine.
Basically, I doubt very seriously that there is someone doing this
intentionally but you never know. Good luck. Let us know how it works out.
Collin Douglas
Senior Network Administrator
MidFirst Bank
-----Original Message-----
From: Lists
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: 6/24/02 12:40 PM
Subject: NT4 Account keeps getting locked out!
Network info:
NT 4 server network with W2KPro clients.
Situation:
We have a user that keeps getting their NT account locked out for
reasons that we are not yet aware. Unable to get much info from Event
Viewer on NT4 servers or W2KPro client. Don't know if this is being
done by someone intentionally (somewhere on the network or from the
client's computer) just to give us a hard time, or a rouge program
somewhere on the network or client's computer trying to logon as that
user. At this time, we are not ruling anyone out, everyone is suspect.
We have replaced the client's computer (not totally, user copied
shortcuts and some files back to the new desktop...I know, if it was up
to me they would not have been allowed to do this, but it's not up to
me) and the account is still getting locked out. We are in the process
of creating a new NT account for this user and see if it still occurs.
Bottom Line:
We need to find out what is causing this account to get locked out and
prevent it from happening again.
Some thoughts:
Is there third party software that will be able to determine what is
causing this account to get locked out? Some sort of sniffing program
on the server or the client to find out what program is trying to logon
with this account and from where?
If this is a user doing this intentionally, what are they doing and from
where? Are they trying to connect remotely to the client's registry, or
to a share on the
client computer?
Is there third party software that can help?
Any suggestions/recommendations welcome.
Thanks,
Jack
.
.
Privileged/Confidential information may be contained in this message.
If you are not the addressee indicated in this message
(or responsible for delivery of the message to such person),
you may not copy or deliver this message to anyone.
In such case, you should destroy this message and
kindly notify the sender by reply e-mail.
Please advise immediately if you or your employer
does not consent to Internet messages of this kind.
Opinions, conclusions and other information in this message
that do not relate to the official business of my firm shall be
understood as neither given nor endorsed by it.
begin 600 winmail.dat
M>)\^(C(.`0:0"``$```````!``$``0>0!@`(````Y`0```````#H``$(@`<`
M&````$E032Y-:6-R;W-O9G0@36%I;"Y.;W1E`#$(`06``P`.````T@<&`!H`
M"0`L`"X``P!?`0$@@`,`#@```-('!@`:``D`*P`P``,`8`$!"8`!`"$```!%
M138R-44S-S=&.#A$-C$Q0C@Q0S`P.3`R-SA!1C,U00`G!P$$@`$`*@```%)%
M.B!.5#0@06-C;W5N="!K965P<R!G971T:6YG(&QO8VME9"!O=70A`"D.`0V`
M!``"`````@`"``$#D`8`/`X``#`````#`/T_Y`0``!X`_#\!````%P```$QI
M<W1S0&IA8VMM8V-A<G1H>2YC;VT```,`WS______'@!#$`$````P````/&UA
M:6QT;SIS96-U<FET>2UB87-I8W,M:&5L<$!S96-U<FET>69O8W5S+F-O;3X`
M'@!%$`$````W````/&UA:6QT;SIS96-U<FET>2UB87-I8W,M=6YS=6)S8W)I
M8F5`<V5C=7)I='EF;V-U<RYC;VT^```>`$00`0```#4````\;6%I;'1O.G-E
M8W5R:71Y+6)A<VEC<RUS=6)S8W)I8F5`<V5C=7)I='EF;V-U<RYC;VT^````
M``,`WC^O;P```@%Q``$````;`````<(<E\H--UYB[XA_$=:X'`"0)XKS6@`A
M7X%W`$``.0`0ORL$(!W"`0,`\3\)!```'@`Q0`$````(````0T],3$E.1``#
M`!I``````!X`,$`!````"````$-/3$Q)3D0``P`90``````"`0D0`0```%,(
M``!/"```P0\``$Q:1G5T[P<9AP`*`0T#0W1E>'0!]_\"I`/D!>L"@P!0`O,&
MM`*#)C(#Q0(`8V@*P'-EV'0P(`<3`H!]"H`(SS\)V0*`"H0+-Q+"`=`@23`G
M=F4@$Z`)\"!T\F@$`"!B`1`%L!@``'!(9"!I!4!W800@9^<)\`20!T!L>1@0
M`W`3L($8@&YG(&QI:QD181@1<G9I8Q@`&'!A\1F$<G5N`P`:\1FQ'!,V=1N1
M&+!U!4`4T&=G[QKB"X`9D!EP:!AA&``+@(L%H15`8P5`240N"J-3"H4*@$%L
M&H`L%\E/`QX`%-!O:R!796)-$^!C&^`$$61O&&,N[B`3X!BP`V!W';(#\!E`
MMR0P&6`$(&,4T!.@9"%@\1FQ;W!P)5(88"-@':!S&N(?,B),'D`B$`$@(G\=
MXB9@`Z`:@!\B&F`C4&[^)P5`&>`>%"8Q"&`%0!DR^1\R3U<C\!N2'<$%H`"`
MWP&0`C`:428`'+!D'3(8`.1$0QTQ<GDFLR-@'C%]'R-P!)`:@`.@"X`CP4E^
M9BAC%^(381KP)C(?0&GW!<`*L`00=P6P&5`?P0GPORNQ(6`?,2(!*J$K]6$9
MH)\:8![O!4`P5QDR8V$=H7,$(!308VLIT2.P($Q"W2P!8R:V*I(&X'@9V29@
M]R)Q--`9`6\NTRO@`V`"8&1E;2!-;GDRD3%C(/YF,"`K<!AB+20C424"'T#;
M-6`?(V47\`(P(!O`!]#+'<$H$7D(82!0+*`CP5Y5&4`=P1\R$Z!C"'%TFQI@
M.0%A,6,9`7-H"&#^;!E0&,`9(3V@`C`L\!ZB]T#W))$;`'<QDA\R':,9HO\U
M0BFI0Y`<,0#!&M$;\BB1_SY!&_$L^QZQ`U)#AT:E1+C-(#U4'T$'@7-A&>`R
MP1<:0$,#'9!P&V$B<W7[(O0TX&09<">P0H0>(B.R_TKR`A`:0$,T&)$;<0,`
M)?#_*3%((S["3A(RR`$``9`#$/<\\B^3(#U5';(BX2P!!4#W)T!$TR(A.B!%
M`S`!D4YPYPK`*2)3UDYA!X!4\%62WRX$0Y`Y0`6P*2%S,%95#P=6&2`05P1"
M+4PM00`M2#`M0DQ!2*M;LEN0>0#0:T!1,%N0OG,`P5R%7,!<P%CK0QHQ[1W!
M348%5LA<8$%%]3E`'U=O6']>B%.#5LA365/85$5-8I\=P40#<0N`"5<$3E03
MX%542$_P4DE4664O'<$G02@105JF*#!X,"QJ$#=\-S,@3#J=.\`J)1VB)_T$
M(&Y6T4V65=]MD1DR:4#_)E(?,EZ_;T4K03$"&B`.\/\^I`$1%.$EP1A21<@U
MSAFPSQO0&C(A82-!=6(]\020]QIA!G$(8',X<APB0/08D?<:@@(@48%O)K08
MD0N`#O#_`C!V\&UP&D(=\CZQ;6`]L=D%P&MN)#`CP4<B8!E0=PI`-6`CP4PI
M,1V@>R,@]TP2&7(%L&LEP4GO"%`:0/,>L69@=6<+8!,P(%0&8#<#``6Q!\!T
M?9(3X&1M'PN`!`!R,@6P($5-:61F1CO3=4!N:VJO('(M_82R3P40'F$'0`70
M2T2$LW4@148#83I40(&A?^94CF^'`$,A)F!`3$EDX&!315)6+F<@B,!#1E5G
MHHD`150[/_<MLF)U4G-`&R"'02Y`!G\"$$`@([`%H#H6@&%4X"``-B\R-"\P
M,B!0,3(Z-!/04&464]UV,&H?T8<`9R`T4\<;0+QE<!G"`D`:XT3'(8-O_R!R
M@-8+@`(0AP"2'6<PCW`/*M4:`(#T,M-7,DM0_P-@)2$(D`(P([*3S7_V&7"^
M=1PP>=&3OB*@?1!A%_'_&W`=HQP3D!PO]&<A`-!3]/]$N1CA($5`H2XQ'34^
M0$""_6U@;WIQ*3$R@15`/S,!H/<Y\"92*2)M3,`?$)-R2!3V13W"($56/B>/
M4BK4)<'_!<"62R/!9F`HXGS3!I!Y%=\8HAKA($4HP1@`8AID>(+]>7PH&H)#
MD3D20\25=@6QOT@C'S$@19:T;4&,47`>`'$$D"D@:AV@/`&A@6G_%_%\H1MP
M$W$F00=Q(6`%L?\;<`-@?Z`YDPG`5M`@1:H__ZM)K.\LW"@1'28@11VB(\+_
M/`,=,:^3GYD<H']!'0$[$/]X@BG1(6!ZXKC3>!(=H"X`_Q_@(#::1A5`"U$;
MX"HTLS]_:?"@`B9@`9!UHQVC!:!P_PB06-9!40`@0"!S,1DR&H+_.[$Y\!BA
M7&%OUAH`!^`!`.1S:R9@<"["D'7P>S+_(6"FT1EU3%`@129A;9%&=/]!<Z`"
MFG,8P!A!&C$D,"8T_R-5(6`=\AEP;4*@$4Q1)F#_($4'@*WP*A:<]G@2><!+
MT?^0?Z7BFD$Y`DVE.;$C`B!%_SE!!0!`L)"C&W#!XIS)&.'_&&0=H\`S">##
M-<JD-5!`(?\CL9=O-G0G\4A0AR`:`)E/_ZLB)C1L<RG21:,E`C3A>.?_G/:A
M=42\($4YL#VT&7%((_<3<$_A'-1G"W'2;X`%P(+;&'!_D6@UH).^22Q#1N+_
M&(`PL0JQ0&$:@`&`H)(<!?]+PD'"H351H020@7%+D=;4[ZQVUU_8;RG1/R/0
MW;,:@/\`(#DR3[$!(!KBL)RR%2K5_\_SO%;5_["&)/*T72!%,M7_Y-D9,D@F
M%4#FD-ZMINB:Q?]XSWG5MW$<(N$D*).X=.\D_^UV[Z03X495+.@K01H`'^$?
M%4`$8`[P.'.\*5PG.?HR'(%E'F"!L3%1@@<F8?\;<1-QL?>L>ZUG[^_?G^"O
MYW6``Z`?0&QP_7X[`;HA]RF!RJ$K42\?P0@0!X`90/^8\U#Q^%",4:#!W&]*
M2X,QN\=Q($5*7&$%+R!R?0D```,`)@```````P`V```````>`'```0```"8`
M``!.5#0@06-C;W5N="!K965P<R!G971T:6YG(&QO8VME9"!O=70A`````@$_
M``$```!-`````````-RG0,C`0A`:M+D(`"LOX8(!`````````"]//4U&0B]/
M53U-241,04Y$7T=23U50+T-./5)%0TE0245.5%,O0TX]0T],3$E.1``````>
M`'4``0````4```!33510`````!X`=@`!````'````$-O;&QI;BY$;W5G;&%S
M0&UI9&9I<G-T+F-O;0`>`$```0````\```!#;VQL:6X@1&]U9VQA<P``'@`T
M0`$````(````0T],3$E.1``"`5$``0```#0```!%6#HO3SU-1D(O3U4]34E$
M3$%.1%]'4D]54"]#3CU214-)4$E%3E13+T-./4-/3$Q)3D0``P`;0``````+
M`%<```````L`6```````"P!9```````"`4<``0```#````!C/553.V$](#MP
M/4U&0CML/4U'+4580TA34E92,BTP,C`V,C8Q-#0T-#9:+3,R-``"`?D_`0``
M`$T`````````W*=`R,!"$!JTN0@`*R_A@@$`````````+T\]349"+T]5/4U)
M1$Q!3D1?1U)/55`O0TX]4D5#25!)14Y44R]#3CU#3TQ,24Y$`````!X`^#\!
M````#P```$-O;&QI;B!$;W5G;&%S```>`#A``0````@```!#3TQ,24Y$``(!
M^S\!````30````````#<IT#(P$(0&K2Y"``K+^&"`0`````````O3SU-1D(O
M3U4]34E$3$%.1%]'4D]54"]#3CU214-)4$E%3E13+T-./4-/3$Q)3D0`````
M'@#Z/P$````/````0V]L;&EN($1O=6=L87,``!X`.4`!````"````$-/3$Q)
M3D0`0``',(+>0UT='<(!0``(,,1,H^$?'<(!'@`]``$````%````4D4Z(```
M```>`!T.`0```"8```!.5#0@06-C;W5N="!K965P<R!G971T:6YG(&QO8VME
M9"!O=70A````'@`U$`$```!!````/$4P.3<U-3<R-C`T-$9%-#DY1C$U,S@X
M03`S-D(R-T-%,D,U0D!M9RUE>&-H<W)V<C(N;6ED9FER<W0N8V]M/@`````+
M`"D```````L`(P```````P`&$-V;K^H#``<03PH```,`$!```````P`1$```
M```>``@0`0```&4```!)5D53145.5$A)4T)%1D]214%.1$E45T%31T5.15)!
M3$Q94T]-151(24Y'3$E+14%315)624-%5$A!5%=!4U)53DY)3D=!4U1(0515
M4T520E543$]'1TE.1TE.5TE42%1(14E.``````(!?P`!````00```#Q%,#DW
M-34W,C8P-#1&130Y.48Q-3,X.$$P,S9",C=#13)#-4)`;6<M97AC:'-R=G(R
4+FUI9&9I<G-T+F-O;3X`````8FT=
`
end
