In-Reply-To: <[EMAIL PROTECTED]>
Does the user have any manually mapped network drives?
After a password change, we found that manually mapped drives tried to
reconnect using the old password and eventually locked the account out.
Deleting the mappings corrected the problem.
Mark R.
>Received: (qmail 20804 invoked from network); 25 Jun 2002 22:26:50 -0000
>Received: from outgoing3.securityfocus.com (HELO
outgoing.securityfocus.com) (66.38.151.27)
> by mail.securityfocus.com with SMTP; 25 Jun 2002 22:26:50 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com
[66.38.151.19])
> by outgoing.securityfocus.com (Postfix) with QMQP
> id D5782A30B5; Tue, 25 Jun 2002 16:28:44 -0600 (MDT)
>Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
>Precedence: bulk
>List-Id: <security-basics.list-id.securityfocus.com>
>List-Post: <mailto:[EMAIL PROTECTED]>
>List-Help: <mailto:[EMAIL PROTECTED]>
>List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
>List-Subscribe: <mailto:[EMAIL PROTECTED]>
>Delivered-To: mailing list [EMAIL PROTECTED]
>Delivered-To: moderator for [EMAIL PROTECTED]
>Received: (qmail 395 invoked from network); 24 Jun 2002 11:30:51 -0000
>Date: Mon, 24 Jun 2002 13:40:30 -0400
>Message-Id: <[EMAIL PROTECTED]>
>Mime-Version: 1.0
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: quoted-printable
>From: "Lists" <[EMAIL PROTECTED]>
>Reply-To: <[EMAIL PROTECTED]>
>X-Sender: <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>,
> <[EMAIL PROTECTED]>
>Subject: NT4 Account keeps getting locked out!
>X-Mailer: <IMail v6.05>
>
>
>Network info:
>
>NT 4 server network with W2KPro clients.
>
>
>Situation:
>
>We have a user that keeps getting their NT account locked out for reasons
t=
>hat we are not yet aware. Unable to get much info from Event Viewer on
NT4=
> servers or W2KPro client. Don't know if this is being done by someone
int=
>entionally (somewhere on the network or from the client's computer) just
to=
> give us a hard time, or a rouge program somewhere on the network or
client=
>'s computer trying to logon as that
>user. At this time, we are not ruling anyone out, everyone is suspect.
We=
> have replaced the client's computer (not totally, user copied shortcuts
an=
>d some files back to the new desktop...I know, if it was up to me they
woul=
>d not have been allowed to do this, but it's not up to me) and the
account =
>is still getting locked out. We are in the process of creating a new NT
ac=
>count for this user and see if it still occurs.
>
>
>Bottom Line:
>
>We need to find out what is causing this account to get locked out and
prev=
>ent it from happening again.
>
>
>Some thoughts:
>
>Is there third party software that will be able to determine what is
causin=
>g this account to get locked out? Some sort of sniffing program on the
ser=
>ver or the client to find out what program is trying to logon with this
acc=
>ount and from where?
>
>If this is a user doing this intentionally, what are they doing and from
wh=
>ere? Are they trying to connect remotely to the client=92s registry, or
to=
> a share on the
>client computer?
>
>Is there third party software that can help?
>
>Any suggestions/recommendations welcome.
>
>
>
>Thanks,
>Jack
>
>
>
>