
Thread: Account lock out

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    113

    Account lock out

    Hi,

    There is an employee in my company and her account in the Active Directory is getting locked out time and again. The machine has Win 2K Professional Service Pack 4. Also, she does not make any mistake while typing in her password, so no login failures. Can someone help? Is anyone else trying to access her account also?

    MRG.

  2. #2
    Junior Member
    Join Date
    Jun 2004
    Posts
    14
    Have you tried looking at her machine and making sure that she does not have any password saved? Also look at the security logs on the DC and see if she is logged in on another terminal with an old password.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    The account lockout threshold is being triggered. It seems that indeed someone else is attempting to use her credentials. Give the AD admins a call and have them start logging the account. This way they can see when the failed attempts are made.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    That is normally the first indication of a would-be intruder. Does the event log have several failed login attempts outside the normal lockout duration? This intruder could be trying to access her machine or elevate privy, or she is trying to elevate privy (privilege) to other machines and AD is locking her out. As usual the logs will tell.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Often one of the many new worms going around will hammer away at common accounts trying to guess the password. Remember this does not have to be from the user's workstation per se.
    Check workstations' task manager for strange .exe's running.


    Make sure logging is turned on for failed login attempts.

    Event Viewer will report the failure and each entry will also contain the IP/HOSTNAME/NetBIOS name of the node attempting the login.

    Another possibility is a service is set up to use that user's account to start and if a password has recently changed, often the password info in the service profile is not changed. Check that too.

    What AV software is running on the workstations? Make sure patterns are updated.
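
Added example (not part of any post in this thread): a Python version of the log triage suggested in posts #3 to #5, grouping failed logons by the node that sent them. The CSV layout, host names and account names are constructed for illustration and the classification rule is this example's own assumption; 529, 644 and 528 are the Windows 2000/2003 Security log event IDs for failed logon, account lockout and successful logon.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: simplified CSV export of DC Security log entries
# (time, event id, account, source node). All hosts and users are made up.
SAMPLE_EXPORT = """\
2004-06-21 08:00:05,529,jsmith,BACKUP-SRV
2004-06-21 08:30:05,529,jsmith,BACKUP-SRV
2004-06-21 09:00:05,529,jsmith,BACKUP-SRV
2004-06-21 09:00:05,644,jsmith,BACKUP-SRV
2004-06-21 09:12:40,529,administrator,WKS-0042
2004-06-21 09:12:41,529,guest,WKS-0042
2004-06-21 09:12:42,529,jsmith,WKS-0042
2004-06-21 09:12:43,529,backup,WKS-0042
2004-06-21 10:15:00,528,jsmith,WKS-0007
"""

FAILED_LOGON, LOCKED_OUT = "529", "644"

def summarize_sources(export_text):
    """Group failed logons and lockouts by the node that sent them."""
    sources = defaultdict(lambda: {"failures": 0, "accounts": set(),
                                   "lockouts": set(), "first": None, "last": None})
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 4 or row[1] not in (FAILED_LOGON, LOCKED_OUT):
            continue  # skip malformed rows, successful logons, other events
        when, event_id, account, host = row
        entry = sources[host.upper()]
        if event_id == LOCKED_OUT:
            entry["lockouts"].add(account.lower())
            continue
        stamp = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        entry["failures"] += 1
        entry["accounts"].add(account.lower())
        entry["first"] = min(entry["first"] or stamp, stamp)
        entry["last"] = max(entry["last"] or stamp, stamp)
    return dict(sources)

def classify(entry):
    """Heuristic assumed by this example, not stated by the thread's posters."""
    targets = entry["accounts"] | entry["lockouts"]
    if len(targets) > 1:
        return "many accounts from one node: check that node for a worm"
    return "one account, repeated: look for a stale saved password, service or job"

def report(export_text):
    return {host: classify(e) for host, e in summarize_sources(export_text).items()}
```

The `first` and `last` timestamps per node can be compared with the domain's lockout duration to see whether failures keep arriving after the account unlocks.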

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Make sure the user doesn't have a scheduled job like a backup or similar running in her context. If she has and she recently changed the password then the password for the job needs to be changed.

    That's the most usual way to get this type of lockout IME.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    I did give a call. Meanwhile I have one more question. With another employee, this morning when he tried to log in he got an error saying the account for your computer does not exist or your password is incorrect. Then his machine was brought down from the domain and rejoined to the domain. Now he said that he was able to log in correctly till yesterday night; today morning this problem arises. The domain admins have no idea as to why his computer was disjoined from the domain.

    Please help.

    MRG.

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    Another possibility is a service is set up to use that user's account to start and if a password has recently changed, often the password info in the service profile is not changed. Check that too.

    How do I do that? Is this by going into Administrative Tools and then checking which service?

    Thanks

    MRG.

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by mrg81
    Another possibility is a service is set up to use that user's account to start and if a password has recently changed, often the password info in the service profile is not changed. Check that too.

    How do I do that? Is this by going into Administrative Tools and then checking which service?

    Thanks

    MRG.
    In the services manager, you can look at each service to see which account is used to start the service.

    Look at the "log on as" section to see which account is used.
    If you need to edit the info, double click the service and choose the "log on" tab.

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    I did that. Every service that I clicked on said Local System account.

    MRG.
