| Author |
 Topic  |
|
|
timcunnell
Here To Stay
284 Posts
Status: offline |
 Posted - 01/09/2012 : 12:22:11 PM
|
Hi guys
I wonder if anyone might be able to help me out with a problem I am experiencing with our domain.
For a few weeks now we've had problems with user accounts continually being locked out. I am running failure auditing for security events and keep seeing a lot of 675 and 680 error events.
I've had to change our Group Policy settings to automatically unlock locked accounts after 5 minutes, but this isn't ideal!
The events seem to suggest that login failures are occuring on one particular domain controller, but looking at the server I can't detect what the issue might be. The server is Windows 2008 R2 Standard SP1. It is fully up to date with all Microsoft patches and antivirus etc.
Any advice or help with this would really be appreciated!
|
|
|
cj_berlin
Honorable But Hopeless Addict
Germany
3964 Posts
Status: offline |
Posted - 01/09/2012 : 1:24:09 PM
|
| Echange and smartphones with wrong saved creds trying to access ActiveSync? |
Evgenij Smirnov
|
 |
|
|
timcunnell
Here To Stay
284 Posts
Status: offline |
Posted - 01/09/2012 : 1:48:19 PM
|
Hi CJ. Thanks for your message. Sorry though, I have realised that there is extra info that I should really have mentioned!
This domain has around 200 users divided between six OU's, and the issue is affecting ALL user accounts. It seems that one OU at a time is affected, and accounts lockout in alphabetic order. We have some system accounts which never get used and even these are locking out so I am convinced it's something automated.
To be honest I was suspecting this was a virus but at the moment the bad login attempts are all coming from this one DC, and I have AVG up to date and scanned today. Also scanned using MSRT and loaded on all available Windows updates.
So that's about it! A fairly major issue, and I am totally stumped!! |
|
|
|
JSCLMEDAVE
Administrator
USA
6116 Posts
Status: online |
Posted - 01/09/2012 : 1:55:00 PM
|
| You have some 3rd party tool checking user account complexity that could be performing a brute attack internally? I mistakenly did that with eEye one time... |
Tim-
“This too shall pass" |
|
|
|
timcunnell
Here To Stay
284 Posts
Status: offline |
Posted - 01/09/2012 : 1:59:31 PM
|
To be honest I think you're right! But I'm not sure how I can find out where it's coming from? The only non-standard tool that I use is ADHelpdesk Lite for iPhone, but I think that is trustworthy?
Like I said earlier, all these bad password attempt events are originating from the same DC, and looking at that today it looks pretty clean! |
|
|
|
Xenophane
Honorable But Hopeless Addict
Denmark
3070 Posts
Status: online |
|
|
timcunnell
Here To Stay
284 Posts
Status: offline |
Posted - 01/10/2012 : 04:05:16 AM
|
I don't know if this helps at all, but the 680 events I am seeing all display:
"Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" |
|
|
| |
Topic |
|
User Accounts keep being locked-out!
