All users locked out

[John Renkar]

We are having a problem where all our user accounts are getting locked out
at the same time. Any suggestions as to what to check?

[Marcin]

John,
how many users does this apply to? Do the lockouts take place at exactly the
same time? Does this happen in regular intervals? What are your password
policy settings?
Take a look at http://technet.microsoft.com/en-us/l.../cc773155.aspx and
http://technet.microsoft.com/en-us/l.../cc738772.aspx - these might help
you in search for clues...

hth
Marcin

"John Renkar" <jrenkar@sprynet.com> wrote in message
news:%23Cw0KFEcJHA.1676@TK2MSFTNGP03.phx.gbl...
> We are having a problem where all our user accounts are getting locked out
> at the same time. Any suggestions as to what to check?
>

[Tomasz Onyszko]

John Renkar wrote:
> We are having a problem where all our user accounts are getting locked out
> at the same time. Any suggestions as to what to check?

Strange - might be some error in software or some malicious action. You
can try to start with account lockout toolkit as a tool to diagnose this:
http://www.microsoft.com/downloads/d...displaylang=en


--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)

[Marcin]

John,
how many users does this apply to? Do the lockouts take place at exactly the
same time? Does this happen in regular intervals? What are your password
policy settings?
Take a look at http://technet.microsoft.com/en-us/l.../cc773155.aspx and
http://technet.microsoft.com/en-us/l.../cc738772.aspx - these might help
you in search for clues...

hth
Marcin
"John Renkar" <jrenkar@sprynet.com> wrote in message
news:%23Cw0KFEcJHA.1676@TK2MSFTNGP03.phx.gbl...
> We are having a problem where all our user accounts are getting locked out
> at the same time. Any suggestions as to what to check?
>

[Babu VT]

Hi,
This is a malware attack for which even Symantec doesn't have
solution.Recently our client network was compromised in a similar
fashion.The account gets locked even during nights when ppl don't use
it.Currently we are using a script which will read all locked accounts and
unlock it.The script is run every 2mins as a scheduled task.
Symantec and other vendors have/are publishing definition files for the
virus, but do not yet have a removal tool for it. The symptom of the virus
is accounts being locked within the domain.

http://www.symantec.com/security_res...408-99&tabid=1

http://www.microsoft.com/security/po...%2fConficker.B

Microsoft have confirmed that other customers have experienced similar
spread today.

"John Renkar" <jrenkar@sprynet.com> wrote in message
news:%23Cw0KFEcJHA.1676@TK2MSFTNGP03.phx.gbl...
> We are having a problem where all our user accounts are getting locked out
> at the same time. Any suggestions as to what to check?
>

[Paul Bergson]

Sounds like an attack on your network. If you want to try and see what is
going on you can look at some account lockout toll sto assist.

To help try and track down where the account is getting locked out use
eventcombMT.exe from the Account Lockout tools found out Microsoft's
website. Use the built in search AccountLockouts and search in the created
text files for the user in question.

http://www.microsoft.com/downloads/d...displaylang=en


You can also set the debug flag on NetLogon to track authentication. "This
creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts."
http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
"John Renkar" <jrenkar@sprynet.com> wrote in message
news:%23Cw0KFEcJHA.1676@TK2MSFTNGP03.phx.gbl...
> We are having a problem where all our user accounts are getting locked out
> at the same time. Any suggestions as to what to check?
>