| Tags: account, active directory, alockout dll, netwrix |
|
#1
| Active Directory Account lockout
Dear All, We are facing an issue with account lockouts in the infrastructure. Many Active Directory user accounts in the infrastructure are getting locked without any invalid attempt. Users are not logged into the PC, but the account is locked out. It is happening for the users from a particular OU and some users from different OUs as well. We have tried using alockout.dll but got nothing from the client machine. We tried some more tools like Netwrix, but nothing is helping. This problem started suddenly. Any help will be highly appreciated. |
|
#2
| Re: Active Directory Account lockout
Did you enable auditing on the DCs? Can you enable auditing and look at each DC's security event log to see where and when the lockout happens? |
|
#3
| Re: Active Directory Account lockout
You don't look at the local event log; you have to look at the domain controllers' event log. Is the account logged into more than one machine, or is it running a service on the same machine? A user could have mapped drives to a resource from one machine; on a different machine he changes his password, and then the first machine attempts to stay mapped to a drive, the password is no longer correct, and eventually the user gets locked out. Or, after a password is changed, a service is running that attempts to authenticate with an old password. To help try and track down where the account is getting locked out, use eventcombMT.exe from the Account Lockout tools found on Microsoft's website. Use the built-in search AccountLockouts and search in the created text files for the user in question. http://www.microsoft.com/downloads/d...displaylang=en You can also set the debug flag on NetLogon to track authentication. "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts." http://support.microsoft.com/kb/189541 http://support.microsoft.com/kb/109626 |
|
#4
| Re: Active Directory Account lockout
This is a malware attack for which even Symantec doesn't have a solution. Recently our client network was compromised in a similar fashion. The account gets locked even during nights when people don't use it. Currently we are using a script which will read all locked accounts and unlock them. The script is run every 2 minutes as a scheduled task. Symantec and other vendors have published or are publishing definition files for the virus, but do not yet have a removal tool for it. The symptom of the virus is accounts being locked within the domain. http://www.symantec.com/security_res...408-99&tabid=1 http://www.microsoft.com/security/po...%2fConficker.B Microsoft have confirmed that other customers have experienced similar spread today. |
|
#5
| Re: Active Directory Account lockout
Thanks a lot for the reply. We have got the Malware attack in our network for which we have taken necessary steps and the problem is resolved. Your support is highly appreciated. |
|
#6
| Re: Active Directory Account lockout
Eset (antivirus) has updated its definition file for the same virus. In such a scenario you need to check whether there is any machine without AV in your network, as such a virus makes AV-less machines its spreading point. So you need to have all network devices running AV with an updated pattern file. Watch event ID 675 on the DC and check which machine it is firing from; that machine is infected with the password-guessing virus. How it works: one machine gets infected and the virus tries to spread to all machines, but it sits on a non-AV machine, as an AV machine alerts with a virus notification and gets cleaned. Then the virus tries from the non-AV machine to contact AD and then starts password guessing, which starts the account lock issue. |
|
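Posts #3 and #6 both come down to reading event ID 675 on the domain controllers and finding which client address the bad-password attempts come from. The sketch below is an added example, not code posted by anyone in this thread: the one-line log format is constructed (it carries a subset of the 675 field labels), and the function names and the three-account threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: one line per event, using a subset of the field labels
# from the description of event ID 675 (Kerberos pre-authentication failed).
SAMPLE_LOG = """\
2009-01-12 02:10:01 DC01 675 User Name: asmith Failure Code: 0x18 Client Address: 10.1.4.23
2009-01-12 02:10:02 DC01 675 User Name: bjones Failure Code: 0x18 Client Address: 10.1.4.23
2009-01-12 02:10:02 DC01 675 User Name: cwu Failure Code: 0x18 Client Address: 10.1.4.23
2009-01-12 02:10:03 DC02 675 User Name: dlee Failure Code: 0x18 Client Address: 10.1.4.23
2009-01-12 09:15:40 DC01 675 User Name: epark Failure Code: 0x18 Client Address: 10.1.7.8
2009-01-12 09:16:10 DC01 675 User Name: epark Failure Code: 0x18 Client Address: 10.1.7.8
2009-01-12 09:16:40 DC02 675 User Name: epark Failure Code: 0x18 Client Address: 10.1.7.8
2009-01-12 09:20:00 DC01 675 User Name: fkhan Failure Code: 0x25 Client Address: 10.1.9.9
2009-01-12 09:21:00 DC01 672 User Name: fkhan Client Address: 10.1.9.9
"""

LINE_RE = re.compile(
    r"^\S+ \S+ \S+ 675 .*?User Name: (?P<user>\S+)"
    r".*?Failure Code: (?P<code>0x[0-9A-Fa-f]+).*?Client Address: (?P<client>\S+)"
)
BAD_PASSWORD = 0x18  # KDC_ERR_PREAUTH_FAILED: wrong password supplied

def parse_675(text):
    """Return (user, client) pairs for bad-password 675 events only."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group("code"), 16) == BAD_PASSWORD:
            pairs.append((m.group("user").lower(), m.group("client")))
    return pairs

def rank_sources(pairs, many_accounts=3):
    """Group failures by client address and label the pattern per source."""
    by_client = defaultdict(list)
    for user, client in pairs:
        by_client[client].append(user)
    report = []
    for client, users in by_client.items():
        distinct = sorted(set(users))
        # Many accounts from one host fits the password guessing in post #6;
        # one account failing repeatedly fits the stale credential in post #3.
        kind = "many-accounts" if len(distinct) >= many_accounts else "few-accounts"
        report.append({"client": client, "failures": len(users),
                       "accounts": distinct, "pattern": kind})
    return sorted(report, key=lambda r: (-len(r["accounts"]), -r["failures"]))

if __name__ == "__main__":
    print(*rank_sources(parse_675(SAMPLE_LOG)), sep="\n")
```

Feed it the 675 events collected from every DC, not just one, since failed attempts are logged on whichever DC handled the request.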
#7
| Re: Active Directory Account lockout
You mentioned Netwrix – we use this tool, and it’s been pretty helpful. Doesn’t work all the time though, but in several situations this worked really well. As for your symptoms, it looks pretty much like a Conficker worm attack, and I suggest reading more about Conficker/Downadup and applying the patches and tools suggested by others |