First thing I would do is immediately change all passwords that have admin status in case someone has gained access this way and is programmatically disabling logins. If you have a network analyzer, you might be able to tell if one particular workstation or connection is transmitting a large amount of traffic (if it is brute force). Also check your GPO's for any newly added scripts. Regards, Paul DeHaan >>> emann@xxxxxxxxxxxxxxxxxxxxx 01/04/05 12:38PM >>> All 1000+ of my domain accounts are being locked out. It's like someone is trying to brute force the accounts directly, but I can't say if that's the case or not. This has been going on for about an hour. I'm not sure how I can track down from what machines these accounts are all being locked from. On my DC's I'm just seeing failed logins because of locked accounts, but not the lockout attempts logging. ******************************************************** This Weeks Sponsor SeamlessPlanet.com Domain Names Register your .com domain name for as low as $7.85 One of the lowest prices on the web! Part of The Kenzig Group. http://www.seamlessplanet.com ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm ThinWiki community - Awesome SBC Search Capabilities! http://www.thinwiki.com *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm