This tells youi on what DC account is locked. But not much useful otherwise. EventCombMT from the Account Locktools is scanning for Event ID 529 in security log, which is what happens when someone has a bad password attempt. So far I've got 1 machine with 10k hits. And another one with an increasing number. Only one machine is still on network. But this looks like my culprit so far. ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Kenzig Kenzig.com Sent: Tuesday, January 04, 2005 12:57 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: OT: HELP! All domain accounts getting locked out! Not sure why but there is a resource kit utility called Lockout status that may help you out a bit. It is in the Windows 2003 resource kit but works on 2000. http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4 ae7-96ee-b18c4790cffd&displaylang=en JK Evan Mann <wrote: All 1000+ of my domain accounts are being locked out. It's like someone is trying to brute force the accounts directly, but I can't say if that's the case or not. This has been going on for about an hour. I'm not sure how I can track down from what machines these accounts are all being locked from. On my DC's I'm just seeing failed logins because of locked accounts, but not the lockout attempts logging.