[THIN] Re: OT: HELP! All domain accounts getting locked out!
- From: "Evan Mann" <emann@xxxxxxxxxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Tue, 4 Jan 2005 13:37:40 -0500
This tells youi on what DC account is locked. But not much useful
otherwise.
EventCombMT from the Account Locktools is scanning for Event ID 529 in
security log, which is what happens when someone has a bad password
attempt. So far I've got 1 machine with 10k hits. And another one with
an increasing number. Only one machine is still on network. But this
looks like my culprit so far.
________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Kenzig Kenzig.com
Sent: Tuesday, January 04, 2005 12:57 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: HELP! All domain accounts getting locked out!
Not sure why but there is a resource kit utility called Lockout status
that may help you out a bit. It is in the Windows 2003 resource kit but
works on 2000.
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4
ae7-96ee-b18c4790cffd&displaylang=en
JK
Evan Mann <wrote:
All 1000+ of my domain accounts are being locked out. It's like
someone is trying to brute force the accounts directly, but I can't say
if that's the case or not. This has been going on for about an hour.
I'm not sure how I can track down from what machines these accounts are
all being locked from. On my DC's I'm just seeing failed logins because
of locked accounts, but not the lockout attempts logging.
Other related posts:
