1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

NT 4.0 user accounts getting locked Suddenly

Discussion in 'Software' started by Vindows, Nov 11, 2004.

  1. Vindows

    Vindows New Member

    9
    0
    1
    Hello there,

    I am having similar problems to getting locks of user accounts in NT 4.

    I checked event logs, says my username and it tries various password to login. Eventually account locks after 5 attempts.

    In event viewer it shows username with domain being different from my domain and workstation.

    It does this for couple of times and then stops. Happens again after a while. :x

    I hope someone out there would be able to shed some light.

    Cheers

    :eek:
     
  2. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    is the domain selected from the drop down menu on he login box?

    otherwise it will try log you into the local machine, which might not have your details


    domain\username
    machine\username

    appear in the same format, so that might be worth checking, but judging by your description im guessing it might not be something that simple, yous seem to of tried the basic stuff :)
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  3. Vindows

    Vindows New Member

    9
    0
    1
    Well Its not only my account that logs, everyone on the domain gets this locks. We only have one domain. It sure looks like someone has got our SAM database and they got the usernames of accounts.

    As previous post, accounts are tried many times and get locked 8) :x

    Something is definately not right!
     
  4. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    It looks to me that someone is doing just that, trying all sorts of passwords for all the accounts.

    If it was just yours, then maybe someone in the company is trying to log in as you. As it's happening to all the accounts it looks like someone is trying random passwords for the accounts.

    Are there any accounts that haven't had this happen? Maybe go through all accounts and see if there is one that hasn't had a lockout.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  5. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    Do you have auditing for successful/failed authentication attempts set up ?


    <5 secs later> Dammit - this is NT4 :oops: Does it have that feature ?
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  6. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    oh sorry my bad
    i didnt realise you meant somthing was locking the accounts
    thought maybe you meant you had locked them because it wasnt letting you log in

    indeed seems your SAM may be compromised
    and yes i believe NT has auditing, worth turning it on i think
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  7. Vindows

    Vindows New Member

    9
    0
    1
    Thanks for replies,

    ALL ACCOUNTS ARE LOCKED OUT! including mine and everybody including admin.

    yes NT 4 does have audit for failed and success. you will be surprised in the list of failure you have domain name as some other domain and not our company domain and also workstation name is different none of pc in our LAN has that names!

    SO this does sound spooky. :p
     
  8. Vindows

    Vindows New Member

    9
    0
    1
  9. Vindows

    Vindows New Member

    9
    0
    1
    Guess what!

    I followed on simple thing! got adaware and checked my own PC managed to get backdoor.hackdefender virus alerted by Nortons and removed it.

    Taken one step in right direction. No lockups weere happening.

    Lets c what happens next week! :alc
     
  10. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Good work Vindows and thanks for letting us know how you fixed it.:thumbleft
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685

Share This Page

Loading...