NT 4.0 user accounts getting locked Suddenly

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hello there,

I am having similar problems to getting locks of user accounts in NT 4.

I checked event logs, says my username and it tries various password to login. Eventually account locks after 5 attempts.

In event viewer it shows username with domain being different from my domain and workstation.

It does this for couple of times and then stops. Happens again after a while.

I hope someone out there would be able to shed some light.

Cheers

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

is the domain selected from the drop down menu on he login box?

otherwise it will try log you into the local machine, which might not have your details


domain\username
machine\username

appear in the same format, so that might be worth checking, but judging by your description im guessing it might not be something that simple, yous seem to of tried the basic stuff

 

Well Its not only my account that logs, everyone on the domain gets this locks. We only have one domain. It sure looks like someone has got our SAM database and they got the usernames of accounts.

As previous post, accounts are tried many times and get locked

Something is definately not right!

 

It looks to me that someone is doing just that, trying all sorts of passwords for all the accounts.

If it was just yours, then maybe someone in the company is trying to log in as you. As it's happening to all the accounts it looks like someone is trying random passwords for the accounts.

Are there any accounts that haven't had this happen? Maybe go through all accounts and see if there is one that hasn't had a lockout.

 

Do you have auditing for successful/failed authentication attempts set up ?


<5 secs later> Dammit - this is NT4 Does it have that feature ?

 

oh sorry my bad
i didnt realise you meant somthing was locking the accounts
thought maybe you meant you had locked them because it wasnt letting you log in

indeed seems your SAM may be compromised
and yes i believe NT has auditing, worth turning it on i think

 

Thanks for replies,

ALL ACCOUNTS ARE LOCKED OUT! including mine and everybody including admin.

yes NT 4 does have audit for failed and success. you will be surprised in the list of failure you have domain name as some other domain and not our company domain and also workstation name is different none of pc in our LAN has that names!

SO this does sound spooky.

 

EVERY CLOUD HAS A SILVER LINING!

Guys have a look at this thread. It has got so many things in there and I am gonna check it tomm.

http://www.tek-tips.com/viewthread.cfm?qid=418282


If you find anything else let me know

Vi

 

Guess what!

I followed on simple thing! got adaware and checked my own PC managed to get backdoor.hackdefender virus alerted by Nortons and removed it.

Taken one step in right direction. No lockups weere happening.

Lets c what happens next week!

 

Good work Vindows and thanks for letting us know how you fixed it.