Accounts being locked out

June 25, 2009 at 14:25:07
Specs: Windows2000 Server
Hi, the company I work for is running a 2000 server, all the client workstations have Windows XP. For some odd reason the server keeps locking out our user accounts. I put a log on the accounts, and i dont find anything strange. Can you please help?

See More: Accounts being locked out

Report •

June 25, 2009 at 14:46:03
"Put a log on the accounts"

Do you mean you enabled auditing? are you auditing logon failures and successes both? You should.

There should be an event in the security log saying the account was locked out and why.

Make sure no user accounts are being used for any service. Review your services properties.

Report •

June 25, 2009 at 14:56:13
yes, i am auditing both successfull and failed logins. In the security log, for one of the accounts there is at least 3 logs made for that user in the same second. Example, at 2:39:40 there is 2 different logs for my user trying to log in but the account is locked out. Do you think this can be a virus trying to access the accounts?

Report •

June 26, 2009 at 08:26:42
wouldn't be a virus but a hacker who has control over a pc/pcs and is now trying to hack the server.

I would set a new password you assign on all user accounts and then configure to change at next logon. Tell everyone the password you assigned so they can get to the change password screen. Do not send this password via email to them.

Can you post one of the logon errors?

Report •

Related Solutions

June 26, 2009 at 09:45:38
Time 9:25
Event ID 539

Logon Failure:
Reason: Account is Locked Our
User Name: Dawn
logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: Vanessa

This is an example of one of the logon errors

Report •

June 26, 2009 at 09:52:33
but even if i changed all the passwords, wouldnt the accounts still get locked out if theyre trying to access the server?

Report •

June 26, 2009 at 15:56:45
Can you find a logon failure before the lockout error? It should contain something like this:

Logon Failure:
Reason: Unknown user name or bad password
User Name: user name

The recommendation of changing user passwords is a standard first step if you suspect your network is being hacked. You should also change the administrator password [noting any services you may be running under the admin account - you would need to change the password in those services so they don't fail due to passwd mismatch].

How are you connected to the internet?
Everyone including the server have access?
Are there any logon failures after work hours?
Or are they all during work hours?

Report •

June 29, 2009 at 09:14:52
ok, I came into work this morning and looked at the security log, it goes untill 8am this morning. the first log says:
logon failure:
reason : unkown user name or bad password
Username: ASPNET

I find this to be a little awkward, what is ASPNET? and DVD System? As of right now, yes the server does have access. I had turned it off for awhile, then turned it back on because my boss uses a MAC and they use a remote desktop to access a specific program that is on the server.

As for access to the internet, we are a very small company and everyone has access to the internet.

Report •

Ask Question