Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
Hi, the company I work for is running a 2000 server, all the client workstations have Windows XP. For some odd reason the server keeps locking out our user accounts. I put a log on the accounts, and i dont find anything strange. Can you please help?
"Put a log on the accounts"
Do you mean you enabled auditing? are you auditing logon failures and successes both? You should.
There should be an event in the security log saying the account was locked out and why.
Make sure no user accounts are being used for any service. Review your services properties.
0 
yes, i am auditing both successfull and failed logins. In the security log, for one of the accounts there is at least 3 logs made for that user in the same second. Example, at 2:39:40 there is 2 different logs for my user trying to log in but the account is locked out. Do you think this can be a virus trying to access the accounts?
0
wouldn't be a virus but a hacker who has control over a pc/pcs and is now trying to hack the server.
I would set a new password you assign on all user accounts and then configure to change at next logon. Tell everyone the password you assigned so they can get to the change password screen. Do not send this password via email to them.
Can you post one of the logon errors?
0
Time 9:25
Event ID 539Description:
Logon Failure:
Reason: Account is Locked Our
User Name: Dawn
Domain: xxxxx.com
logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VanessaThis is an example of one of the logon errors
0
but even if i changed all the passwords, wouldnt the accounts still get locked out if theyre trying to access the server?
0
Can you find a logon failure before the lockout error? It should contain something like this:
Logon Failure:
Reason: Unknown user name or bad password
User Name: user nameThe recommendation of changing user passwords is a standard first step if you suspect your network is being hacked. You should also change the administrator password [noting any services you may be running under the admin account - you would need to change the password in those services so they don't fail due to passwd mismatch].
How are you connected to the internet?
Everyone including the server have access?
Are there any logon failures after work hours?
Or are they all during work hours?
0
ok, I came into work this morning and looked at the security log, it goes untill 8am this morning. the first log says:
logon failure:
reason : unkown user name or bad password
Username: ASPNET
Domain: DVDSYSTEMI find this to be a little awkward, what is ASPNET? and DVD System? As of right now, yes the server does have access. I had turned it off for awhile, then turned it back on because my boss uses a MAC and they use a remote desktop to access a specific program that is on the server.
As for access to the internet, we are a very small company and everyone has access to the internet.
0  |
 |
 |
| Login or Register to Reply | |
| Login | Register |
| Ads by Google |
