
puzzling windows account lock-out

seepy83

Platinum Member
This morning, one of our users' Windows accounts was locked out, so I checked the security logs and I saw his Event ID 539s (Logon failure. The account was locked out at the time the logon attempt was made.), but there was no Event ID 529 (Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.) prior to his account being locked out. In fact, there were absolutely no types of logon failures prior to his account showing as locked out. The other 2 IT guys here agreed to just unlock the account, even though we weren't sure why it was locked out to begin with.

So, this afternoon at about 3:00pm the user tried to log on again, and his account is locked out again. The user says they did not attempt to log on with a bad password, and the server event logs don't show any signs that anyone was trying to log on with that account.

Anyone have some suggestions on how to find out what's going on here?

Edit: P.S. this is a Windows 2003 server.
 
Is the user logged on anywhere else (terminal server, another machine, etc)? Are there any services running as that user? etc, etc

Account lockouts are a waste of time IMO. Most people set them to a ridiculously low value, and it becomes a really easy DoS attack. If you have an IDS on the network, you'll be able to tell very easily if someone is banging on passwords, without having to subject your users and admins to account lockouts.
 
No, the user is not logged on anywhere else and there are no services running as that username.

Account Lockouts are required as a part of our HIPAA policy. They have to occur after 3 false passwords...it's just something that is forced on us.

By the way, the user was locked out again this morning. Anyone have any other suggestions?

 
Originally posted by: seepy83
Haha... I suppose it was worth asking. Yes, it's turned on - I can see other users' logon failures.

Ok, next dumb question? Did you just look for event 529 or all events 529-537?

 
Account Lockouts are required as a part of our HIPAA policy. They have to occur after 3 false passwords...it's just something that is forced on us
Yeah I know, doesn't mean it's a good policy 🙂 It mainly exists to keep auditors and consultants employed. The same people that say to disable things like the DFS service on domain controllers, because they claim it is not a required service.

You might want to try some of the account lockout tools, if you haven't already: http://technet2.microsoft.com/WindowsSe...0d-b5bc-cb14c7ff69cd1033.mspx?mfr=true You can usually save a lot of time instead of digging through logs on n number of domain controllers.
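Following the two suggestions above (check the whole 529-537 range rather than just 529, and look at every domain controller rather than the one that logged the 539s), here is an added example, not code from the thread, that correlates Security-log exports from several DCs for one user and shows where the failures that preceded the lockout actually landed. The DC names, workstation names, users and timestamps are constructed; a real export would need its columns mapped onto this tuple layout.

```python
from collections import Counter, defaultdict

# Event IDs named in the thread (Windows 2003 Security log):
# 529-537 is the logon-failure family, 539 is "account locked out at the
# time the logon attempt was made".
LOGON_FAILURE_IDS = set(range(529, 538))
LOCKED_OUT_ID = 539

# Constructed sample export: (domain_controller, timestamp, event_id,
# user, source_workstation). Timestamps are ISO strings so they sort as text.
SAMPLE_EVENTS = [
    ("DC1", "2007-03-05 07:58:10", 539, "jsmith", "WS042"),
    ("DC1", "2007-03-05 07:58:12", 539, "jsmith", "WS042"),
    ("DC2", "2007-03-05 07:55:01", 535, "jsmith", "WS042"),     # in 529-537, not 529
    ("DC2", "2007-03-05 07:55:04", 529, "jsmith", "PRINTSRV"),  # stale credential?
    ("DC2", "2007-03-05 07:55:06", 529, "jsmith", "PRINTSRV"),
    ("DC2", "2007-03-05 07:55:08", 529, "jsmith", "PRINTSRV"),
    ("DC1", "2007-03-05 08:01:00", 529, "bjones", "WS017"),     # other user, ignored
]


def lockout_report(events, user):
    """Correlate one user's events across all DCs.

    Returns which DCs logged a 539 for the user, the earliest 539 time,
    every 529-537 failure for the user on any DC logged before that time
    (grouped by DC), and a count of those failures per source machine.
    """
    mine = sorted((e for e in events if e[3] == user), key=lambda e: e[1])
    lockouts = [e for e in mine if e[2] == LOCKED_OUT_ID]
    first_lock = lockouts[0][1] if lockouts else None
    failures = [e for e in mine
                if e[2] in LOGON_FAILURE_IDS
                and (first_lock is None or e[1] < first_lock)]
    by_dc = defaultdict(list)
    for e in failures:
        by_dc[e[0]].append(e)
    return {
        "locked_on": sorted({e[0] for e in lockouts}),
        "first_lockout": first_lock,
        "failures_by_dc": dict(by_dc),
        "sources": Counter(e[4] for e in failures),
    }


if __name__ == "__main__":
    report = lockout_report(SAMPLE_EVENTS, "jsmith")
    print("539 logged on:", report["locked_on"], "at", report["first_lockout"])
    for dc, evs in report["failures_by_dc"].items():
        print(f"{dc}: {len(evs)} failure(s) before lockout")
    print("likely source:", report["sources"].most_common(1))
```

In the constructed data the DC that logged the 539s (DC1) has no preceding failures at all, which is exactly the picture described in the first post; the failures sit on DC2 and mostly come from one machine.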
 