
| Subject: | RE: Account lockout - analysis help |
|---|---|
| Date: | Thu, 18 Jan 2007 20:41:47 -0500 |

1) Make sure you have auditing turned on in policy for the DC
2) Look for 675 events associated with the account.

Regardless of what's causing the lockouts you should be able to track down the system responsible from the failed Kerberos events.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Miguel Sarri
Sent: Thursday, January 18, 2007 10:56 AM
To: gary@aspectcapital.com
Cc: security-basics@securityfocus.com
Subject: Re: Account lockout - analysis help

Take a look at services; specifically, you could search for services running as a user account (with expired password?). I had the same problem and it was a service that was running with an old password. Also you could take a look at the computer account in your DC, and look at the logon logs. Did you check it with another user in that box? Did you check that user in another box?

Regards.

gary@aspectcapital.com wrote:

Hi, I have a user who keeps getting his account locked out, but I cannot work out why. I use the alockout tools to get me the following
Wed Jan 17 08:40:00 2007, PID: 1872, Thread: 2284, Image xcopy,ALOCKOUT.DLL
- DLL_PROCESS_ATTACH
Wed Jan 17 08:40:12 2007, PID: 1872, Thread: 2284, Image xcopy,ALOCKOUT.DLL
- dll_process_detatch
Wed Jan 17 09:50:29 2007, PID: 3216, Thread: 2920, Image
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:50:29 2007, PID: 3216, Thread: 2920, Image
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:52:19 2007, PID: 2648, Thread: 3160, Image
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:52:20 2007, PID: 2648, Thread: 3160, Image
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:32 2007, PID: 2040, Thread: 1388, Image
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:33 2007, PID: 2040, Thread: 1388, Image
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:57 2007, PID: 2264, Thread: 2060, Image
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:58 2007, PID: 2264, Thread: 2060, Image
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:54:15 2007, PID: 656, Thread: 3368, Image
taskmgr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:54:41 2007, PID: 656, Thread: 3368, Image
taskmgr.exe,ALOCKOUT.DLL - dll_process_detatch.
Looking on my DCs I have the following entries
Service Ticket Request Failed:
User Name: shallensleben
User Domain: ASPECTCAPITAL.COM
Service Name: exchangeMDB/VEGA2
Ticket Options: 0x40800000
Failure Code: 0x12
Client Address: 172.16.x.x
Authentication Ticket Request Failed:
User Name: shallensleben
Supplied Realm Name: ASPECTCAPITAL.COM
Service Name: krbtgt/ASPECTCAPITAL.COM
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 172.16.x.x
I have also checked for the obvious mapped network drives, runas, saving
credentials etc. all of which are absent.
This is the only user in the domain that gets locked out. He does switch
between our wireless and network environment, which I believe should not
contribute to the problem?
Does anyone have any ideas?
Thanks in advance,
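The triage the replies describe, as an added example that is not part of the original thread: it parses pasted Kerberos failure event text in the "Field: value" layout shown in the post and tallies failures per client address. Failure code 0x18 (KDC_ERR_PREAUTH_FAILED) marks the wrong-password attempts that cause a lockout, while 0x12 (KDC_ERR_CLIENT_REVOKED), the code in the entries quoted above, is returned once the account is already locked out, disabled or expired. The user, realm, addresses and the `Pre-authentication failed` sample text are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Kerberos failure codes that matter for lockout triage (RFC 4120 names).
KRB_ERRORS = {0x12: "KDC_ERR_CLIENT_REVOKED",  # locked out, disabled or expired
              0x18: "KDC_ERR_PREAUTH_FAILED"}  # wrong password supplied

HEADER = re.compile(r"^(Pre-authentication failed|Authentication Ticket Request"
                    r" Failed|Service Ticket Request Failed):$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")

def parse_events(text):
    """Turn pasted event descriptions into one dict per failure event."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        head, field = HEADER.match(line), FIELD.match(line)
        if head:
            events.append({"Event": head.group(1)})
        elif field and events:
            events[-1][field.group(1)] = field.group(2)
    return events

def lockout_sources(events, user):
    """Tally failures for `user` by (Kerberos error, client address)."""
    tally = Counter()
    for ev in events:
        if ev.get("User Name", "").lower() != user.lower():
            continue
        code = int(ev.get("Failure Code", "0x0"), 16)
        name = KRB_ERRORS.get(code, hex(code))
        tally[(name, ev.get("Client Address", "?"))] += 1
    return tally

def bad_password_hosts(tally):
    """Addresses that sent wrong passwords, busiest first: the lockout cause."""
    hits = [(a, n) for (e, a), n in tally.items() if e == KRB_ERRORS[0x18]]
    return sorted(hits, key=lambda x: -x[1])

# Constructed sample (user, realm and addresses are made up).
PREAUTH = ("Pre-authentication failed:\n User Name: jdoe\n Service Name: "
           "krbtgt/EXAMPLE.COM\n Failure Code: 0x18\n Client Address: {}\n")
REVOKED = ("Authentication Ticket Request Failed:\n User Name: jdoe\n"
           " Service Name: krbtgt/EXAMPLE.COM\n Ticket Options: 0x40810010\n"
           " Failure Code: 0x12\n Client Address: {}\n")
SAMPLE = (PREAUTH.format("192.0.2.44") * 3 + PREAUTH.format("192.0.2.10")
          + REVOKED.format("192.0.2.10") * 2)

if __name__ == "__main__":
    for (name, addr), n in lockout_sources(parse_events(SAMPLE), "jdoe").most_common():
        print(f"{n:3d}  {name:24s} {addr}")
```

An address that shows only 0x12 failures is a client retrying against an account that is already locked; the address with the most 0x18 failures before the lockout time is the one to inspect for stale service or saved credentials.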