Domain controller issue

sycogrim08

Well-Known Member
Joined
Nov 6, 2008
Messages
321
Hey PP

This morning I came into work and I found out that every user in my office had their Windows accounts locked... now the first thing I thought was that it's a virus. I have tried 2 different Anti-Virus programs and updated Server 2003 but nothing is being found... I have tried various websites but I just do not know what is causing this...

Please may someone help me, this is urgent and I just thought I would ask u guys as my last resort.

Thanks
 

sycogrim08

Well-Known Member
Joined
Nov 6, 2008
Messages
321
Is there no one out there who knows how to possibly resolve this issue????:erm::(
 

ramar

Well-Known Member
Joined
Jul 24, 2007
Messages
291
Have you checked that the accounts are not locked on the server? First thing to check.. Otherwise need a bit more info.
 

The_Unbeliever

Honorary Master
Joined
Apr 19, 2005
Messages
103,196
somebody remoting in and locking accounts just for the fun of it?

what is in the event log?
 

sycogrim08

Well-Known Member
Joined
Nov 6, 2008
Messages
321
Have you checked that the accounts are not locked on the server? First thing to check.. Otherwise need a bit more info.

As I said the accounts lock up after around 5min if left idling... this has been going on the whole morning... I am the Admin so I have been busy with it the whole day and haven't found a solution.

somebody remoting in and locking accounts just for the fun of it?

what is in the event log?

Hey Libs I have never had this problem before on a domain controller so tbh I'm not sure what I should be looking for exactly in Event Viewer.... people are logging in and out of the domain on a constant basis during the day so it's not easy to see where the source is of the possible virus.... :wtf:
 

Amida

Expert Member
Joined
Feb 7, 2007
Messages
1,318
If you are running 2 DCs then take one offline to see if it makes a difference.
 

Amida

Expert Member
Joined
Feb 7, 2007
Messages
1,318
Otherwise create a new account and see if the same happens to a new account.

It sounds like something keeps trying to log into the accounts with the wrong password.
 

sycogrim08

Well-Known Member
Joined
Nov 6, 2008
Messages
321
If you are running 2 DCs then take one offline to see if it makes a difference.

Otherwise create a new account and see if the same happens to a new account.

It sounds like something keeps trying to log into the accounts with the wrong password.

Only running one DC and yeah, it's definitely something trying to log in with the wrong passwords.... I'm trying to track down the source as I have been doing the whole day but not getting anywhere...
 

dabouncer

Expert Member
Joined
Jan 2, 2006
Messages
1,405

Amida

Expert Member
Joined
Feb 7, 2007
Messages
1,318
Only running one DC and yeah, it's definitely something trying to log in with the wrong passwords.... I'm trying to track down the source as I have been doing the whole day but not getting anywhere...

Unplug the server from the network to see if it's on the server or one of your PCs.
 

sycogrim08

Well-Known Member
Joined
Nov 6, 2008
Messages
321
Download NetWrix Account Lockout Examiner (trial), it will show/tell you where/why an account has been locked.
http://www.netwrix.com/account_lockout_examiner.html

MS also has a basic tool called Lockout Status.

You may be infected with Conficker or a machine on your network.
Install MS update KB958644 on all machines.
Download and run the Symantec Conficker removal tool.
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Dude I owe u big time. That Account Lockout Examiner worked like a charm, I picked up 2 sources that were attacking the accounts and from which machines... Thanks a lot :D
 

ghalied

Senior Member
Joined
Jan 31, 2006
Messages
735
Had this issue last year, it was the Conficker virus that was attacking the AD database.
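
What to look for in the event log when tracing lockouts like the ones in this thread, as an added example that is not part of any post: the script groups lockout records by the machine that caused them, so a host locking out many different accounts stands out. It assumes Server 2003 records lockouts as Security event ID 644 with "Target Account Name" and "Caller Machine Name" fields, exported to text as one "Field: value" per line; the sample records, machine names and account names are constructed.

```python
from collections import defaultdict

# Constructed sample (not from the thread); field labels are the event 644 assumption.
SAMPLE = """\
Event ID: 644
Target Account Name: jsmith
Caller Machine Name: PC-ACCOUNTS-03

Event ID: 644
Target Account Name: mbotha
Caller Machine Name: pc-accounts-03

Event ID: 540
User Name: jsmith

Event ID: 644
Target Account Name: jsmith
Caller Machine Name: PC-RECEPTION

Event ID: 644
Target Account Name: tnaidoo
Caller Machine Name:
"""

def parse_records(text):
    """Split the export into records, each a dict of 'Field: value' lines."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return records

def lockout_sources(text, event_id="644"):
    """Map each caller machine to the set of accounts it locked out."""
    sources = defaultdict(set)
    for rec in parse_records(text):
        if rec.get("Event ID") == event_id:
            # An empty caller field is kept visible rather than dropped.
            machine = rec.get("Caller Machine Name", "").upper() or "(unknown)"
            sources[machine].add(rec.get("Target Account Name", "?").lower())
    return dict(sources)

def rank_sources(text):
    """Machines ordered by distinct accounts locked out, most first."""
    return sorted(lockout_sources(text).items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    for machine, accounts in rank_sources(SAMPLE):
        print(f"{machine}: {sorted(accounts)}")
```

A workstation at the top of the ranking with several distinct accounts against its name is the first machine to isolate and scan.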
 