Windows Account Keeps Locking Out

  • Question

  • I have a user account (windows 2003 native AD) - my account keeps locking out.  I have used Account Lockout and Management Tools to find out that there is a machine which is causing the account to lock (see below)
    Event Type:       Success Audit
    Event Source:    Security
    Event Category: Account Management
    Event ID:           644
    Date:                05/06/2011
    Time:                10:30:30
    User:                NT AUTHORITY\SYSTEM
    Computer:         WIN3KLMDC01
    Description:
    User Account Locked Out:
                Target Account Name:    steel
                Target Account ID:         swnet\steel
                Caller Machine Name:    11111111
                Caller User Name:          WIN3KLMDC01$
                Caller Domain:   SWNET
                Caller Logon ID: (0x0,0x3E7)

    In each case the caller machine name is 11111111 which resolves to 0.7.119.58.
    11111111 is inaccessible via RDP.  When pinged there is no reply & nobody seems to know what this device is used for.   I have run nbtstat -an against 11111111 & got nothing back, so no MAC address to work with.  I therefore cannot get onto this server to figure out if a service / scheduled task / drive mapping on this device has been configured with old password credentials.

    Has anyone seen this before?  Any suggestions would be appreciated.  Thanks.
    Wednesday, July 6, 2011 9:36 AM

All replies

  • My guess is, it may be caused by expiration. Attempt to RDP would not show warning, that you need to change password. Disable this user, change expiration to without limits and enable the user. 

    Regards

    Milos

    • Proposed as answer by Robert Capel Wednesday, November 14, 2012 9:46 PM
    Wednesday, July 6, 2011 9:54 AM
  • Thanks for the feedback.  This account was prompted to have the password reset last week, at which point it was promptly reset.  Only after this did the lockouts occur.  Our domain security policy will not allow any exceptions on expiration except for service accounts etc.
    Wednesday, July 6, 2011 2:24 PM
  • Using numerical digits to create the name of a computer is not a good idea. If you ping such a name, the computer takes it as an IP address. It resolves to nonsense. Pinging and resolving are useless tests.

    My suggestion is: Change the name of computer

    OR 

    give more information on the infrastructure to be able to find where the name has been created. 

    OTHERWISE

    use network monitor and follow packets.

    Wednesday, July 6, 2011 3:44 PM
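As an added illustration (not code from this thread or from Microsoft's lockout tools), the following Python script takes Event ID 644 entries in the text layout shown in the question and does two things the posters are doing by hand: it tallies which caller machine is locking out which account and which domain controller recorded each lockout, and it flags caller names made up only of digits, which is Milos' point above that a purely numeric name is read by inet_addr-style parsers as a 32-bit address instead of being resolved as a host name. The embedded sample is constructed and abbreviated to the fields the script needs; the account name jdoe, the workstation WKSTN-FINANCE03 and the DC names DC01/DC02 are made up, and only the caller name 11111111 is taken from the question.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: three Event ID 644 (User Account Locked Out) entries and
# one unrelated 642 entry that the parser must drop. Names are made up except
# the caller 11111111 from the question.
SAMPLE_LOG = """\
Event Type:       Success Audit
Event ID:           644
Date:                05/06/2011
Time:                10:30:30
Computer:         DC01
Description:
User Account Locked Out:
            Target Account Name:    jdoe
            Caller Machine Name:    11111111
            Caller User Name:          DC01$

Event Type:       Success Audit
Event ID:           644
Date:                05/06/2011
Time:                10:45:02
Computer:         DC02
Description:
User Account Locked Out:
            Target Account Name:    jdoe
            Caller Machine Name:    11111111
            Caller User Name:          DC02$

Event Type:       Success Audit
Event ID:           644
Date:                05/06/2011
Time:                11:02:17
Computer:         DC01
Description:
User Account Locked Out:
            Target Account Name:    jdoe
            Caller Machine Name:    WKSTN-FINANCE03
            Caller User Name:          DC01$

Event Type:       Success Audit
Event ID:           642
Date:                05/06/2011
Time:                11:10:00
Computer:         DC01
Description:
User Account Changed:
            Target Account Name:    jdoe
            Caller Machine Name:    ADMIN-PC
"""

# One "Label: value" line; only the labels we use from the 644 text.
FIELD_RE = re.compile(
    r"^\s*(Event ID|Date|Time|Computer|Target Account Name|"
    r"Caller Machine Name|Caller User Name):\s*(.*?)\s*$",
    re.MULTILINE,
)


def parse_lockouts(text):
    """Split exported Security-log text into entries and keep only the 644s."""
    entries = []
    for chunk in re.split(r"(?=^\s*Event Type:)", text, flags=re.MULTILINE):
        if "Event Type:" not in chunk:
            continue
        fields = dict(FIELD_RE.findall(chunk))
        if fields.get("Event ID") == "644":
            entries.append(fields)
    return entries


def callers_per_account(entries):
    """{account: {caller machine name: number of lockouts}}."""
    tally = defaultdict(Counter)
    for e in entries:
        tally[e["Target Account Name"]][e["Caller Machine Name"]] += 1
    return {acct: dict(c) for acct, c in tally.items()}


def lockouts_per_dc(entries):
    """Which DC recorded each lockout: where to start a network capture."""
    return dict(Counter(e["Computer"] for e in entries))


def numeric_name_as_ipv4(name):
    """A bare decimal name is taken as a 32-bit address, not looked up as a
    host. Return that dotted quad, or None if the name is not purely numeric
    or is too large to be an IPv4 address."""
    if not name.isdigit() or int(name) > 0xFFFFFFFF:
        return None
    n = int(name)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def suspicious_callers(entries):
    """Caller names that a plain ping would misread as an address."""
    return sorted({e["Caller Machine Name"] for e in entries
                   if numeric_name_as_ipv4(e["Caller Machine Name"]) is not None})


if __name__ == "__main__":
    lockouts = parse_lockouts(SAMPLE_LOG)
    print(callers_per_account(lockouts))
    print(lockouts_per_dc(lockouts))
    for name in suspicious_callers(lockouts):
        print(f"{name}: ping would target {numeric_name_as_ipv4(name)} rather than resolve a host")
```

Point it at a text export of the Security log from each DC: the per-DC tally shows which DC to pull captures from first, and the numeric-name flag tells you that a plain ping or nslookup of that caller name proves nothing about the device, so the MAC address has to come from the switch or a capture rather than from name resolution.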
  • I don't know your environment, but if you can change the user ID this issue will be finished. But it is better to find the root cause. So try to find this machine, then check the virus guard etc...... because the Kido (net worm) virus behaviour is also the same.

    http://sbdissanayake.blogspot.com/2011/04/how-to-remove-net-wormwin32kido.html


    Microsoft TechNet Forum Bandara
    Wednesday, July 6, 2011 4:09 PM
  • Thanks Milos - but I'd change the machine name if I could connect to it - it's not part of our AD.  I haven't heard of it before - especially a computer on such a strange IP address.  The problem is that I can't get any more info on this rogue machine & can't connect, so I can't do anything to it yet.
    Wednesday, July 6, 2011 5:02 PM
  • Hi,

    According to the following link, this issue can be caused by an attack pattern. You may refer to the following link for how to deal with it.

    http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=644&EvtSrc=Security&LCID=1033

    Regards,

    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, July 7, 2011 5:45 AM
    Moderator
  • WIN3KLMDC01 is the targeted domain controller? Do you have a second DC? If you have a second DC, in this case you can connect to the second DC via RDP and change the lockout policy on the WIN3KLMDC01 (yes, if you have specified a different port instead of 3389). Or you can block RDP on the WIN3KLMDC01 from the second DC, change the FW settings for a specified IP to be allowed to access the WIN3KLMDC01 via RDP, and enable RDP. If the rogue computer is on the local network, then you have the MAC addresses of computers, and if you have a list of MAC addresses you can identify the rogue computer. Or you can filter this MAC address on the switch. If the rogue computer is outside the local network, then you should change the settings on the FW (allow RDP for the specified IP address of your computer).

    ... otherwise you should do the forensics locally.

    Regards

    Milos



    Thursday, July 7, 2011 5:06 PM
  • Hi,

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,

    Arthur Li

    Forum Support
    Thursday, July 14, 2011 2:15 AM
    Moderator
  • Hi Arthur_Li, 

    Thanks for your input, but I'm afraid what you have told me doesn't really help our situation.  We were already aware that the responsible device which was causing the lockouts had the unusual Caller Machine Name.  Microsoft's lockout tool or event comber only tell me that this is the device causing the issue, but not by which means, i.e. scheduled task, drive mapping, etc.  I appreciate the link you provided, but it isn't exactly specific enough for me.  Are there any further MS tools I can use to prove that this is an attacker?

    Thanks

    Tuesday, July 26, 2011 10:30 PM
  • I am not sure I am reading the post right, but you have a machine called 111111 that is logging into the network which you don't control?  I would find that box physically in your company, unplug it and bring it into the IT area.  There could be a service or program that was using that person's credentials, and since they changed the password, the service is retrying and relocking the account.  If you can't locate the physical machine, I would turn off your wireless network asap.

    Just going by what I read...

    On the surface of what you have provided, sounds like someone is in the parking lot trying to piggyback into your network, please correct me if I am wrong on what I have read so far.

    -- :P Advice offered, If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.
    Wednesday, July 27, 2011 12:01 AM
  • Thanks Jason, if I could find the machine (111111) that is causing this issue the first thing I would have done is disconnect it as it has been causing us a severe headache.  The major problem we are having is actually trying to locate it in the first place.  We have asked our network guys to help identify where it is, but no joy. 

    I have been revisiting lockoutstatus.exe & eventcombMT.exe to identify which DC is locking out the account in the first place, then from there checking against network monitor for the corresponding activity to any potential rogue machine.  This is like looking for a needle in a haystack.

    Wednesday, July 27, 2011 3:59 PM
  • I would start looking around the area of the person whose account is getting locked; if someone is using this in an evil way, they must have some familiarity with the person or his machine.  I would also have the networking team trace back how they are getting in, looking at which switch, and then what area that switch serves.
    Wednesday, July 27, 2011 6:12 PM
  • I have realized that when pinging in a slightly different way there is no misleading translation: ping "1111111"  (Unfortunately, the ping is effective only if the target machine has ping response enabled.) IMHO the only way to find the rogue machine is by blocking traffic on the active network devices, namely switches and routers. It is a very tedious task.

    Tuesday, August 2, 2011 11:22 AM