How can I find the source of Windows 7 Domain Users sending bad password attempts to 2008r2 server?


Solution 1

I'm not sure whether it will work with Server 2008, but Microsoft have some tools for Server 2003 to track this sort of behaviour.

They are called Account Lockout Tools and you can download them from http://www.microsoft.com/en-us/download/details.aspx?id=18465 or read up on them at http://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx

One of the tools will scan the eventlog on your domain controller looking for audit failures and will report the name of the device which initiates the request.
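As an added example (not part of this answer or of Microsoft's lockout tools), the same idea can be done ad hoc in PowerShell against a 2008 R2 domain controller: read the Security log, keep the wrong-password failures for one account, and group them by the machine that sent them. The DC name and account below are placeholders; the caller is assumed to be in the Event Log Readers group with remote event log access allowed.

```powershell
# Added example, not from the original answer. Event IDs used:
# 4740 = account locked out (caller computer name), 4771 = Kerberos pre-auth failed
# (client IP), 4776 = NTLM credential validation (source workstation).
function Get-BadPasswordSources {
    param(
        [Parameter(Mandatory=$true)][string]$DomainController,
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [int]$Hours = 24
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4740, 4771, 4776
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Pull the EventData fields out of the event XML by name
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Each event type records the originating machine in a different field
            $source = switch ($_.Id) {
                4740 { $data['TargetDomainName'] }                   # rendered as 'Caller Computer Name'
                4771 { $data['IpAddress'] -replace '^::ffff:', '' }  # strip IPv4-mapped prefix
                4776 { $data['Workstation'] }
            }

            # Keep lockouts plus wrong-password failures only (Kerberos 0x18, NTLM 0xC000006A);
            # string -eq is case-insensitive, so the hex casing in the log does not matter
            $badPassword = ($_.Id -eq 4740) -or
                           ($_.Id -eq 4771 -and $data['Status'] -eq '0x18') -or
                           ($_.Id -eq 4776 -and $data['Status'] -eq '0xc000006a')

            if ($badPassword -and $data['TargetUserName'] -eq $SamAccountName) {
                New-Object PSObject -Property @{ Time = $_.TimeCreated; EventId = $_.Id; Source = $source }
            }
        } |
        Group-Object Source |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group | ForEach-Object { $_.Time } | Measure-Object -Maximum).Maximum } }
}

# Placeholder DC and account names; replace with your own
Get-BadPasswordSources -DomainController 'DC01' -SamAccountName 'jdoe' -Hours 24
```

The Time column of the ungrouped objects is also useful on its own: a failure every 15 to 30 minutes from a single source points at a polling client rather than an interactive logon.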

Solution 2

  1. Check the event log on an affected user's machine, you might get lucky and find failed attempts there.
  2. Get a user to volunteer, and run Process Monitor on their machine until the problem repros. http://technet.microsoft.com/en-us/sysinternals/bb896645 (Turn on logging to disk, get the file from them, etc.)
  3. You might interview a few users and see if there's some program that they all run, maybe one that remembers their password or something. Did they all change their password recently?
  4. It may be necessary to resort to running Netmon (there might be newer versions out there, don't know) on one of their machines and examining the network traffic to determine which process is sending the logon attempt.

Solution 3

These articles explain how to track account lockout.

Hope these help.

http://teachnovice.com/527/account-lockout-on-windows-2003-2008-dc

http://teachnovice.com/894/user-account-lockout-everyday-windows-7-windows-2008-r2

Author: Matt

Updated on September 18, 2022

Comments

  • Matt
    Matt over 1 year

    I know WHICH users are constantly getting locked out because of bad password attempts, and they're only coming from their machine (using the old out of date ms account lockout tool and others to find this out). I don't know what the source of these on the computers in question is. It happens even when their computer is just sitting there doing nothing. (they may have programs open, but there's no remote desktop to them or live person sitting at the workstation)

    It seems to send one to the DC about every 15 to 30 minutes, but varies by user. I reset the lockout number to 20 so that they wouldn't be locked out all the time, but I'd like to find a solution for real.

    No scheduled tasks are running at all, they unmapped all drives and remapped them. Even when those were in place, it seems odd that it would cause that many attempts in one hour anyway.

    All machines are Windows 7 with latest updates and ran virus, malware, spyware scanners with nothing found.

    We have a hosted exchange account with Rackspace, so not connected to the DC. (unless I'm missing something here)

    • Mokubai
      Mokubai over 11 years
      Definitely not an office prankster either?
    • Ramhound
      Ramhound over 11 years
      I would wipe each machine one by one. This is the ONLY way to make sure every machine on the network is clean. An even better solution would be to wipe every machine at once. If it happens again after a wipe then the server is compromised.
    • sgmoore
      sgmoore over 11 years
      > it seems odd that it would cause that many attempts in one hour. Could be a mobile phone with an old password checking email every 15 minutes. Do the bad password attempts happen when the user's computer is switched off?
  • Matt
    Matt over 11 years
    We confirmed that when the user changes their password on the domain to the same as the one on hosted exchange, then the bad password attempts stop happening.