Many Many Millions Thanks.
will print out your suggestion and go through them.
Hope it works!
Regards and great appreciation. !
Merrick
>-----Original Message-----
>First off make sure that you have a properly configured
firewall protecting
>your network that by default blocks all access except
those inbound ports
>you allow -if any. You can go to a site like
http://scan.sygatetech.com/ to
>do a quick self scan for vulnerabilities in particualr
looking for access to
>netbios/fps ports 135/137/138/139/445.
>
>Be sure to not set your account lockout threshold too
low. MS recommends a
>minimum of ten as at times a single event can register
multiple bad logon
>attempts to the operating system, though I doubt that is
the problem here.
>You will also want to enable auditing of account logon
events in the Domain
>Controller Security Policy and logon events for failure
in the Domain
>Security Policy which will enable auditing on all of your
domain machines
>being sure to increase the size of the log to at least
10mb on the domain
>controllers. Then next time it happens start looking in
the security logs in
>Event Viewer of first domain controllers and then other
servers to see what
>accounts and what machines are causing the failed logons
and any other
>pertinent info in the event. You can use Event Comb -
free from MS to scan
>multiple computer security logs for specific events to
make the job easier.
>Don't rule out infected machines on your network that are
trying to access
>administrator accounts on other domain machines with a
short dictionary
>attack. Also certain network scanning software including
Microsoft Baseline
>Security Analyzer can cause account lockouts by testing
for weak/blank
>passwords.
>
>More advanced steps to tracking down the problem may
involve installing the
>alockout.dll on a computer to see what process is causing
lockouts by
>corellating events in the log it generates to failed
logon attempts in the
>security log, though read the warning about installing it
on servers. Also
>enabling netlogon logging and looking in the netlogon log
as described in
>the link below can track down account lockouts to a
particular computer by
>tracing backwords from the pdc fsmo domain controller as
the log will show
>failed logons in the [logon] column right after the date
and time. When you
>scan netlogon logs you want to look for the lines with
[logon] in them after
>the time. In a W2K domain with all W2K/XP Pro computers
those lines will
>almost certainly be related to logon failures as ntlm
will be tried after
>kerberos fails. The line below is an example of how you
can use the netlogon
>log to trace on the pdc fsmo domain controller where a
logon failure
>occured. My example shows that a user named King on
computer named Lap2-XP
>attempted to logon to a share on computer Desk1-XP and
the attempt failed as
>per "Returns 0xC0000064" . Good luck. --- Steve
>
>" 05/14 17:19:20 [LOGON] SamLogon: Transitive Network
logon of LAP2-XP\king
>from LAP2-XP (via DESK1-XP) Returns 0xC0000064 "
>
>http://www.microsoft.com/technet/prodtechnol/windowsserver
2003/technologies/security/bpactlck.mspx
>
>"Merrick"
wrote in
message
>news:defe01c43be9$b10e9c40$a601280a@phx.gbl...
>> Need Help!
>> I am running windows 2000 server and my users account
>> gets locked out a few times in a day. Even administrator
>> password is not spared. Usually the same group of users
>> are locked out and followed by the rest. I have tried to
>> figure out what went wrong but to no avail. I have
>> patched all my software and it seems not to resolve the
>> problems. I hope some can help how I can resolve this
>> problem or what kind of information i need to provide
>> inroder to get some help. Would greatly appreciate as I
>> am getting sleepless night over this! Please help !!
>> regards
>> Merrick
>
>
>.
>