General discussion


User account lockout issue

By MCSE75 ·
I'm having a serious problem with user accounts being locked out faster than I can unlock them within a Windows 2003 Active Directory Domain.

The login attempts are coming from machines and ip addresses that are not part of my network and I have no idea how they are attempting to log in because the network is private and behind a firewall that is showing no traffic from the IP address listed in the event logs

This is copied directy from the event log on the Domain controller.

The user account is a valid Domain account for one of my users, but the workstation name is not, nor is the IP address.

This occurs 2 or 3 times per day where a foreign system attempts to log in to almost all of the domain accounts repeatedly with an incorrect password. This action locks them out.

I have searched and scanned with rootkit discovery tools, antivirus and trojan dectection tools and so far I have come up empty.

Any help is greatly appreciated

Logon Failure:
Reason: Unknown user name or bad password
User Name: tsrigley
Domain: 78GWAC9
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: 78GWAC9
Caller User Name: -
Caller Domain: -
Caller Logon I -
Caller Process I -
Transited Services: -
Source Network Address:
Source Port: 0

For more information, see Help and Support Center at

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by ctrservices In reply to User account lockout issu ...

Why not lock the IP address out of your firewall? And while you're at it, you could contact the system administrator and ask him/her to find out and stop whoever is doing this (, 1-877-866-6515).

Collapse -

by MCSE75 In reply to

I've tried doing that, but the IP constantly changes, its a different IP and location each time it happens.
That's why I believe its some type of DOS or trojan.

The part I don't understand is that the server it is authenticating to has no internet facing services, or even a routable IP address. This outside system seems to be directly authenticating to a server with a 192.168.XXX.XXX ip address and it has no access to the internet, you cannot even view the internet from this machine.

Collapse -

by NZ_Justice In reply to User account lockout issu ...

you could try this. Reserve the IP address of all your users machines in DHCP that way they will always have the same IP address when the log on.

Collapse -

by HAL 9000 Moderator In reply to User account lockout issu ...

This wouldn't be through a wireless hub would it?

If that is the case your system is under attack and eventually who ever is responsible will manage to break in and do what ever it is that they are wanting to do.

I would at the very least attempt to make it harder for them by changing to WEP protocols and locking the system down as hard as possible while still allowing the valid end users access.

Just one other thing here if you do not have any known wireless access points go through your building with a Wireless scanner looking for one or more I've found several Wireless hubs mounted in suspended ceilings by workers who thought they knew better than the Sys Admin and wanted free Internet access. You should be able to pick up a cheap Wireless scanner for about $20 US around the place they are small fit on a key ring and only have 4 LEDs that will turn solid when their is a wireless access point near by they are also directional so you should be able to track down any rouge wireless hubs easily.

The ones that I use are called WIFI Seeker try


Collapse -

by zaferus In reply to User account lockout issu ...

Do you have any offices or network ports that this person could be accessing?

Maybe log into your switch and turn off any ports not in use, or even better have a close watch on these ports or use a monitoring program to E-mail you if one of them "lights up". Then get security down there right away.

It looks like you have a very serious security problem on your hands, you may want to contact the FBI if you are in the USA.

Related Discussions

Related Forums