Many Domain Accounts have been locked out at the same time



Robert
07-09-2005, 11:49 PM
Dear all,

It's really an urgent problem.
Every day, many domain accounts have been locked out for an unknown reason.
There are almost 500 users in the domain. All the accounts were named as
*X***, e.g. my account is ax5uy, the other is bx8tt, cxtjs, etc.
For now, just all the accounts like BX*** were locked out.
I don't know why, and I've executed a full scan on the server, no virus found.
What else should I do?
Thanks for your kind help.

--
Nothing is easy,
Everything is possible.

Catamount
07-09-2005, 11:49 PM
What type of network are you running? Win2k3, Win2k, NT, Novell?
How are your clients set up?
What are the password policies you use?
What have you changed since it worked before that?




Robert wrote:
> Dear all,
>
> It's really an urgent problem.
> Every day, many domain accounts have been locked out for an unknown reason.
> There are almost 500 users in the domain. All the accounts were named as
> *X***, e.g. my account is ax5uy, the other is bx8tt, cxtjs, etc.
> For now, just all the accounts like BX*** were locked out.
> I don't know why, and I've executed a full scan on the server, no virus found.
> What else should I do?
> Thanks for your kind help.
>

David H. Lipman
07-09-2005, 11:49 PM
From: "Robert" <R_L99@hotmail.com>

| Dear all,
|
| It's really an urgent problem.
| Every day, many domain accounts have been locked out for an unknown reason.
| There are almost 500 users in the domain. All the accounts were named as
| *X***, e.g. my account is ax5uy, the other is bx8tt, cxtjs, etc.
| For now, just all the accounts like BX*** were locked out.
| I don't know why, and I've executed a full scan on the server, no virus found.
| What else should I do?
| Thanks for your kind help.
|
| --
| Nothing is easy,
| Everything is possible.

You need to look at the Event Log and to examine the network for Internet worm activity.
Perform packet analysis at the server and possibly isolate LANs in search of an infected
platform that is infected and searching for unsecured shares. While the worm searches for
unsecured shares it could be locking out accounts. This could be anything from the Bugbear
to an SDBot worm. You may want to disallow notebooks as they may be the culprit and perform
an "On Demand" scan on them until you know they are clean, then allow them on the LAN once they
are known to be clean.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
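
Added example, not part of the original thread: one way to act on the advice to check the Event Log is to group account-lockout events by the machine that caused them and flag any machine that locked out many different accounts within a few minutes. It assumes the Security log has been exported to CSV with the hypothetical columns shown; the host names and rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Account-lockout event IDs: 644 (Windows 2000/2003), 4740 (Server 2008 and later).
LOCKOUT_IDS = {"644", "4740"}

# Constructed sample export (hypothetical column layout and host names).
SAMPLE_CSV = """time,event_id,target_account,caller_machine
2005-07-09 09:00:05,644,bx8tt,NB-0417
2005-07-09 09:00:09,644,bx2kq,NB-0417
2005-07-09 09:00:14,644,bx5mm,NB-0417
2005-07-09 09:00:21,644,bx9ra,NB-0417
2005-07-09 09:01:02,644,bxtjs,NB-0417
2005-07-09 10:12:40,644,ax5uy,WS-0032
2005-07-09 10:15:00,642,cx1ab,WS-0099
2005-07-09 14:30:11,644,cxtjs,WS-0032
"""

def suspect_sources(csv_text, window=timedelta(minutes=5), min_accounts=4):
    """Return {caller_machine: sorted accounts} for machines that locked out
    at least `min_accounts` distinct accounts inside one sliding `window`."""
    by_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"].strip() not in LOCKOUT_IDS:
            continue  # ignore other account-management events
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        by_host[row["caller_machine"].strip().upper()].append(
            (when, row["target_account"].strip().lower()))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged[host] = sorted(best)
    return flagged

if __name__ == "__main__":
    for host, accounts in suspect_sources(SAMPLE_CSV).items():
        print(f"{host}: {len(accounts)} accounts locked within 5 min: {accounts}")
```

A single machine that locks out a run of similarly named accounts in quick succession is the one to pull off the LAN and scan first; isolated lockouts hours apart from an ordinary workstation are more likely mistyped passwords.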

