Security Basics mailing list archives
Re : Account lockout - analysis help
From: abdelhakim aliane <hakim_al () yahoo fr>
Date: Thu, 18 Jan 2007 09:16:58 +0000 (GMT)
Hi, Sorry there's too many details, I usually don't use the tools like this. My approch : Tools : 1st) LockoutStatus.exe will search and indicate the guilty account and match to the domain controller responsible of locking the account. 2nd) With eventcombMT.exe (Menu>Searches>Built In Searches>Account Lockouts), select the indicated DC in 1st step and run the search, you will get a security log (DC-Name-Security_LOG.txt) discribing the real problem. You must analyse all the fileds (the raw of the locked account in the log) Example : Service Name, Pre-Auth, Failure Code, Client Address and Callers, etc. Good Luck. Aliane ----- Message d'origine ---- De : "gary () aspectcapital com" <gary () aspectcapital com> À : security-basics () securityfocus com Envoyé le : Mercredi, 17 Janvier 2007, 12h37mn 21s Objet : Account lockout - analysis help Hi, I Have a user who keeps getting his account locked out, but I cannot work out why. I use the alockout tools, to get me the following Wed Jan 17 08:40:00 2007, PID: 1872, Thread: 2284, Image xcopy,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 08:40:12 2007, PID: 1872, Thread: 2284, Image xcopy,ALOCKOUT.DLL - dll_process_detatch Wed Jan 17 09:50:29 2007, PID: 3216, Thread: 2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 09:50:29 2007, PID: 3216, Thread: 2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch Wed Jan 17 09:52:19 2007, PID: 2648, Thread: 3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 09:52:20 2007, PID: 2648, Thread: 3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch Wed Jan 17 09:53:32 2007, PID: 2040, Thread: 1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 09:53:33 2007, PID: 2040, Thread: 1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch Wed Jan 17 09:53:57 2007, PID: 2264, Thread: 2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 09:53:58 2007, PID: 2264, Thread: 2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch Wed Jan 17 09:54:15 2007, PID: 656, Thread: 3368, Image taskmgr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 09:54:41 2007, PID: 656, Thread: 3368, Image taskmgr.exe,ALOCKOUT.DLL - dll_process_detatch. Looking on my dc's I hae the following entries Service Ticket Request Failed: User Name: shallensleben User Domain: ASPECTCAPITAL.COM Service Name: exchangeMDB/VEGA2 Ticket Options: 0x40800000 Failure Code: 0x12 Client Address: 172.16.x.x Authentication Ticket Request Failed: User Name: shallensleben Supplied Realm Name: ASPECTCAPITAL.COM Service Name: krbtgt/ASPECTCAPITAL.COM Ticket Options: 0x40810010 Failure Code: 0x12 Client Address: 172.16.x.x I have also checked for the obvious mapped netowrk drives, runas, saving credentials etc. all of which are absent. This is the only user in the domain that gets locked out. He does switch between out wireless and network environment, which I believe should not contribute to the problem? Does anyone have any ideas? Thanks in advance, ___________________________________________________________________________ Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! Profitez des connaissances, des opinions et des expériences des internautes sur Yahoo! Questions/Réponses http://fr.answers.yahoo.com
Current thread:
- Re : Account lockout - analysis help abdelhakim aliane (Jan 18)