Security Basics mailing list archives

Re : Account lockout - analysis help


From: abdelhakim aliane <hakim_al () yahoo fr>
Date: Thu, 18 Jan 2007 09:16:58 +0000 (GMT)

Hi,
Sorry, there are too many details; I usually don't use the tools like this.
My approach:
Tools:
1st) LockoutStatus.exe will search and indicate the guilty account and match it to the domain controller responsible for locking the account.
2nd) With eventcombMT.exe (Menu>Searches>Built In Searches>Account Lockouts), select the DC indicated in the 1st step and run the search; you will get a security log (DC-Name-Security_LOG.txt) describing the real problem. You must analyse all the fields (the row of the locked account in the log). Example: Service Name, Pre-Auth, Failure Code, Client Address and Callers, etc.

Good Luck.
Aliane

----- Original message ----
From: "gary () aspectcapital com" <gary () aspectcapital com>
To: security-basics () securityfocus com
Sent: Wednesday, 17 January 2007, 12:37:21
Subject: Account lockout - analysis help


Hi,

I have a user who keeps getting his account locked out, but I cannot work out why. I use the alockout tools to get me the following:

Wed Jan 17 08:40:00 2007, PID:  1872, Thread:  2284, Image xcopy,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 08:40:12 2007, PID:  1872, Thread:  2284, Image xcopy,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:50:29 2007, PID:  3216, Thread:  2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:50:29 2007, PID:  3216, Thread:  2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:52:19 2007, PID:  2648, Thread:  3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:52:20 2007, PID:  2648, Thread:  3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:32 2007, PID:  2040, Thread:  1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:33 2007, PID:  2040, Thread:  1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:57 2007, PID:  2264, Thread:  2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:58 2007, PID:  2264, Thread:  2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:54:15 2007, PID:   656, Thread:  3368, Image taskmgr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:54:41 2007, PID:   656, Thread:  3368, Image taskmgr.exe,ALOCKOUT.DLL - dll_process_detatch.

Looking on my DCs I have the following entries:

Service Ticket Request Failed:
    User Name:    shallensleben
    User Domain:    ASPECTCAPITAL.COM
    Service Name:    exchangeMDB/VEGA2
    Ticket Options:    0x40800000
    Failure Code:    0x12
    Client Address:    172.16.x.x

Authentication Ticket Request Failed:
    User Name:    shallensleben
    Supplied Realm Name:    ASPECTCAPITAL.COM
    Service Name:    krbtgt/ASPECTCAPITAL.COM
    Ticket Options:    0x40810010
    Failure Code:    0x12
    Client Address:    172.16.x.x

I have also checked for the obvious mapped network drives, runas, saving credentials etc., all of which are absent.

This is the only user in the domain that gets locked out. He does switch between our wireless and network environment, which I believe should not contribute to the problem?

Does anyone have any ideas?

Thanks in advance,
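
Added example, not part of either message in this thread: a Python sketch of the field analysis described in the reply, grouping one user's Kerberos failures by Client Address and Failure Code. In RFC 4120, 0x12 is KDC_ERR_CLIENT_REVOKED (returned once the account is already locked out, disabled or expired) and 0x18 is KDC_ERR_PREAUTH_FAILED (a wrong password), so the 0x18 rows point at the machine causing the lockout. The sample events, the user jdoe, the realm EXAMPLE.COM and the addresses are constructed, and the parser assumes the indented "Field: value" layout shown in the post.

```python
import re
from collections import Counter

# Kerberos failure codes (RFC 4120) that matter when triaging a lockout.
KRB_ERRORS = {
    0x12: "KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out",
    0x18: "KDC_ERR_PREAUTH_FAILED: wrong password supplied",
}

# Constructed sample (placeholder user, realm and addresses), same layout as the post.
SAMPLE = """\
Pre-authentication failed:
    User Name:    jdoe
    Service Name:    krbtgt/EXAMPLE.COM
    Failure Code:    0x18
    Client Address:    192.0.2.45

Pre-authentication failed:
    User Name:    jdoe
    Service Name:    krbtgt/EXAMPLE.COM
    Failure Code:    0x18
    Client Address:    192.0.2.45

Authentication Ticket Request Failed:
    User Name:    jdoe
    Service Name:    krbtgt/EXAMPLE.COM
    Failure Code:    0x12
    Client Address:    192.0.2.10
"""

def parse_events(text):
    """Split the text into events: an unindented header plus indented 'Field: value' lines."""
    events = []
    for line in text.splitlines():
        field = re.match(r"\s+([^:]+):\s*(.*)", line)
        if field and events:
            events[-1][field.group(1).strip()] = field.group(2).strip()
        elif line.strip().endswith(":"):
            events.append({"Event": line.strip().rstrip(":")})
    return events

def failures_by_source(events, user):
    """Count one user's failures per (client address, failure code), most frequent first."""
    counts = Counter()
    for ev in events:
        if ev.get("User Name", "").lower() == user.lower() and "Failure Code" in ev:
            counts[(ev.get("Client Address"), int(ev["Failure Code"], 16))] += 1
    return [(addr, code, KRB_ERRORS.get(code, "other failure"), n)
            for (addr, code), n in counts.most_common()]
```
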


        

        
                