Security Basics mailing list archives

Re: Account lockout - analysis help


From: Miguel Sarri <msarri () gmail com>
Date: Thu, 18 Jan 2007 12:55:31 -0300

Take a look at services, specifically you could search for services running as a user account (with an expired password?).

I had the same problem and it was a service that was running with an old password.

Also, you could take a look at the computer account in your DC, and look at the logon logs.

Did you check it with another user in that box?
Did you check that user in another box?

Regards.


gary () aspectcapital com wrote:
Hi,

I have a user who keeps getting his account locked out, but I cannot work out why. I use the alockout tools to get me the following:

Wed Jan 17 08:40:00 2007, PID:  1872, Thread:  2284, Image xcopy,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 08:40:12 2007, PID:  1872, Thread:  2284, Image xcopy,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:50:29 2007, PID:  3216, Thread:  2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:50:29 2007, PID:  3216, Thread:  2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:52:19 2007, PID:  2648, Thread:  3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:52:20 2007, PID:  2648, Thread:  3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:32 2007, PID:  2040, Thread:  1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:33 2007, PID:  2040, Thread:  1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:57 2007, PID:  2264, Thread:  2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:58 2007, PID:  2264, Thread:  2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:54:15 2007, PID:   656, Thread:  3368, Image taskmgr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:54:41 2007, PID:   656, Thread:  3368, Image taskmgr.exe,ALOCKOUT.DLL - dll_process_detatch.

Looking on my DCs I have the following entries:
Service Ticket Request Failed:
        User Name:      shallensleben
        User Domain:    ASPECTCAPITAL.COM
        Service Name:   exchangeMDB/VEGA2
        Ticket Options: 0x40800000
        Failure Code:   0x12
        Client Address: 172.16.x.x

Authentication Ticket Request Failed:
        User Name:      shallensleben
        Supplied Realm Name:    ASPECTCAPITAL.COM
        Service Name:   krbtgt/ASPECTCAPITAL.COM
        Ticket Options: 0x40810010
        Failure Code:   0x12
        Client Address: 172.16.x.x

I have also checked for the obvious mapped network drives, runas, saving credentials etc. all of which are absent.

This is the only user in the domain that gets locked out. He does switch between our wireless and network environment, which I believe should not contribute to the problem?

Does anyone have any ideas?

Thanks in advance,
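
As an added example (not part of the original posts): a Python script that parses DC Kerberos failure entries laid out like the ones quoted above and separates failure code 0x18 (pre-authentication failed, normally a wrong password) from 0x12 (credentials revoked, which the KDC returns once an account is already disabled, expired or locked out), so the hosts sending bad passwords stand out from the rejections that follow the lockout. The sample entries, the user jdoe, the host MAIL1, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Kerberos error codes (RFC 4120) that matter when triaging a lockout.
KRB_ERRORS = {0x12: "KDC_ERR_CLIENT_REVOKED",  # disabled, expired or locked out
              0x17: "KDC_ERR_KEY_EXPIRED",     # password has expired
              0x18: "KDC_ERR_PREAUTH_FAILED"}  # usually a wrong password

# Constructed sample (not from the thread) in the layout of the DC entries.
SAMPLE = """\
Pre-authentication failed:
        User Name:      jdoe
        Failure Code:   0x18
        Client Address: 192.0.2.25

Pre-authentication failed:
        User Name:      JDoe
        Failure Code:   0x18
        Client Address: 192.0.2.25

Service Ticket Request Failed:
        User Name:      jdoe
        Service Name:   exchangeMDB/MAIL1
        Failure Code:   0x12
        Client Address: 192.0.2.10
"""

def parse_events(text):
    """Split blank-line separated entries into dicts of 'Field: value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        header, *fields = block.strip().splitlines()
        ev = {"Type": header.strip().rstrip(":")}
        for line in fields:
            key, _, value = line.partition(":")
            ev[key.strip()] = value.strip()
        ev["code"] = int(ev["Failure Code"], 16)
        events.append(ev)
    return events

def triage(events):
    """Per user, count failures by error name and client address."""
    report = defaultdict(lambda: defaultdict(Counter))
    for ev in events:
        name = KRB_ERRORS.get(ev["code"], hex(ev["code"]))
        report[ev["User Name"].lower()][name][ev["Client Address"]] += 1
    return report

def lockout_sources(events):
    """Hosts that sent wrong passwords (the cause); 0x12 entries are the effect."""
    return {u: r["KDC_ERR_PREAUTH_FAILED"].most_common() for u, r in triage(events).items()}
```

Only Kerberos failures are covered here; bad-password attempts made over NTLM are logged under different events and need a separate pass.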


