Account lock-outs on AD.

[Felix]

Is there any services using their credentials with old passwords?

IE they have updated their password but not amended this on any service that run on PCs or servers.

 

[Bleek]

Is there any services using their credentials with old passwords?

IE they have updated their password but not amended this on any service that run on PCs or servers.

We think we may have found the culprit, all the machines in question have Acrobat updater running in the background so we've had service desk disable it as they find it. Fingers crossed it's that simple!

 

[s0ck]

Was there credentials stored in it? :s

 

[Bleek]

Was there credentials stored in it? :s

Don't know but one would assume so if it's causing account lock-outs!

 

[Lanz]

Conficker normally locks out random accounts.

If its the same 10 people all the time, chances are these people have their old password or something cached or saved somewhere that is automatically trying to login and then locking them out. Check their mail clients or mobiles/iphones etc.

 

[Terrier_Jimlad]

One of our developers found a vbs script that helped find hostnames of computers were account lockouts were occuring. It scanned all DC's for a certain string in the events and gave you the details ... only downside was, it has to be run at Enterprise Admin level

I'll have a look in the morning when I get in and try send it across

 

[Felix]

If you do find it I would appreciate a copy!

 

[Bleek]

Yeah a copy of that script would be very handy!

 

[ecksmen]

Guys, if you read the post the account lock out tools have already been linked.

EventcombeMT - use this, it'll take a while but it'll tell you where/what/who/when caused the locks....

 

[Bleek]

Doesn't work for me, it says there are 0 errors/account locks in the logs of all the DCs.