I know WHICH users are constantly getting locked out because of bad password attempts, and they're only coming from their machine (using the old out-of-date MS account lockout tool and others to find this out). I don't know what the source of these on the computers in question is. It happens even when their computer is just sitting there doing nothing (they may have programs open, but there's no remote desktop to them or live person sitting at the workstation).
It seems to send one to the DC about every 15 to 30 minutes, but varies by user. I reset the lockout number to 20 so that they wouldn't be locked out all the time, but I'd like to find a solution for real.
No scheduled tasks are running at all; they unmapped all drives and remapped them. Even when those were in place, it seems odd that it would cause that many attempts in one hour anyway.
All machines are Windows 7 with latest updates and ran virus, malware, spyware scanners with nothing found.
We have a hosted Exchange account with Rackspace, so not connected to the DC (unless I'm missing something here).
Definitely not an office prankster either? – Mokubai – 2012-10-11T18:38:37.423
I would wipe each machine one by one. This is the ONLY way to make sure every machine on the network is clean. An even better solution would be to wipe every machine at once. If it happens again after a wipe then the server is compromised. – Ramhound – 2012-10-11T18:42:41.850
> it seems odd that it would cause that many attempts in one hour

Could be a mobile phone with an old password checking email every 15 minutes. Do the bad password attempts happen when the user's computer is switched off?
– sgmoore – 2012-10-11T19:12:24.173