Security Basics mailing list archives
Account lockout - analysis help
From: gary () aspectcapital com
Date: 17 Jan 2007 11:37:21 -0000
Hi,
I have a user who keeps getting his account locked out, but I cannot work out why. I use the alockout tools to get me the following:
Wed Jan 17 08:40:00 2007, PID: 1872, Thread: 2284, Image xcopy,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 08:40:12 2007, PID: 1872, Thread: 2284, Image xcopy,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:50:29 2007, PID: 3216, Thread: 2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:50:29 2007, PID: 3216, Thread: 2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:52:19 2007, PID: 2648, Thread: 3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:52:20 2007, PID: 2648, Thread: 3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:32 2007, PID: 2040, Thread: 1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:33 2007, PID: 2040, Thread: 1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:57 2007, PID: 2264, Thread: 2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:58 2007, PID: 2264, Thread: 2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:54:15 2007, PID: 656, Thread: 3368, Image taskmgr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:54:41 2007, PID: 656, Thread: 3368, Image taskmgr.exe,ALOCKOUT.DLL - dll_process_detatch.
Looking on my DCs, I have the following entries:
Service Ticket Request Failed:
User Name: shallensleben
User Domain: ASPECTCAPITAL.COM
Service Name: exchangeMDB/VEGA2
Ticket Options: 0x40800000
Failure Code: 0x12
Client Address: 172.16.x.x
Authentication Ticket Request Failed:
User Name: shallensleben
Supplied Realm Name: ASPECTCAPITAL.COM
Service Name: krbtgt/ASPECTCAPITAL.COM
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 172.16.x.x
I have also checked for the obvious mapped network drives, runas, saving credentials etc., all of which are absent.
This is the only user in the domain that gets locked out. He does switch between our wireless and network environment,
which I believe should not contribute to the problem?
Does anyone have any ideas?
Thanks in advance,
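
Added example, not part of the original post: Python that parses log lines in the ALOCKOUT.DLL format quoted above, pairs each attach with the matching detach per PID and image, and reports process lifetimes so that repeated short-lived launches stand out. The sample lines are copied from the post with the e-mail wrapping rejoined; the function names and the `max_secs`/`min_runs` thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the post, with the e-mail line wrapping rejoined.
SAMPLE = r"""
Wed Jan 17 08:40:00 2007, PID: 1872, Thread: 2284, Image xcopy,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 08:40:12 2007, PID: 1872, Thread: 2284, Image xcopy,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:50:29 2007, PID: 3216, Thread: 2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:50:29 2007, PID: 3216, Thread: 2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:52:19 2007, PID: 2648, Thread: 3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:52:20 2007, PID: 2648, Thread: 3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:32 2007, PID: 2040, Thread: 1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:33 2007, PID: 2040, Thread: 1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:57 2007, PID: 2264, Thread: 2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:58 2007, PID: 2264, Thread: 2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:54:15 2007, PID: 656, Thread: 3368, Image taskmgr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:54:41 2007, PID: 656, Thread: 3368, Image taskmgr.exe,ALOCKOUT.DLL - dll_process_detatch.
"""

LINE = re.compile(
    r"(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}), PID: (?P<pid>\d+), Thread: \d+, "
    r"Image (?P<image>.+?),ALOCKOUT\.DLL - (?P<event>\w+)", re.I)

def sessions(text):
    """Pair each ATTACH with the next detach for the same (PID, image)."""
    started, done = {}, []
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        key, event = (int(m["pid"]), m["image"]), m["event"].upper()
        if event == "DLL_PROCESS_ATTACH":
            started[key] = ts
        elif event.startswith("DLL_PROCESS_DET") and key in started:
            done.append((m["image"], int((ts - started.pop(key)).total_seconds())))
    return done

def lifetimes(text):
    """Map each image to the list of its process lifetimes in seconds."""
    out = defaultdict(list)
    for image, secs in sessions(text):
        out[image].append(secs)
    return dict(out)

def repeated_short(text, max_secs=2, min_runs=3):  # thresholds are assumptions
    """Images with at least min_runs sessions that lasted max_secs or less."""
    return sorted(i for i, s in lifetimes(text).items()
                  if sum(x <= max_secs for x in s) >= min_runs)
```

The timestamps of the flagged sessions can then be compared against the times of the failed ticket requests on the domain controllers.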
