ALE does not show source address of locked account


5 replies to this topic

#1 sborise (Newbie, Members, 4 posts)

Posted 07 October 2013 - 04:21 PM

One of my service accounts (domain admin account) gets locked/unlocked once every hour after so many attempts to authenticate with incorrect password. I believe that all logging policies are enabled correctly, but for some reason I cannot find the source address from where the authentication attempts arrive. ALE shows the source as this:
from ::1
Reason: Account Locked out
Logon Type: Network
Process name: -

Any suggestions are appreciated.
Thanks.
sb

#2 Seth Bartlett (Member, Administrators, 15 posts)

Posted 07 October 2013 - 04:39 PM

Could you check whether Account Logon auditing is on? Also, could you check all the services on the Netwrix server and see if this account is used by one of the services, or even by Task Scheduler. The From is ::1, meaning localhost for IPv6.

#3 sborise (Newbie, Members, 4 posts)

Posted 07 October 2013 - 04:55 PM

Account Logon auditing is on (on the front page of ALE it shows the Audit Status as Enabled).
The Netwrix server does not have IPv6 (it is a W2003 box), and there are no services or scheduled tasks running under this account on the Netwrix server.
Basically, we changed the group policy to require a password to be 8 characters long. The old password for this account was 7 characters. After the GP was changed, this account was accidentally deleted. Instead of restoring the account we manually recreated it, visited each server where this account runs services, entered the new password and restarted the services. Evidently there is one more place where something is running under this account with the old password. I used a utility from PDQ Inventory that can find all services on the network running under this account, so I know the problem is not with a service. Most likely it is a scheduled task or a mapped drive, but it is driving me nuts not being able to find it.
Thanks.
sb
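
The sweep described in the post above (services first, then scheduled tasks) can be scripted rather than done host by host. The following is an added example, not code from the thread or from Netwrix or PDQ: it walks a list of servers and reports every Windows service and every scheduled task whose logon account matches the sAMAccountName you give it. The account name and server list are placeholders; it assumes an admin workstation that can reach the servers over RPC/WMI and the remote Task Scheduler service.

```powershell
# Added example, not from the original thread: sweep a list of servers for
# Windows services and scheduled tasks configured to run as a given account.
# Assumptions: admin workstation with RPC/WMI access to the servers and
# schtasks.exe available; $Account and $Servers are placeholders.
$Account = 'CONTOSO\svc_example'            # placeholder service account (DOMAIN\sam)
$Servers = 'srv01', 'srv02', 'srv03'        # placeholder server list
$sam     = $Account.Split('\')[-1]          # match on the sAMAccountName part only,
                                            # so DOMAIN\svc and svc@domain both hit

$hits = foreach ($s in $Servers) {
    # Services: Win32_Service.StartName holds the logon account. WMI works
    # against Windows Server 2003 too, which has no WinRM of its own.
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $s -ErrorAction Stop |
            Where-Object { $_.StartName -like "*$sam*" } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server = $s; Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName
                }
            }
    } catch {
        Write-Warning "WMI query failed on $s : $_"
    }

    # Scheduled tasks: schtasks /V prints a 'Run As User' column. With /FO CSV
    # the header line can be repeated per task folder, so drop those rows.
    $csv = & schtasks.exe /Query /S $s /V /FO CSV 2>$null
    if ($LASTEXITCODE -eq 0 -and $csv) {
        $csv | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -like "*$sam*" } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server = $s; Kind = 'Task'; Name = $_.TaskName; RunAs = $_.'Run As User'
                }
            }
    } else {
        Write-Warning "schtasks query failed on $s"
    }
}

$hits | Sort-Object Server, Kind, Name | Format-Table Server, Kind, Name, RunAs -AutoSize
```

Matching on the bare sAMAccountName catches both the DOMAIN\name and name@domain spellings of the logon account. Anything this does not find (IIS application pool identities, COM+ applications, mapped drives, saved credentials) needs a separate check.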

#5 Seth Bartlett (Member, Administrators, 15 posts)

Posted 07 October 2013 - 05:07 PM

Account Logon auditing would need to be on for your servers as well. You would most likely want to set up a group policy for this temporarily. This is most likely the reason you are just getting ::1 instead of a server name.
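
Once auditing is enabled on the member servers, the same trail ALE follows can be walked by hand from the Security logs. The following is an added example, not code from the thread or from Netwrix. It reads the 4740 lockout events from the PDC emulator (which records every lockout in the domain together with the "Caller Computer Name" field) and then pulls the matching 4625 failed-logon events from each caller, so the originating IP address, workstation name, logon type and process become visible. The account name is a placeholder; it assumes Windows Server 2008 or later targets (Get-WinEvent cannot read a Windows 2003 host's log remotely) and that "Audit logon events" is enabled on the callers.

```powershell
# Added example, not from the original thread: trace an account lockout from the
# PDC emulator's 4740 events to the 4625 failed logons on the calling servers.
# Assumptions: Server 2008+ event logs on the targets, Logon auditing enabled on
# the callers, rights to read remote Security logs; $Account is a placeholder.
$Account = 'svc_example'                    # sAMAccountName, placeholder
$Since   = (Get-Date).AddHours(-24)

# PDC emulator, located without the ActiveDirectory module
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

# Turn an event's XML <EventData> into a name -> value hashtable
function ConvertTo-EventDataHash($Event) {
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
                LogName = 'Security'; Id = 4740; StartTime = $Since } |
    ForEach-Object {
        $d = ConvertTo-EventDataHash $_
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            User   = $d['TargetUserName']
            Caller = $d['TargetDomainName']   # 4740 stores "Caller Computer Name" here
        }
    } | Where-Object { $_.User -eq $Account }

$lockouts | Format-Table Time, User, Caller -AutoSize

foreach ($caller in ($lockouts | ForEach-Object { $_.Caller } | Sort-Object -Unique)) {
    # An empty caller, or a caller that is a DC, means the 4740 does not name the
    # real client; the DC's own 4776 (NTLM: Workstation) and 4771 (Kerberos
    # pre-auth failure: Client Address) events do. Otherwise read the caller's 4625s.
    if (-not $caller) { continue }
    Get-WinEvent -ComputerName $caller -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataHash $_
            if ($d['TargetUserName'] -eq $Account) {
                New-Object PSObject -Property @{
                    Time        = $_.TimeCreated
                    Server      = $caller
                    LogonType   = $d['LogonType']     # 3 = Network, 4 = Batch (scheduled task), 5 = Service
                    Process     = $d['ProcessName']
                    Workstation = $d['WorkstationName']
                    SourceIp    = $d['IpAddress']     # ::1 / 127.0.0.1 = the failing client is on this server
                }
            }
        } | Format-Table Time, Server, LogonType, Process, Workstation, SourceIp -AutoSize
}
```

A 4625 on a member server whose IpAddress is ::1 or 127.0.0.1 with logon type 3 means the bad credential was presented by a process on that same server over the loopback interface; logon type 4 or 5 points straight at a scheduled task or service on that host.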

#6 sborise (Newbie, Members, 4 posts)

Posted 07 October 2013 - 06:18 PM

Added auditing to the Servers OU GP and Default Domain Policy per http://www.netwrix.com/kb/1571.
Waited for 30 minutes for GP to reach servers, but I still get no machine address from where the incorrect credentials are being sent.
When I re-ran the Examination everything shows green except for the drive mappings. There it shows:
Cannot obtain credentials information for drive N mapped under S-1-5-21-xxxxxxxx
Cannot obtain credentials information for drive S mapped under S-1-5-21-xxxxxxxx

The netwrix server does not have network drives mapped.
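
Persistent drive mappings live per user in the registry, under HKEY_USERS\<SID>\Network, which is why the Examination reports them by SID rather than by name. The following is an added example, not code from the thread or from Netwrix: run on the server being examined, it lists every persistent mapping in the loaded user hives, resolves the owning SID to an account where it still can, and flags mappings that were made with alternate credentials. Only the hives of users who are currently logged on (or whose hive is loaded) appear under HKEY_USERS, so run it locally or through Invoke-Command or PsExec on the host in question.

```powershell
# Added example, not from the original thread: enumerate persistent drive
# mappings in HKEY_USERS\<SID>\Network and resolve each owning SID.
# Assumptions: run on the server under investigation with rights to read
# HKEY_USERS; only loaded hives (logged-on users) are visible there.
function Get-PersistentDriveMapping {
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        # Domain/local user SIDs only; skips well-known SIDs and the *_Classes hives
        if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
        $netPath = "Registry::HKEY_USERS\$sid\Network"
        if (-not (Test-Path $netPath)) { continue }

        # Resolve SID -> account. A deleted-and-recreated account gets a new SID,
        # so a mapping owned by the old SID will not resolve and is shown raw.
        try {
            $owner = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                         [System.Security.Principal.NTAccount]).Value
        } catch {
            $owner = $sid
        }

        foreach ($map in Get-ChildItem $netPath) {
            $p = Get-ItemProperty -Path $map.PSPath
            # UserName is a REG_SZ only when the mapping was created with alternate
            # credentials ("connect using different credentials"); otherwise DWORD 0
            $alt = $null
            if ($p.UserName -is [string]) { $alt = $p.UserName }
            New-Object PSObject -Property @{
                Owner      = $owner
                Drive      = "$($map.PSChildName):"
                RemotePath = $p.RemotePath
                AltCreds   = $alt
            }
        }
    }
}

Get-PersistentDriveMapping | Format-Table Owner, Drive, RemotePath, AltCreds -AutoSize
```

An Owner column that still shows a raw S-1-5-21-... value is the signature of a profile that belongs to an account no longer in the directory, which is exactly what a delete-and-recreate leaves behind.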
