Bad Password Attempts - Account Not Locking... Expand / Collapse
Author
Message
Posted 8/18/2014 10:40:09 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 8/18/2014 10:23:52 AM
Posts: 1, Visits: 0
We have the default domain policy set to 10 invalid logon attempts for account lockout threshold, I've tested this works but noticed last week an ActiveSync user had generated 2000+ bad password events without locking out her account (after changing her account password and not updating her ActiveSync devices).  I've search and cannot find a reference explaining how this can happen, I've tested the account lockout policy is working and the 2000+ bad password events all show in the DC security log but her account was not locked out. 

The bad password attempts all came into the network via MS Forefront TMG server which we use as a front end for both Outlook Web Access and ActiveSync, all the bad password attempts registered internally on the Domain controller but the account failed to lockout.

Why didn't the user account lockout?

Here's an example of one of the 2000+ bad password events from the DC security log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/08/2014 20:19:32
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      xxxxx.xx.xxx.local
Description:
An account failed to log on.

Subject:
 Security ID:  NULL SID
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  user.account
 Account Domain:  ourdomain

Failure Information:
 Failure Reason:  Unknown user name or bad password.
 Status:   0xc000006d
 Sub Status:  0xc000006a

Process Information:
 Caller Process ID: 0x0
 Caller Process Name: -

Network Information:
 Workstation Name: MSFOREFRONTTMG01
 Source Network Address: 10.96.160.8
 Source Port:  11100

Detailed Authentication Information:
 Logon Process:  NtLmSsp
 Authentication Package: NTLM
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

Thanks!

Mark

Post #1388
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 8:11am