A user on our network noticed one day that his account was getting locked out randomly and not by means of his own activity [he has administrative privileges, so this issue is a big concern]. He would already be logged on to his PC doing normal activities, and suddenly his phone would alert him that emails could not sync. The reason why, he found out, was that his user account was locked (our Active Directory network locks user accounts after 3 bad attempts), even while he was logged in at his workstation (if he logged out or the screensaver kicked in, he would not be able to log back in since the account would be locked). Logs and timing have shown that when the Network Admin account logs into a different PC - one specific PC (not any other so far from what we can tell) - his account gets locked out. We've removed any account profiles of his that were once on there (he rarely uses that PC, if at all, anyway), we have Symantec Endpoint Protection running in real time on it, we've run MalwareBytes (full scan) and TDSSKiller, the system is fully patched and up to date security-wise, and there are no viruses or alerts found by any of them, or anything else out of the ordinary. Here's the kicker... when this first started happening, the other PC (where the net admin would log on) did not even have SP1 on it since it hadn't been patched/updated in some time (Win 7 32-bit) (it did have an up-to-date antivirus program running at all times, however), so when I finally patched/updated it (this was after scanning and not finding anything), it suddenly stopped. Then, today, it suddenly started happening AGAIN, at the exact same time the net admin logged in (and there were no issues when logging in as net admin on that PC). Nothing out of the ordinary had been done with or to the other PC since that update, no alerts were raised, and it's been used several times (under the net admin account) without issue.
Has anyone ever seen anything like this? Is there some efficient, simple tool/utility that can monitor or detect failed (or successful, for that matter) login attempts (in plain, clear English) from computers on the network? Something that gives details as to why this is happening, where it's coming from, and some idea of how to stop and prevent it? Any help would be appreciated. Thanks.
Edited by hamluis, 24 July 2012 - 09:56 AM.
Moved from Win 7 to Windows NT - Hamluis.
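The question above asks for a way to see where failed logons and lockouts are coming from. The script below is an added example for readers of this thread, not something posted by the original author or any of the replies, and it uses only built-in Windows event-log cmdlets and the RSAT ActiveDirectory module. It relies on two facts about Active Directory auditing: every account lockout is recorded as Security event 4740 on the PDC emulator regardless of which DC processed the bad password, and in that event the "Caller Computer Name" field is carried in the EventData element named TargetDomainName. It then goes to each caller computer and pulls its 4625 (logon failure) events, which name the process and logon type that submitted the stale credential, and lists services and scheduled tasks there that run as the account. The $Account parameter and the 24-hour window are assumptions; 4625 on the workstation only exists if failure auditing of logon events is enabled there.

```powershell
# Added example: trace an AD account lockout back to the machine and process that caused it.
# Assumptions: PowerShell 3.0+, RSAT ActiveDirectory module installed, run as a user who can
# read the Security log on the PDC emulator and on the caller workstations.
param(
    [Parameter(Mandatory)] [string] $Account,   # sAMAccountName being locked out (assumed input)
    [int] $Hours = 24                            # how far back to search (assumed default)
)

Import-Module ActiveDirectory

# Turn the <EventData><Data Name="..."> elements of a Security event into a hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    $x = [xml] $Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$since = (Get-Date).AddHours(-$Hours)

# 1. Lockouts (4740) are always logged on the PDC emulator, so ask it rather than every DC.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData $_
    if ($d.TargetUserName -eq $Account) {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $d.TargetUserName
            CallerComputer = $d.TargetDomainName   # 4740 stores "Caller Computer Name" here
            LoggedOnDC     = $_.MachineName
        }
    }
}

"Lockouts of $Account on $pdc since $since :"
$lockouts | Format-Table -AutoSize

# 2. On each caller computer, 4625 shows which process and logon type sent the bad password.
#    SubStatus 0xC000006A = wrong password, 0xC0000234 = account already locked out.
#    LogonType 2 = interactive, 3 = network (mapped drive, SMB), 4 = scheduled task,
#    5 = service, 7 = unlock, 10 = RDP, 11 = cached interactive.
foreach ($pc in ($lockouts.CallerComputer | Where-Object { $_ } | Sort-Object -Unique)) {
    "`nFailed logons for $Account recorded on $pc :"
    Get-WinEvent -ComputerName $pc -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.TargetUserName -eq $Account) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                LogonType = $d.LogonType
                Process   = $d.ProcessName
                SourceIP  = $d.IpAddress
                SubStatus = $d.SubStatus
            }
        }
    } | Format-Table -AutoSize

    # 3. The usual holders of a stale password on a workstation: services and scheduled tasks
    #    configured to run as the account. (Win32_Service and schtasks work back to Windows 7.)
    "`nServices on $pc running as *$Account*:"
    Get-WmiObject -ComputerName $pc -Class Win32_Service |
        Where-Object { $_.StartName -like "*$Account*" } |
        Select-Object Name, StartName, State | Format-Table -AutoSize

    "`nScheduled tasks on $pc running as *$Account*:"
    schtasks /query /s $pc /v /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -like "*$Account*" } |
        Select-Object TaskName, 'Run As User', 'Last Run Time' | Format-Table -AutoSize
}
```

Two caveats when reading the output. The caller computer in 4740 is the machine that presented the bad password to the domain, so if it turns out to be an Exchange or RDP server rather than a workstation, repeat step 2 on that server to go one hop further back (a phone syncing mail with an old password shows up this way). Saved credentials in Credential Manager (cmdkey /list) and mapped drives created with explicit credentials are per-user and only visible when run in that user's session on the affected PC, so they have to be checked there directly rather than remotely.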