Video Screencast Help

domain user account get locked after every few minutes

Created: 31 Mar 2009 • Updated: 24 May 2010 | 7 comments

Hello everyone
I am administering a windows domain having windows Server 2003R2.

i make a group policy that after three wrong attempts of password.user account will get locked for 15 minutes.

now i am facing a problem that when i logon to any User's PC with adminstrator credential and then log off.then i trying to login with user's showing me that user account is locked out.

it is not neccessary that after logging off by administrator's credential on user PC.User account get also get locked every after 5,6 minutes.

sometime when user is already logged in.he is facing a problem that he cannot use print services.
when i checked out his account in Active showing me locked.

is this any kind of virus/malware.or some configuration error.kindly advice me what i do to resolve that matter

i also tried fixdownadup.exe on all PC but still accounts get locked rapidly.Plzzzzzzz advise me

Comments 7 CommentsJump to latest comment

Beppe's picture

Hi Hussi,

you have the most common sympthoms of the Downadup.B worm.
Please, read the documentation available in the Symantec Website regarding the Downadup.B to double-check other possible sympthoms and for more details.

Here's some basic advices:
1) be sure your AntiVirus is updated;
2) be sure ALL your machines have the patch described in this article:
3) disable the autoplay in ALL machines;
4) enforce your passwords policies;
5) if it is possible disable the filesharing during the disinfection or set it in read-only;
6) Isolate the infected machines (in the server you can see where the log on attempts are coming from).

Eventually you have to send a sample of the malware to Symantec so they can update their definitions to detect your specific sub-variant.

Be aware that for tomorrow is expected a new big version of Downadup (I don't know if it is a hoax, it seems true) so, anyway, it is better if you are sure that ALL your machines are patched as per point 2.




SameerU's picture


Please check that it is affected by the virus and do the following steps

I think it Downdup virus

Run a good security suite (we are partial to Norton Internet Security 2009 and Norton 360 Version 3.0).
Keep your computer updated with the latest patches. If you don’t know how to do this, have someone help you set your system to update itself.
Don’t use “free” security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their “full” service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.
Turn off the “autorun” feature that will automatically run programs found on memory sticks and other USB devices.
Be smart with your passwords. This includes
Change your passwords periodically
Use complex passwords – no simple names or words, use special characters and numbers
Using a separate, longer password for each site that has sensitive personal information or access to your ban


Symantec World's picture

Please apply the below patch to all systems to resolve this issue

MS08-067: Vulnerability in Server service could allow remote code execution

Regards, M.R

SAM_SHAIKH's picture


Disable ADMIN$ shares on machines and apply patch ms08-067, restart the machines , update definitionand scan all the suspected machines in safemode with system restore OFF.

Your network has got infected with W32.Downadup family.


vikram3500's picture

 Yup, clear case of Conficker....

Alex Casartelli's picture

Hi to all,

I followed the basics instruction of Giuseppe, but i didn't solve this problem.

How can i do to solve this issue?

Is there a new patch? or a new version about this virus?

Many thanks to all,



Vikram Kumar-SAV to SEP's picture

Please open a new Discussion thread for your issue also follow this article 

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search use it.