Endpoint Protection

  • 1.  The user account has been automatically locked

    Posted Mar 08, 2014 12:10 AM

    I am having problems with user accounts locking and unlocking automatically.

    I had a look in the event viewer and it comes up with this error:


    Event ID: 40690
    >>> Type: Warning
    >>> Usre: N/A
    >>> Source: LSASRV
    >>> Category: SPNEGO (Negotiator)
    >>>
    >>> Description:
    >>> The Security System detected an attempted downgrade attack for
    >>> cifs/LHFILE2.xmcht.nhs.uk. The failure code from
    >>> authentication protocol Kerberos was "The user account has been
    >>> automatically locked because too many invalid logon attempts or
    >>> password change attempts have been requested.
    >>> (0xc0000234)".


     



  • 2.  RE: The user account has been automatically locked

    Posted Mar 10, 2014 01:05 PM

    Have you run a full scan with the latest defs on the affected user's machine?

    Any malicious activity showing in the SEP logs?



  • 3.  RE: The user account has been automatically locked

    Posted Mar 11, 2014 02:45 AM

    Hi SKP,

    Some threats attempt to move throughout the environment by attempting to log into accounts with a dictionary of weak passwords.  W32.Downadup is one example.  These threats lead to those accounts being locked out (though they are, of course, not the only reason!).

    Use auditing to determine who is trying to log in to the accounts and from where.  See if those attempts are threat-related by examining that computer's records in the SEPM logs or by running SymHelp on it.

    More info on W32.Downadup:

    Killing Conficker: How to Eradicate W32.Downadup for Good
    https://www-secure.symantec.com/connect/articles/killing-conficker-how-eradicate-w32downadup-good
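
Added example, not part of the original thread: one way to do the auditing step suggested in reply 3, listing which machine triggered each lockout and which client addresses sent the bad Kerberos passwords. It assumes Windows Server 2008 or later domain controllers with account management and Kerberos authentication auditing enabled, the ActiveDirectory (RSAT) module, and a one-day look-back window; `Get-EventFields` is a helper name made up for this sketch.

```powershell
# Added example; the assumptions are listed in the lead-in above.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-1)          # assumed look-back window
$pdc   = (Get-ADDomain).PDCEmulator      # every lockout is recorded on the PDC emulator

# Hypothetical helper: turn an event's <EventData> into a hashtable keyed by field name.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# 4740 = "A user account was locked out". In this event the caller
# computer name is carried in the TargetDomainName field.
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} | ForEach-Object {
    $f = Get-EventFields $_
    New-Object psobject -Property @{
        Time = $_.TimeCreated; Account = $f.TargetUserName; CallerComputer = $f.TargetDomainName
    }
}
$lockouts | Sort-Object Time | Format-Table Time, Account, CallerComputer -AutoSize

# 4771 = Kerberos pre-authentication failed; Status 0x18 means a bad password.
# These are logged on whichever DC handled the request, so check all of them.
$accounts = @($lockouts | ForEach-Object { $_.Account } | Sort-Object -Unique)
$dcs      = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

$failures = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = $since
    } | ForEach-Object { Get-EventFields $_ } |
        Where-Object { $_.Status -eq '0x18' -and $accounts -contains $_.TargetUserName } |
        ForEach-Object { '{0} from {1}' -f $_.TargetUserName, $_.IpAddress }
}

# Most frequent account/source pairs first: many accounts failing from one
# address points at that machine, which is the one to check in the SEPM logs.
$failures | Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

A single source address failing against many different accounts fits the dictionary-style behaviour described in reply 3; one account failing from one machine more often points to a stale saved password or mapped drive.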



  • 4.  RE: The user account has been automatically locked

    Posted Mar 18, 2014 07:20 AM

    Hi

    Please apply all the necessary security patches and update.

    Regards