Hosting Provided By

RE: Windows 2000 user login

From: Robinson, Sonja <SRobinson(at)HIPUSA.com>
Date: Thu Mar 27 2003 - 15:07:49 EST

Dump your PDC logs using DumpEVT or similar. Search the log files for the users user name or by the MS Security Event Code. This will give you all of the computer names that his account is trying to be accessed from. So in other words you will locate HIS true machine, plus any machine that may have a script under his account or if someone is trying to brute force his account, etc. Your password policy of 30 days is fine and is not the cause. Most likely it is user disfunction or their is a script/batch file/process trying to use the account and he forgot about it- which still applies to user disfunction.

-----Original Message-----
From: Wright, Bill
To: security-basics@securityfocus.com
Sent: 3/26/2003 1:16 PM
Subject: Windows 2000 user login

I have never posted to this board, so hopefully I'm following the right procedures. My issue is that a user's account keeps getting locked out due to an aggressive password policy (30 days) and he claims that he isn't logged into multiple machines nor is he fat fingering his password. Is anybody aware of a product to find out where or how many Windows 2000 servers or workstations a user is logged into? My thinking is that he's logged into multiple machines under an old password that keeps locking him out.

Thanks,
Bill

SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.surfcontrol.com/go/zsfsbl1

This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender of the error immediately, do not read or use the communication in any manner, destroy all copies, and delete it from your system if the communication was sent via email.

SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.surfcontrol.com/go/zsfsbl1 Received on Fri Mar 28 10:00:35 2003

This message: [ Message body ]
Next message: securityfocus(at)not4not.mailshell.com: "Re: Security Approval Process"
Previous message: Bruyere, Michel: "bandwidth monitoring for baystacks"
Maybe in reply to: Wright, Bill: "Windows 2000 user login"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:59 EDT