Greetings Experts,

I am an Active Directory administrator and have recently seen a number (15-20) of accounts locked out daily. There is no rhyme or reason to the order in which this is occurring. We suspect someone may be trying to brute-force OWA and/or Exchange ActiveSync in order to be able to send spam through our domain. I am interested in knowing your opinions on what "best practices" are in this situation. We do not have evidence that anyone has actually made it through; however, our helpdesk is fielding calls nearly every morning to unlock these accounts. Is there any sort of AD program or methodology to find out which area of AD the bad password attempts are coming from (OWA, folder mapping, etc.) and who is sending them (IP address)? We would very much like the capability to block the address, or range of addresses.

Some sort of automated AD security program would, of course, be preferred.



Download the Account Lockout tools from Microsoft.

There's a tool called eventcombMT.exe; it comes with a built-in search for account lockouts that will tell you where the bad attempts are coming from. This should be a good starting point...
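As an added example (not part of either post above, and not something the EventComb tool produces), the following PowerShell does the same kind of search the answer describes: it pulls the lockout events (4740) from the PDC emulator, which records the "Caller Computer Name" for every lockout in the domain, and then collects the bad-password events (4771 for Kerberos, 4776 for NTLM) for those accounts from every domain controller. It assumes you run it as a domain admin with the RSAT ActiveDirectory module installed, that the DCs' Security logs are readable remotely, and that "Account Lockout", "Credential Validation" and "Kerberos Authentication Service" auditing are enabled; the 24-hour window is an arbitrary choice.

```powershell
# Added example, not from the original thread. Finds where the bad passwords
# behind recent lockouts are coming from.
# Assumptions: domain admin, RSAT ActiveDirectory module, remote Security log
# access to all DCs, lockout/credential-validation/Kerberos auditing enabled.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-24)   # hypothetical window; adjust as needed

# Turn an event's EventData into a hashtable keyed by field name, so the code
# does not depend on the positional order of $event.Properties[].
function ConvertTo-EventDataHash {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h   = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 1. Every lockout (4740) is written on the PDC emulator. In a 4740 event the
#    "Caller Computer Name" is stored in the TargetDomainName field.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertTo-EventDataHash $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = $d.TargetUserName
        Caller  = $d.TargetDomainName
    }
}

"Lockouts since $since (caller = machine that sent the bad password):"
$lockouts | Sort-Object Time | Format-Table -AutoSize

# 2. Failed authentications for those accounts on every DC.
#    4771 (Kerberos pre-auth failed; Status 0x18 = bad password) carries the
#    client IP address. 4776 (NTLM; Status 0xC000006A = bad password) carries
#    only the workstation name. OWA/ActiveSync logons reach the DC from the
#    Exchange server, so the caller/workstation will be that server and the
#    real client IP then has to be read from the Exchange IIS logs.
$accounts = @($lockouts.Account | Sort-Object -Unique)
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$failures = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d    = ConvertTo-EventDataHash $_
        $user = $d.TargetUserName
        if ($accounts -contains $user) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                Id      = $_.Id
                Account = $user
                # 4771 reports IPv4 clients as ::ffff:a.b.c.d; strip the prefix.
                Source  = if ($_.Id -eq 4771) { $d.IpAddress -replace '^::ffff:', '' }
                          else { $d.Workstation }
                Status  = $d.Status
            }
        }
    }
}

# 3. Summarise: which source is generating bad passwords for which account.
"Bad-password sources for the locked-out accounts:"
$failures | Group-Object Account, Source, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

If the caller for most lockouts turns out to be an Exchange server, the next step is its IIS logs (the `cs-username` and `c-ip` columns for the `/owa` and `/Microsoft-Server-ActiveSync` paths), because that is where the external client address is recorded; the domain controller only ever sees the Exchange server.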
