any Windows Server admins?

Discussion in 'Tech Talk' started by Nyper, Apr 24, 2007.

  1. Nyper

    Nyper

    Having a small problem here....

    Accounts are being locked out on a server due to too many invalid login attempts.

    The thing is - the users aren't really trying to log in. Something on our laptop is doing it automatically and we can't figure out how to stop it!

    From the security event log:

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: bill.user (changed for Glocktalk)
    Domain:
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: BILLSLAPTOP

    Note: We do not use Active Directory nor a domain controller.

    It seems to only be happening on one machine, which happens to be our main web server.

    Virus scans aren't showing anything. One person's laptop is trying to login every 5 minutes on the dot. Others are more random.

    I have tried Googling the NtLmSsp and NTLM, but not having any luck resolving the issue. Anyone?
     
  2. Nyper

    Nyper

    Further explanation:

    The only way we log in to this server is through remote desktop (very limited # of users for this server). We are finding that when we try to log in, we are told our accounts are locked out. So we log in as Administrator, take a look at the logs... and that's what I posted above.
     

  3. Blitzer

    Blitzer Cool Cat

  4. Nyper

    Nyper

    Welp.. we're getting it narrowed down now.

    The invalid login occurs every time we try to check our email. This server is also our mail server.

    It is happening to 3 of us here, and all 3 of us are running Outlook 2007. We all have different anti-virus software. We have disabled that and the problem still occurs.

    Outlook is the devil...

    Another employee is also running Outlook 2007 and NOT having this issue. What in the world.... ?
     
  5. lens

    lens

    There is a setting in Outlook (all versions) whereby you can specify how often to poll for new messages.

    That sounds like the culprit to me.
     
  6. Nyper

    Nyper

    That doesn't explain why my machine is trying to log on to the server itself. It should only be checking mail using the pop3 protocol. It shouldn't be an invalid login for remote desktop/terminal services/whatever.

    It doesn't make sense for someone to be locked out of remote desktop/terminal services just because they checked their email a few times.
     
  7. lens

    lens

    I'm not familiar with Remote Desktop, but to poll for Email doesn't it have to "login" to the server? I would think so.

    If it is set to poll for new Email every 3 or 5 minutes, AND it was set to logout after retrieving Email (also a standard setting), wouldn't that show as excessive logins?
     
  8. DragonRider

    DragonRider

    WAG, how many connections are allowed??

    John
     
  9. xaosflux

    xaosflux

    Delete the local profile for Bill on Billslaptop; it should recreate during the next log on, do it the right way, or at least delete c:\documents and settings\bill\ to kill the user registry. If they save a lot of files locally you might want to rename that directory first for recovery.

    It could be a persistent mapped drive connection, saved server credentials for a resource (like a proxy server/ java application), or something else like that.
     
  10. NetNinja

    NetNinja Always Faithful

    Whoa,

    Please explain to me how you have your network set up please.

    From what you have explained it sounds like you are seriously playing with fire from a security standpoint.

    I sure hope you all love each other.
     
  11. stratocastor80

    stratocastor80 NM FTW

    dear god please tell me it's not Exchange... PLEASE
     
  12. Tennessee Slim

    Tennessee Slim Señor Member CLM

    I’d suggest you get the Event Comb tool (EventCombMT) from the Windblows resource kit. With it, you probably will be able to tell where the failed logon attempts are originating.


    http://support.microsoft.com/kb/824209
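
Added example, not part of the thread and not EventCombMT's own code: one way to triage an export of the "Logon Failure" records quoted in the first post, grouping them by workstation, user and logon type and flagging sources that fail at a fixed interval (the "every 5 minutes on the dot" pattern). Logon Type 3 is a network logon, not the Remote Desktop logon itself. The timestamp line heading each record, the second laptop (JANESLAPTOP / jane.user) and all function names are assumptions made for the example; the sample data is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*)$", re.M)

def make_sample():
    """Constructed export: a timestamp line (assumed format), then the fields from the post."""
    tmpl = ("{ts}\nLogon Failure:\nReason: Unknown user name or bad password\n"
            "User Name: {user}\nDomain:\nLogon Type: 3\nLogon Process: NtLmSsp\n"
            "Authentication Package: NTLM\nWorkstation Name: {ws}")
    rows = [("09:%02d:00" % m, "bill.user", "BILLSLAPTOP") for m in (0, 5, 10, 15, 20)]
    rows += [(t, "jane.user", "JANESLAPTOP")  # hypothetical second laptop
             for t in ("09:01:13", "09:02:40", "09:17:05", "09:48:51")]
    return "\n\n".join(tmpl.format(ts="2007-04-24 " + t, user=u, ws=w) for t, u, w in rows)

def parse_records(text):
    """Return (timestamp, fields) for every Logon Failure record in the export."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        head, _, body = block.strip().partition("\n")
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(body)}
        if "Logon Failure" in fields:
            records.append((datetime.strptime(head.strip(), "%Y-%m-%d %H:%M:%S"), fields))
    return records

def summarize(records, jitter_s=5.0):
    """Group failures by (workstation, user, logon type) and flag fixed-interval sources."""
    groups = defaultdict(list)
    for ts, f in records:
        key = (f.get("Workstation Name", ""), f.get("User Name", ""), f.get("Logon Type", ""))
        groups[key].append(ts)
    out = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        out[key] = {
            "count": len(stamps),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            # Near-constant spacing points at a timer (mail poll, saved credential), not a person.
            "periodic": len(gaps) >= 3 and pstdev(gaps) <= jitter_s,
        }
    return out

if __name__ == "__main__":
    for key, stats in summarize(parse_records(make_sample())).items():
        print(key, stats)
```

A group flagged as periodic is worth checking for stored credentials or a polling client on that workstation before resetting the lockout again.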