any Windows Server admins?

  1. Having a small problem here....

    Accounts are being locked out on a server due to too many invalid login attempts.

    The thing is - the users aren't really trying to log in. Something on our laptop is doing it automatically and we can't figure out how to stop it!

    From the security event log:

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: bill.user (changed for Glocktalk)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: BILLSLAPTOP

    Note: We do not use Active Directory nor a domain controller.

    It seems to only be happening on one machine, which happens to be our main web server.

    Virus scans aren't showing anything. One person's laptop is trying to login every 5 minutes on the dot. Others are more random.

    I have tried Googling the NtLmSsp and NTLM, but not having any luck resolving the issue. Anyone?
  2. Further explanation:

    The only way we log in to this server is through remote desktop (very limited # of users for this server). We are finding that when we try to log in, we are told our accounts are locked out. So we log in as Administrator, take a look at the logs... and that's what I posted above.
  3. Welp.. we're getting it narrowed down now.

    The invalid login occurs every time we try to check our email. This server is also our mail server.

    It is happening to 3 of us here, and all 3 of us are running Outlook 2007. We all have different anti-virus software. We have disabled that and the problem still occurs.

    Outlook is the devil...

    Another employee is also running Outlook 2007 and NOT having this issue. What in the world.... ?
  4. There is a setting in Outlook (all versions) whereby you can specify how often to poll for new messages.

    That sounds like the culprit to me.
  5. That doesn't explain why my machine is trying to log on to the server itself. It should only be checking mail using the pop3 protocol. It shouldn't be an invalid login for remote desktop/terminal services/whatever.

    It doesn't make sense for someone to be locked out of remote desktop/terminal services just because they checked their email a few times.
  6. I'm not familiar with Remote Desktop, but to poll for Email doesn't it have to "login" to the server? I would think so.

    If it is set to poll for new Email every 3 or 5 minutes, AND it was set to logout after retrieving Email (also a standard setting), wouldn't that show as excessive logins?
  7. WAG, how many connections are allowed??

  8. Delete the local profile for Bill on Billslaptop; it should recreate during the next log on, do it the right way, or at least delete c:\documents and settings\bill\ to kill the user registry. If they save a lot of files locally you might want to rename that directory first for recovery.

    It could be a persistent mapped drive connection, saved server credentials for a resource (like a proxy server/ java application), or something else like that.
  9. Whoa,

    Please explain to me how you have your network set up please.

    From what you have explained it sounds like you are seriously playing with fire from a security standpoint.

    I sure hope you all love each other.
  10. dear god please tell me it's not Exchange... PLEASE
  11. I’d suggest you get the Event Comb tool (EventCombMT) from the Windblows resource kit. With it, you probably will be able to tell where the failed logon attempts are originating.
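
Added example (not from the thread or any poster): a short Python script that reads failed-logon records in the field layout quoted in the first post, groups them by account and workstation, and flags sources that retry on a fixed interval, like the laptop described as trying "every 5 minutes on the dot". The export layout with a leading timestamp line, the timestamps themselves, the second account and workstation, and the jitter threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

def make_event(ts, user, host):
    """Build one constructed record using the field names quoted in the thread."""
    return (f"{ts}\nLogon Failure:\nReason: Unknown user name or bad password\n"
            f"User Name: {user}\nLogon Type: 3\nLogon Process: NtLmSsp\n"
            f"Authentication Package: NTLM\nWorkstation Name: {host}\n\n")

# Constructed sample data: one source on a 5-minute timer, one irregular.
SAMPLE = "".join(
    [make_event(f"2008-03-04 {t}", "bill.user", "BILLSLAPTOP")
     for t in ("09:00:02", "09:05:02", "09:10:01", "09:15:02")] +
    [make_event(f"2008-03-04 {t}", "jane.user", "JANESLAPTOP")
     for t in ("09:01:10", "09:03:45", "09:20:30", "09:22:05")])

STAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d$", re.M)
FIELD = re.compile(r"^[ \t]*(User Name|Logon Type|Workstation Name):[ \t]*(.+?)[ \t]*$", re.M)

def parse_events(text):
    """Split on blank lines and keep only complete Logon Failure records."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        stamp, fields = STAMP.search(block), dict(FIELD.findall(block))
        if stamp and "Logon Failure" in block and "User Name" in fields:
            fields["time"] = datetime.strptime(stamp.group(), "%Y-%m-%d %H:%M:%S")
            events.append(fields)
    return events

def summarize(events, jitter=5.0, min_events=3):
    """Group network logon failures (type 3) by source and test for a fixed cadence."""
    by_source = defaultdict(list)
    for e in events:
        if e.get("Logon Type") == "3":
            by_source[(e["User Name"], e.get("Workstation Name", "?"))].append(e["time"])
    report = {}
    for key, times in by_source.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A near-constant gap points at a scheduled client, not a person typing.
        periodic = len(times) >= min_events and pstdev(gaps) <= jitter
        report[key] = {"count": len(times), "periodic": periodic,
                       "mean_gap_s": round(mean(gaps)) if gaps else None}
    return report

if __name__ == "__main__":
    for source, stats in summarize(parse_events(SAMPLE)).items():
        print(source, stats)
```

A source flagged as periodic with a mean gap matching a client's polling interval narrows the search to whatever on that workstation runs on that timer with stored credentials.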