BadPwdCount reset without logon
Hi,
We have a small case involving the badPwdCount attribute. We were simulating an attack on the Administrator account on multiple DCs.
As the attack targeted a specific DC, badPwdCount increased to a high value, such as 2880 on one DC (DC 3 in the data below). When I came back a few days after the tests were completed, I was surprised to see the same DC with a badPwdCount of 1. I ran a query on that DC to verify whether a logon appeared; none confirmed it. The DC shows a lastLogon of the real last time the account logged on, the first of January.
Since I saw this strange behavior, I made the same check in our production environment and saw that the same pattern appeared on administrative accounts. badPwdCount seems to increase and then return to 1, sometimes without any logon. I have consulted the Security audit log on every DC and confirmed that no logon appears, and we have RSA enVision and SCOM alerting on logons for the account; none showed a logon that may have reset badPwdCount, as the Microsoft theory says?
Do any of you have an explanation for this?
Here is the info from our 4 DCs:
DC : 1
lastLogon : 2005/11/27 08:00:36
lockoutTime : 2010/03/06 12:44:01
badPasswordTime : 2010/03/08 16:16:45
lastLogonTimestamp : 2010/01/01 12:52:03
userAccountControl : 66048
badPwdCount : 5
whenChanged : 2010/03/06 17:44:01
pwdLastSet : 2006/11/27 00:31:18

DC : 2
lastLogon : 2010/01/01 12:52:03
lockoutTime : 2010/03/06 12:44:01
badPasswordTime : 2010/03/08 09:00:47
lastLogonTimestamp : 2010/01/01 12:52:03
userAccountControl : 66048
badPwdCount : 8
whenChanged : 2010/03/06 17:44:04
pwdLastSet : 2006/11/27 00:31:18

DC : 3
lastLogon : 2005/11/27 00:00:24
lockoutTime : 2010/03/06 12:44:01
badPasswordTime : 2010/03/08 16:16:45
lastLogonTimestamp : 2010/01/01 12:52:03
userAccountControl : 66048
badPwdCount : 1
whenChanged : 2010/03/06 17:48:59
pwdLastSet : 2006/11/27 00:31:18

DC : 4
lockoutTime : 2010/03/06 12:44:01
badPasswordTime : 2010/02/22 15:33:10
lastLogonTimestamp : 2010/01/01 12:52:03
userAccountControl : 66048
badPwdCount : 1260
whenChanged : 2010/03/06 17:48:46
pwdLastSet : 2006/11/27 00:31:18
accountExpires : 1600/12/31 19:00:00
This value is reset because it must have been set in the Default Domain Policy via "Reset account lockout counter after xx minutes".
Check that.
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, questions should be posted in the newsgroup.
This posting is provided "AS IS" with no warranties, and confers no rights.
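The check suggested in the reply can be done from one console rather than by querying each DC by hand. The script below is an added example, not code from either poster: it reads the domain's "Reset account lockout counter after" value (the LockoutObservationWindow), then asks every DC for its own copy of badPwdCount, badPasswordTime, lockoutTime and lastLogon for one account. Those first three attributes are not replicated, so each DC has to be queried directly, which is why the four DCs above disagree. For each DC it then states whether the counter could have been cleared by a successful logon on that DC (lastLogon newer than badPasswordTime) or, if not, that a low count with no newer logon is consistent with the observation window having expired before the most recent bad password, which resets the counter and starts it again at 1. It assumes the ActiveDirectory module (RSAT) is installed, that the caller can read every DC, and that the account is "Administrator"; the parameter name and the output field names are my own.

```powershell
# Added example: query badPwdCount and related attributes on every DC for one
# account and compare them against the domain's lockout observation window.
# Assumptions: ActiveDirectory module present, read access to all DCs,
# account name "Administrator" (override with -SamAccountName).
param(
    [string]$SamAccountName = 'Administrator'   # assumption: account under test
)
Import-Module ActiveDirectory

# Effective domain lockout settings; LockoutObservationWindow is the
# "Reset account lockout counter after" value from the Default Domain Policy.
$policy = Get-ADDefaultDomainPasswordPolicy
$window = $policy.LockoutObservationWindow
Write-Host ("Lockout threshold: {0}  Observation window: {1}" -f $policy.LockoutThreshold, $window)

# badPwdCount, badPasswordTime and lastLogon are stored as raw values on each DC
# and are NOT replicated, so every DC must be asked for its own copy.
$attrs = 'badPwdCount', 'badPasswordTime', 'lockoutTime', 'lastLogon', 'lastLogonTimestamp'

function ConvertFrom-FileTime {
    # AD stores these timestamps as 64-bit FILETIME; 0 means "never".
    param([Int64]$FileTime)
    if ($FileTime -gt 0) { [DateTime]::FromFileTime($FileTime) } else { $null }
}

$now = Get-Date

Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties $attrs -ErrorAction Stop
    } catch {
        Write-Warning ("{0}: query failed: {1}" -f $dc, $_.Exception.Message)
        return
    }

    $badTime   = ConvertFrom-FileTime $u.badPasswordTime
    $lastLogon = ConvertFrom-FileTime $u.lastLogon
    $lockout   = ConvertFrom-FileTime $u.lockoutTime

    # Has the observation window already elapsed since this DC's last bad password?
    $windowExpired = ($badTime -ne $null) -and (($now - $badTime) -gt $window)

    # Was the counter cleared by a successful logon on THIS DC?
    $logonAfterBad = ($lastLogon -ne $null) -and ($badTime -ne $null) -and ($lastLogon -gt $badTime)

    $likelyReset = if ($logonAfterBad) {
        'successful logon on this DC after the last bad password'
    } elseif ($u.badPwdCount -le 1) {
        'observation window expired before the last bad password (no newer logon on this DC)'
    } else {
        'not reset: count still accumulating'
    }

    [PSCustomObject]@{
        DC                 = $dc
        badPwdCount        = $u.badPwdCount
        badPasswordTime    = $badTime
        lockoutTime        = $lockout
        lastLogon          = $lastLogon
        lastLogonTimestamp = ConvertFrom-FileTime $u.lastLogonTimestamp
        WindowExpiredNow   = $windowExpired
        LikelyReset        = $likelyReset
    }
} | Format-Table -AutoSize
```

Run it as a user who can read the account on every DC. A DC that reports badPwdCount of 1 with a lastLogon older than its badPasswordTime (DC 3 in the data above) shows the pattern the reply describes: nothing logged on, but the window had run out before a fresh bad password arrived, so that attempt started the counter again at 1. lastLogonTimestamp is replicated and only updated when the previous value is more than about two weeks old, so it is not evidence for or against a recent logon on a particular DC; use lastLogon on each DC and the Security log for that.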