Sunday, July 22, 2012

All Accounts Locked Due to Accessing User Account Manager from Control Panel in Server 2008

A few days back we ran into an interesting problem: every user account on our Windows Server 2008 Standard Edition server was suddenly locked out. Browsing the Event Viewer Security log, we found multiple Audit Failure entries for every user account with the following details:
- Event ID : 4625 (An account failed to log on)
- Caller Process Name : dllhost.exe
- All entries for all accounts were logged within the same second

It is practically impossible for every user to fail a logon at the same instant by coincidence, so at first we suspected a denial-of-service (account lockout) attack against the server. After some searching on the Internet and retracing what we had done just before the incident, we came to suspect the Account Management feature accessible from Control Panel.

We did a simple test to confirm the root cause of this issue:

1. Enable both Success and Failure auditing for logon events under Local Security Policy (secpol.msc) > Local Policies > Audit Policy

2. Open Event Viewer, go to Windows Logs > Security
Filter the current log on Event ID : 4625

3. Open User Accounts under Control Panel.

4. Click the "Manage another account" link
This action triggers an Audit Failure entry in the Security log for every user account.

5. Go back to Event Viewer and press Refresh
You will see a large number of Audit Failure entries, all with the same timestamp, one per account.
If an Account Lockout Policy is configured, these failures lock the accounts out.
To tell this apart from a genuine attack, check the Caller Process Name and Source Network Address fields of the 4625 events: the entries produced here come from the local dllhost.exe process, whereas a remote password spray would show a remote source address or workstation name.
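The following PowerShell script is an added example, not part of the original post. It automates the check behind both the incident described at the top and the reproduction steps above: it pulls Event ID 4625 entries from the Security log, groups them by the second they were logged, and reports any second in which many distinct accounts failed to log on, together with the caller process and source address of those events. The `$Hours` and `$MinAccounts` thresholds are assumptions, as is the availability of PowerShell 2.0 or later; run it elevated on the server in question with logon failure auditing already enabled.

```powershell
# Added example, not part of the original post. Detects the signature described
# above: a burst of Event ID 4625 logon failures for many different accounts
# within the same second, and reports the caller process and source address so
# the burst can be told apart from a remote password spray.
# Assumptions: PowerShell 2.0 or later, run elevated on the server whose
# Security log is to be examined, with logon failure auditing enabled
# (via Local Security Policy, or: auditpol /set /subcategory:"Logon" /failure:enable).
param(
    [int]$Hours       = 24,   # how far back to search (assumed default)
    [int]$MinAccounts = 5     # distinct accounts failing in one second to count as a burst (assumed threshold)
)

# Read a named <Data Name="..."> value out of a 4625 event's XML, so we do not
# depend on the positional order of the EventData fields.
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction Stop

# Flatten each event into the handful of fields that matter for triage.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    New-Object PSObject -Property @{
        Second      = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        Account     = Get-EventField $x 'TargetUserName'
        LogonType   = Get-EventField $x 'LogonType'
        Caller      = Get-EventField $x 'ProcessName'      # shown as "Caller Process Name" in Event Viewer
        Workstation = Get-EventField $x 'WorkstationName'
        SourceIp    = Get-EventField $x 'IpAddress'        # shown as "Source Network Address" in Event Viewer
    }
}

# Group failures by the second they were logged and keep only the bursts.
$bursts = $rows | Group-Object Second | Where-Object {
    @($_.Group | Select-Object -ExpandProperty Account -Unique).Count -ge $MinAccounts
}

if (-not $bursts) {
    "No second in the last $Hours hour(s) had $MinAccounts or more distinct accounts failing to log on."
    return
}

foreach ($b in $bursts | Sort-Object Name) {
    $accounts = @($b.Group | Select-Object -ExpandProperty Account  -Unique)
    $callers  = @($b.Group | Select-Object -ExpandProperty Caller   -Unique)
    $sources  = @($b.Group | Select-Object -ExpandProperty SourceIp -Unique)

    # A remote source address on any event in the burst points at a real spray
    # rather than at a local management tool enumerating the accounts.
    $remote = @($sources | Where-Object { $_ -and $_ -ne '-' -and $_ -ne '127.0.0.1' -and $_ -ne '::1' })

    "{0}: {1} distinct accounts failed to log on in one second" -f $b.Name, $accounts.Count
    "    caller process(es): {0}" -f ($callers -join ', ')
    "    source address(es): {0}" -f ($sources -join ', ')
    if ($remote.Count -gt 0) {
        "    VERDICT: remote source present; treat as a password spray / lockout attack and investigate {0}" -f ($remote -join ', ')
    } elseif ($callers -match 'dllhost\.exe$') {
        "    VERDICT: all failures are local and the caller is dllhost.exe; matches the Control Panel 'Manage another account' behaviour"
    } else {
        "    VERDICT: local burst from an unexpected caller; inspect the caller process"
    }
}
```

Save it as a .ps1 and run it after reproducing step 4; the burst from the Control Panel shows up with dllhost.exe as the only caller and no remote source address. Lower `$MinAccounts` on a server with only a few local accounts, since the burst can never contain more accounts than exist.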