I have received an alert notification that a user account is under attack.

  • Article

Cause:  A user has repeatedly tried to log on due to losing or forgetting the user account password. This alert occurs when the number of failed logons for a specific user exceeds the Account Lockout Threshold.

Solution:  Reset the user account password.

Note

To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To reset a user's password

  1. Click Start, and then click Server Management.

  2. In the console tree, click Users.

  3. In the details pane, select a user account, and then click Change Password.

  4. Type and confirm the new password.

  5. Select or clear the User must change password at next logon check box, and then click OK.

Cause:  An actual attack has occurred. This alert occurs when the number of failed logons for a specific user exceeds the Account Lockout Threshold.

Solution:  You need to do the following if you suspect the account is under attack:

  • Unplug the Internet cable from your server or router if you are certain that your network has been attacked. Open Event Viewer and view the audit logon events in the Security Events log to determine if an attack has occurred.

To open Event Viewer

  1. Click Start, and then click Server Management.

  2. In the console tree, click Monitoring.

  3. In the details pane, click View Event Logs.

  • View the event log to try and determine the IP address from which the attack is originating. Contact your Internet service provider (ISP) to report or block it.
  • Check for any unknown user accounts by using the Manage Users snap-in in Server Management.
  • Reset the user's password.
  • Reset the administrator password.
  • Disable the user account until the threat of the network attack passes.

Note

To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To disable a user account

  1. Click Start, and then click Server Management.

  2. In the console tree, click Users.

  3. In the details pane, select a user account, and then click Disable Account.

Note

Disable accounts are not removed, but you cannot use them to log on or to access network resources.

  • Consider setting strong password policies.

Note

To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To configure password policies

  1. Click Start, and then click Server Management.

  2. In the console tree, click Users.

  3. In the details pane, click Configure Password Policies.

  4. Select the check boxes to configure the policies you want, select when you want the policies to become effective, and then click OK.

    If you are still setting up the network and thus do not want the policies to be effective yet, you can choose to make them effective in a few days.

Note

This action changes the password policies used in your entire network. Enabling or changing password policies requires all users to change their passwords the next time they log on to the network.

For more information about keeping your network secure, visit the Microsoft Security and Privacy Web site (https://go.microsoft.com/fwlink/?LinkId=102).