
Win 2003 ADS users get locked out

Author
7 Jul 2009 6:37 AM
DD
Hi,
We have a Server 2003 network (2 Domain Controllers, 5 member servers, and
about 100 Windows XP SP3 clients). Of late we have noticed that a
random user would get into a lockout problem, i.e. all of a sudden their
account gets locked out. However, they do not get notified of any password
expiration or so. It happens again. It occurs while they are already logged
ie: the Internet Explorer starts looking for authentication done anything to
lock it out (ie: they haven't put in a bad password three times in
succession). We unlock their account and it worked fine for some time and
again it might be locked out.



Best Regards,
DD.

Author
7 Jul 2009 6:48 AM
Florian Frommherz [MVP]
Howdie!

DD wrote:
> Hi,
> We have a Server 2003 network (2 Domain Controllers, 5 member servers, and
> about 100 Windows XP SP3 clients). Of late we have noticed that a
> random user would get into a lockout problem, i.e. all of a sudden their
> account gets locked out. However, they do not get notified of any password
> expiration or so. It happens again. It occurs while they are already logged
> ie: the Internet Explorer starts looking for authentication done anything to
> lock it out (ie: they haven't put in a bad password three times in
> succession). We unlock their account and it worked fine for some time and
> again it might be locked out.

You need to turn on directory services auditing to gather event logs
with information on when and where and with which type of logon the
lockout occurred. It's hard to tell why lockouts occur without that piece of
information. Reasons could be:
- a malicious user trying to get those passwords
- a service/application that tries to authenticate with an old user password
- the Conficker worm on an infected machine/on multiple infected machines
- a scheduled task with an old user password
- ..

Cheers,
Florian
Author
7 Jul 2009 6:50 AM
Meinolf Weber [MVP-DS]
Hello DD,

Check with lockout tools for starting:
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Also check your systems for viruses like Conficker, which can also result in
lockouts:
http://support.microsoft.com/kb/962007

http://technet.microsoft.com/en-us/security/dd452420.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Author
7 Jul 2009 8:40 AM
DD
Hi,
I have checked the event log; it shows the following for the users whose account
is locked out.

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: umesh.desai
Source Workstation: ITL731
Error Code: 0xC0000234

Best Regards,
DD
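Added example (not part of the original thread): a Python sketch that parses exported security-log text in the field layout DD posted and ranks source workstations by wrong-password failures for one account. The sample events, account names and workstation names are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# NTSTATUS values seen in the "Error Code" field of failed logon events.
STATUS = {0xC0000064: "no such user", 0xC000006A: "wrong password",
          0xC0000072: "account disabled", 0xC0000234: "account already locked out"}
FIELD = re.compile(
    r"^[ \t]*(Logon account|Source Workstation|Error Code):[ \t]*(\S*)", re.I | re.M)

def parse_events(text):
    """Return (account, workstation, status_code) tuples from exported event text."""
    events = []
    for chunk in re.split(r"(?im)^[ \t]*Logon attempt by:", text)[1:]:
        f = {k.lower(): v for k, v in FIELD.findall(chunk)}
        if f.get("logon account") and f.get("error code"):
            # The workstation field may be blank; keep the event and mark it.
            ws = f.get("source workstation", "").lstrip("\\").upper() or "(blank)"
            events.append((f["logon account"].lower(), ws, int(f["error code"], 16)))
    return events

def bad_password_sources(events, account):
    """Rank workstations by wrong-password failures for one account.

    0xC0000234 only says the account was already locked when the attempt arrived;
    the 0xC000006A failures are the ones that used up the lockout threshold.
    """
    tally = Counter(ws for acct, ws, code in events
                    if acct == account.lower() and code == 0xC000006A)
    return tally.most_common()

def _event(account, workstation, code):
    # Builds constructed sample text in the field layout of the event posted above.
    return ("Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            f"Logon account: {account}\n\nSource Workstation: {workstation}\n\n"
            f"Error Code: {code}\n\n")

SAMPLE = "".join(_event(*e) for e in [
    ("j.doe", "TS01", "0xC000006A"), ("J.Doe", "\\\\TS01", "0xC000006A"),
    ("j.doe", "TS01", "0xC000006A"), ("j.doe", "WS014", "0xC0000234"),
    ("a.smith", "", "0xC0000064"),
])

if __name__ == "__main__":
    events = parse_events(SAMPLE)
    for acct, ws, code in events:
        print(f"{acct:10} {ws:8} {STATUS.get(code, hex(code))}")
    print(bad_password_sources(events, "j.doe"))
```

In the constructed sample the locked-out attempt comes from WS014, but the failures that caused the lockout all come from TS01, which is the machine to inspect first.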
Author
7 Jul 2009 6:57 AM
Ace Fekay [Microsoft Certified Trainer]
"DD" <darshan.di***@infrasofttech.com> wrote in message news:O1cBfws$JHA.4692@TK2MSFTNGP02.phx.gbl...
> Hi,
> We have a Server 2003 network (2 Domain Controllers, 5 member servers, and
> about 100 Windows XP SP3 clients). Of late we have noticed that a
> random user would get into a lockout problem, i.e. all of a sudden their
> account gets locked out. However, they do not get notified of any password
> expiration or so. It happens again. It occurs while they are already logged
> ie: the Internet Explorer starts looking for authentication done anything to
> lock it out (ie: they haven't put in a bad password three times in
> succession). We unlock their account and it worked fine for some time and
> again it might be locked out.
>
>
>
> Best Regards,
> DD.
>
>


Do you have account auditing enabled? If so, you can determine which machine, app/service or IP it is coming from.

Is there a scheduled task running using the account?

How about a service that may be using the account? Dump your service account credentials with the following batch file on the DCs or any other machine that you suspect a service is using the account name in question. Save it as service.bat, or whatever you like to call it, and run it.

---
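@echo off
rem List the logon account (ObjectName) of every service and save it to services.txt
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s | find /i "objectname" >services.txt
rem Open the result for review
notepad services.txt
exit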
---

You can also try the following tools (EventCombMT & LockOutStatus.exe) to help pinpoint it. There's a tool in there called LockoutStatus.exe

Download details: Account Lockout and Management Tools (Apr 22, 2003) ... EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location. LockoutStatus.exe. ...
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

How to use the EventCombMT utility to search event logs for ... This article describes how to use the EventCombMT utility (EventCombmt.exe) to search the event logs of multiple computers for account lockouts.
http://support.microsoft.com/kb/824209

EventCombMT.exe - A Good Tool To Collect Event Logs
http://msmvps.com/blogs/nuoyan/archive/2005/11/04/74367.aspx


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
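
Added example (not part of the original post): a Python sketch that reads the unfiltered output of `reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s` and pairs each ObjectName value with its service name, so the services running as a given account can be listed. The sample output, service names and account names are constructed, and the function names are hypothetical.

```python
import re

# Accounts that never carry a user password and cannot cause a lockout.
BUILTIN = {"localsystem", "nt authority\\system",
           "nt authority\\localservice", "nt authority\\networkservice"}
KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\r\n]+)", re.I)
OBJ = re.compile(r"^\s+ObjectName\s+REG_SZ\s+(.+?)\s*$", re.I)

def service_accounts(reg_output):
    """Map service name -> logon account from `reg query ... /s` output."""
    accounts, current = {}, None
    for line in reg_output.splitlines():
        m = KEY.match(line)
        if m:
            current = m.group(1)   # subkeys of a service resolve to the same name
            continue
        m = OBJ.match(line)
        if m and current:
            accounts.setdefault(current, m.group(1))  # first value wins
    return accounts

def user_part(account):
    # DOMAIN\user, .\user and user@domain all reduce to "user".
    return account.rsplit("\\", 1)[-1].split("@", 1)[0].lower()

def services_using(reg_output, username):
    """Sorted names of services whose logon account belongs to `username`."""
    return sorted(s for s, a in service_accounts(reg_output).items()
                  if a.lower() not in BUILTIN and user_part(a) == username.lower())

# Constructed sample of reg query output.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter
    ObjectName    REG_SZ    NT AUTHORITY\LocalService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupAgent
    ObjectName    REG_SZ    CORP\j.doe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupAgent\Parameters
    ObjectName    REG_SZ    ignored-subkey-value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ReportSvc
    ObjectName    REG_SZ    j.doe@corp.example
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ObjectName    REG_SZ    LocalSystem
"""

if __name__ == "__main__":
    print(services_using(SAMPLE, "j.doe"))
```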
Author
7 Jul 2009 7:48 AM
Mark D. MacLachlan
I've often seen this happen when a user is logged on to a computer or
terminal session somewhere and forgets they are logged in.  They later
change their password and the old session occasionally tries to
authenticate with the old credentials and it causes the lockout status.
Author
7 Jul 2009 8:45 AM
DD
Hi,
I have enabled the directory service access but it does not show any logs.

Best Regards,
DD
Author
7 Jul 2009 3:17 PM
Ace Fekay [Microsoft Certified Trainer]
"DD" <darshan.di***@infrasofttech.com> wrote in message news:Ot1lG4t$JHA.4984@TK2MSFTNGP05.phx.gbl...
> Hi,
> I have enabled the directory service access but it does not show any logs.

Did you enable Account Logon attempts? They will show up in the security logs.

Ace
Author
7 Jul 2009 12:15 PM
Paul Bergson [MVP-DS]
I have a little tutorial on how to troubleshoot lockout problems at:

http://www.pbbergs.com/windows/articles.htm

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

Author
7 Jul 2009 3:24 PM
Ace Fekay [Microsoft Certified Trainer]
"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message news:%237%23RyHx$JHA.5092@TK2MSFTNGP03.phx.gbl...
> I have a little tutorial on how to troubleshoot lockout problems at:
>
> http://www.pbbergs.com/windows/articles.htm
>

That's a good suggestion in your blog about using Netlogon debug flag!

Ace