Re: What Happened? Passwords all expired...
From: Tim Springston [MSFT] (tspring_at_online.microsoft.com)
Date: 07/14/04
- Next message: Cary Shultz [A.D. MVP]: "Re: Updates done without SUS Server"
- Previous message: CP: "Advise Needed on AD Backup"
- In reply to: Todd S: "Re: What Happened? Passwords all expired..."
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 14 Jul 2004 09:35:59 -0500
Hi Todd-
I would be concerned about the scenario you outlined below since it doesn't
really explain how the new account policy setting(s) made it to the DCs.
I would strongly suggest enabling Success/Failure for Account Management
auditing at the domain controller level so that if this recurs you can
quickly ascertain how, why and from where this happened.
A tool which can help in this regard (parsing through the event logs for
specific events) is EVENTCOMBMT.EXE.
How to Use the EventcombMT Utility to Search Event Logs for Account Lockouts
http://support.microsoft.com/default.aspx?scid=kb;en-us;824209&Product=winsvr2003
--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"Todd S" <toddflbass@{ihatespam}yahoo.com> wrote in message
news:2bf9601c4699e$d2ba23e0$a601280a@phx.gbl...
> For what it's worth, this was a DNS issue. Basically what
> was happening was that since I have some clusters where
> the nodes are domain controllers, the Heartbeat addresses
> were getting registered into DNS. These heartbeat NICs
> aren't on the network so when workstations were
> authenticating they couldn't locate the domain and were
> going with what would normally be default domain security,
> i.e. password complexity. That is the theory of what
> happened.
>
> >-----Original Message-----
> >It is disabled and no other policies have been created
> >that would over write this.
> >
> >I am concerned that this might be a DNS issue. We use QIP
> >and we don't control that. It appears that when pinging
> >the domain name it isn't resolving to the DC's as it
> >should. So I think that may be why we are seeing these
> >issues. I'll post a result if that is what it is. Thanks.
> >
> >T
> >
> >>-----Original Message-----
> >>Ah, my apologies for not reading the whole thread.
> >>
> >>However, have you specifically disabled it? If not, then it's still on. If
> >>so, then has a domain policy been created or moved above this one in the
> >>pecking order to override this? Password policy can only be defined at
> >>domain level, but doesn't necessarily need to be defined by the DDP or DDCP.
> >>
> >>--
> >>
> >>Paul Williams
> >>_________________________________________
> >> http://www.msresource.net
> >>
> >>
> >>Join us in our new forums!
> >> http://forums.msresource.net
> >>_________________________________________
> >>
> >>
> >><anonymous@discussions.microsoft.com> wrote in message
> >>news:2bfbc01c46910$d4672820$a501280a@phx.gbl...
> >>Paul, Thanks for the attempt but please see the first
> >>post that says "I check my GPO's and password complexity
> >>is not enabled." This is a network that has been running
> >>for over a year and all of a sudden all users have to reset
> >>their password and make them complex although, the
> >>password complexity settings in GPO are disabled.
> >>
> >>>-----Original Message-----
> >>>> I just don't understand how password complexity is enabled when it's not
> >>>> turned on in Group Policy.
> >>>
> >>>Password complexity is on by default...
> >>>
> >>>--
> >>>
> >>>Paul Williams
> >>>_________________________________________
> >>> http://www.msresource.net
> >>>
> >>>
> >>>Join us in our new forums!
> >>> http://forums.msresource.net
> >>>_________________________________________
> >>>
> >>>
> >>>"Todd S" <toddflbass@{ihatespam}yahoo.com> wrote in message
> >>>news:2c30801c4690e$19581c80$a401280a@phx.gbl...
> >>>We audit:
> >>>account logon events success and fail
> >>>account management success and fail
> >>>directory service access success and fail
> >>>logon events success and fail
> >>>object access fail
> >>>policy change success and fail
> >>>privilege use fail
> >>>system events success and fail
> >>>
> >>>I have checked EventLogs. No other admins are saying
> >>>they've done anything. I recently rebooted a Windows 2003
> >>>DC and when I went to log back on I was told my password
> >>>had expired.
> >>>
> >>>Today I did promote a Windows 2003 machine as a domain
> >>>controller but we have several 2000 and 2003 DC's.
> >>>
> >>>I just don't understand how password complexity is enabled
> >>>when it's not turned on in Group Policy.
> >>>
> >>>>-----Original Message-----
> >>>>Are you auditing anything? Have you checked your Event Logs? What were you
> >>>>doing when this happened? Any other Admins at your place making changes?
> >>>>
> >>>>--
> >>>>Scott Harding
> >>>>MCSE, MCSA, A+, Network+
> >>>>Microsoft MVP - Windows NT Server
> >>>>
> >>>>"Todd S" <toddflbass@{ihatespam}yahoo.com> wrote in message
> >>>>news:2b7eb01c4690a$77ebad60$a601280a@phx.gbl...
> >>>>> Ok. All the passwords for all domain accounts just
> >>>>> expired and now are required to use password complexity.
> >>>>> I check my GPO's and password complexity is not enabled.
> >>>>> I am not sure what just happened. Any help would be
> >>>>> greatly appreciated. Thanks.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Todd
> >
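
The event-log search recommended at the top of this message, as an added example that is not part of the original thread or of EventCombMT: a PowerShell sweep of every domain controller's Security log for "Domain Policy was changed" events. It assumes the ActiveDirectory module (RSAT), rights to read remote Security logs, and that the relevant auditing was already enabled; event ID 4739 is the Windows Server 2008 and later ID (the same event was 643 on Windows 2000/2003), and the seven-day window is an assumption.

```powershell
# Added example: locate domain password/lockout policy changes on all DCs.
# Assumes the ActiveDirectory module and read access to remote Security logs.
Import-Module ActiveDirectory

$LookBackDays = 7        # assumed window; widen it to cover the incident
$filter = @{
    LogName   = 'Security'
    Id        = 4739     # "Domain Policy was changed" (643 on Windows 2000/2003)
    StartTime = (Get-Date).AddDays(-$LookBackDays)
}

$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    DomainController = $dc.HostName
                    TimeCreated      = $_.TimeCreated
                    EventId          = $_.Id
                    # The message body lists the policy values that changed and,
                    # in its Subject section, the account that wrote them.
                    Message          = $_.Message
                }
            }
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            continue     # nothing logged on this DC inside the window
        }
        # Unreachable DC or access denied: an unsearched log is not a clean log.
        Write-Warning "Could not search $($dc.HostName): $($_.Exception.Message)"
    }
}

# Oldest event first, so the earliest recorded change is at the top.
$findings | Sort-Object TimeCreated | Format-List
```

A DC that raises the warning has not been checked, so its log still needs to be reviewed before concluding that no policy change was recorded.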