Re: DC in remote site locking one user account




In news:3FE04001-9FAD-413E-815B-0D25A0DFE1C3@xxxxxxxxxxxxx,
Rob Taylor <RobTaylor@xxxxxxxxxxxxxxxxxxxxxxxxx> made this post, which I
then commented about below:
> I have a funny issue where one of my Domain Controllers is locking a
> user account over and over.
>
> Config:
> I have a simple three site config with one domain controller in each
> site.
> I know...we could use some additional domain controllers...but money
> is tight. Let's call the three sites: Site-A, Site-B and Site-C.
> Respectively we have DC-A, DC-B, and DC-C. I have determined DC-C is
> the server having the issue. All DCs are running 2003 SP1. The user
> works in Site-A.
>
>
> I have researched/tried the following to remedy the issue:
>
> I am certain the user does not have an active session with an old
> password on any Terminal Servers in use.
>
> I have tried resetting the user account and password directly on each
> domain controller in the domain.
>
> I have tried setting the password to never expire.
>
> I have disabled and re-enabled the user account. These changes all
> get replicated properly. Replication tests all seem to work properly.
>
> I have noticed that unlocking the user account on DC-C only works
> briefly (1-20 seconds) before the server locks it again. I have also
> noticed that if I reset the account continuously on DC-C I can
> prevent the user account from being locked out on all other DCs. This
> is not how I like to spend my day, but it proves that DC-C is the
> source of the problem. It appears DC-C has a corrupt copy of the AD
> DB, or at least this user's entry in the AD DB on DC-C is partially
> corrupt.
>
> Anyway...I have also tried the following trick:
>
> I made a copy of the user account and deleted the original and then I
> confirmed the original user account was no longer stored on any of
> the other Domain Controllers and then I tried re-creating the user
> account as it was by making a copy of the copy but using all of the
> same original user info. As soon as I re-created the account....DC-C
> started locking it up again. Talk about frustrating!
>
> So I am throwing this question to you.... How do I fix this? Do I
> need to run ADSI Edit and make some weird change for this user? What
> other steps can I take?

Just a guess, but it sounds like a service or app is using the account for
startup logon and the password was changed on the account, but not in the
service or app. Unless someone's hammering it one way or another or coming
through a website on the machine or in the domain, such as maybe OWA. Put it
this way, it's being locked because something is trying to use it. Any app
or service won't use the SID to look up the account, that's just for
accessing resources and domain authentication functionality, so that's why
it locks up again, it's using the logon alias.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
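An added example, not part of the original thread, that turns Ace's reasoning into something the poster can run from an admin workstation: compare the non-replicated bad-password counters on each DC to confirm which DC is receiving the failing logons, read that DC's lockout events to get the name of the machine sending them, then list the services and scheduled tasks on that machine that run under the account. The account name `rtaylor`, the DC names DC-A/DC-B/DC-C, and the choice of DC-C as the locking DC are placeholders for the poster's environment; the script assumes the RSAT ActiveDirectory module is installed and that the running user can read each DC's Security log and query WMI on member machines.

```powershell
<#
  Added example (not the original thread's code). Find what keeps feeding an
  old password for one account, following the reply above: whatever locks the
  account authenticates by logon name, so re-creating the account with the
  same name does not help. Names below are assumed placeholders.
#>
param(
    [string]   $SamAccountName    = 'rtaylor',                  # assumed
    [string[]] $DomainControllers = @('DC-A', 'DC-B', 'DC-C'),  # assumed
    [string]   $LockingDC         = 'DC-C'                      # assumed
)

Import-Module ActiveDirectory

# Step 1: compare the per-DC bad-password state. badPwdCount and
# badPasswordTime are not replicated; each DC reports only the failures it
# handled itself, so the DC whose counter keeps climbing is the one receiving
# the bad credentials.
Write-Host "== Per-DC bad password state for $SamAccountName =="
$DomainControllers | ForEach-Object {
    $u = Get-ADUser -Identity $SamAccountName -Server $_ `
                    -Properties badPwdCount, badPasswordTime, LockedOut
    [pscustomobject]@{
        DC              = $_
        BadPwdCount     = $u.badPwdCount
        LastBadPassword = if ($u.badPasswordTime) {
                              [DateTime]::FromFileTime($u.badPasswordTime)
                          } else { $null }
        LockedOut       = $u.LockedOut
    }
} | Format-Table -AutoSize

# Step 2: read the lockout events on the locking DC. Each event names the
# machine that sent the failing logon ("caller computer"). Event ID 4740 is
# Server 2008 and later; on the poster's Server 2003 DCs the classic Security
# log carries ID 644 instead (see the commented alternative below). Account
# management auditing must be enabled for either to be logged.
$callers = Get-WinEvent -ComputerName $LockingDC `
               -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
               -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull EventData fields by name rather than by position.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        if ($fields.TargetUserName -eq $SamAccountName) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                # In 4740 the TargetDomainName field holds the caller computer name.
                Caller = $fields.TargetDomainName
            }
        }
    }
# Server 2003 equivalent (classic event 644; the caller appears in the message text):
#   Get-EventLog -LogName Security -ComputerName $LockingDC |
#       Where-Object { $_.EventID -eq 644 -and $_.Message -match $SamAccountName }

Write-Host "== Machines sending the failing logons (from $LockingDC) =="
$callers | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Step 3: on each caller, list services and scheduled tasks that run as the
# account. Anything here still configured with the old password is the likely
# culprit. Get-CimInstance needs WinRM on the target; on pre-2008 hosts use
# Get-WmiObject (DCOM) with the same class and filter.
foreach ($caller in ($callers.Caller | Sort-Object -Unique)) {
    Write-Host "== $caller : services/tasks running as *$SamAccountName* =="
    Get-CimInstance -ClassName Win32_Service -ComputerName $caller `
                    -ErrorAction SilentlyContinue |
        Where-Object { $_.StartName -like "*$SamAccountName*" } |
        Select-Object Name, StartName, State | Format-Table -AutoSize

    schtasks /query /s $caller /v /fo csv 2>$null | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -like "*$SamAccountName*" } |
        Select-Object TaskName, 'Run As User', 'Last Result' | Format-Table -AutoSize
}
```

Run it from a machine that can reach all three DCs; step 1 alone reproduces the poster's "reset on DC-C keeps it unlocked everywhere" observation without the manual loop, because only DC-C's badPwdCount should move. Services and scheduled tasks are the two places a stored password most often goes stale; mapped drives reconnected at logon, IIS application pools, and COM+ identities are worth the same check on whichever caller the events point at.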
