Re: Account lockout every hour

From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
Date: Fri, 5 May 2006 14:13:11 -0500

You only got a single instance of this error? You should at least be seeing
this multiple times to just get the lockout.

I don't see how this is even possible. Wow! I'm not sure what to tell you.

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

"Anastasios Papadopoulos" <tpapad@xxxxxxxxxxxxxxxxxxx> wrote in message
news:jcdsi3-a41.ln1@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Paul Bergson wrote:

Are you logged into more than one machine? Usually what happens is a
user has mapped drives to a resource from one machine, on a different
machine he changes his password and then the first machine attempts to
stay mapped to a drive and the password is no longer correct and
eventually locks the user out.

To help try and track down where the account is getting locked out use
eventcomboMT.exe from the Account Lockout tools found out Microsoft's
website. Use the built in search AccountLockouts and search in the
created text files for the user in question.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e

Thank you very much for your time Paul.

As an administrator, I logon quite a few times a day to various machines,
especially on servers (by RDP). The lockout events happen on our PDC. The
thing is, even since I:
-Logged Off from all machines
-Changed my password
-Removed all drive maps
...the lockout still happens.

I mean, even if we accept that happend what you described (suppose I
changed my passwd at a very bad time), why is this still happening? Even
server reboot didn't help...

I have just run the tool you suggested but it show anything more than I
already knew. Any way, this is all I managed to get:

552,AUDIT SUCCESS,Security,Fri May 05 19:11:32 2006,NT
AUTHORITY\SYSTEM,Logon attempt using explicit credentials: Logged on
user: User Name: PDC$ Domain: MYDOM Logon ID: (0x0,0x3E7)
Logon GUID: {5450dWWW-74ed-WWWW-759d-c115b8ecWWWW} User whose
credentials were used: Target User Name: MyUserName Target Domain:
MYDOM Target Logon GUID: - Target Server Name: PDC.MYDOM.local
Target Server Info: PDC.MDOM.local Caller Process ID: 2360 Source
Network Address: - Source Port: -

Process 2360 is tcpsvcs.exe

Follow-Ups:
- Re: Account lockout every hour
  - From: Anastasios Papadopoulos

References:
- Account lockout every hour
  - From: Anastasios Papadopoulos
- Re: Account lockout every hour
  - From: Paul Bergson
- Re: Account lockout every hour
  - From: Anastasios Papadopoulos

Prev by Date: 1030 / 40961 / 673 on DC - MVP wanted
Next by Date: Re: ADAM access fails when authenticating w/ credentials from user within ADAM
Previous by thread: Re: Account lockout every hour
Next by thread: Re: Account lockout every hour
Index(es):
- Date
- Thread

Relevant Pages

Re: Username Vulnerability???
... Open Server Manager> highlight the PDC ... Password Policy and Account Lockout Policy are both ...
(microsoft.public.windows.server.general)
Re: OU group policy and how to use ldapsearch to find GPO settings
... The account is a domain account. ... Account Policies effective for all domain accounts. ... Your ldap query is seeing the settings that are in use for the domain. ... If I configure the account lockout policy in the default domain policy, ...
(microsoft.public.windows.group_policy)
Re: Replication of password resets/unlocks
... Assuming that the reg key AvoidPDCOnWan isn't set passwords will be sent immediately out of band to the PDC when changed on a local machine. ... I haven't dug into the specifics but I believe that occasionally it will check with the PDC to see if the account has been unlocked but not for every auth attempt, this is so a PDC will not be overwhelmed by attempts to auth a locked account. ... The idea behind auto lockout is to prevent brute force systems from sending thousands of passwords an hour to crack a password, if that is the case, then setting the lockout policy to 25 bad attempts and locking the account out for say 5 minutes is just as good from a security perspective; it will seriously impact the ability for a brute force attack. ... From the usability standpoint, it will only lockout users who have really screwed up with their password and give them just enough time to realize they really screwed up but take less time than a call to the helpdesk for an unlock and replication of the unlock meaning that if they call the helpdesk for a rest, the only mechanism that comes into play is the one in the first paragraph above which works fine. ...
(microsoft.public.windows.server.active_directory)
Re: 2003 Server Client/Delegation and Data Issues
... "reveal" the read and write lockout time permissions. ... I have an account that I ... default - no mention of domain users. ...
(microsoft.public.windows.server.active_directory)
Re: lockaccount flag in userAccountControl does not change
... Neither has explicit support for dealing with lockout though. ... The IADsUser interface in ADSI attempts to support it, ... checks to see if lockoutTime has a value or not and assumes the account is ... For more information on unlock, ...
(microsoft.public.windows.server.active_directory)