Re: access granted after lock out
Hi
There are many reasons that can cause an account to lock out.
For instance: you changed the password of a given user, and the user is logged on to more than one machine with the old password (using connected mapped drives or Outlook); or some services using the old password are trying to run; or the user has saved their previous password for some resource that requires authentication, etc.
In these situations, if you change the password, the services or the users that are still logged on keep trying to use the old password, causing the lockout.
To troubleshoot and re-check your policy, take a look at:
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
Account Lockout and Management Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
--
*************************************************
I hope that the information above helps you
Good Luck

Jorge Silva

MCSA + Exchange + MSCE
*************************************************

"r. wales" <rwales@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:1BBD9557-06C1-402A-A122-DF57202B12BA@xxxxxxxxxxxxxxxx
I had an interesting thing happen this morning. While reviewing security
logs, I found many entries for a user account failed logon due to account
lock out. I went to speak to the user in question to let them know I would
take care of it (I had not received a call yet). When I got to her office,
she was up and running and had Outlook running. I checked AD again and the
account was flagged as locked out. I went through the logs of all three
domain controllers and there was no successful logon for this user. On our
primary DC, I can see where her machine authenticated and then the many, many
failed logons for her account (all 0x12 failure codes). My question... How
did this happen?

Without resetting her account, I had her log out, restart her computer and
log in again hoping to see a message of some sort. When she tried to log in
she was given the notice that her account was locked out. This is raising
concerns about the security of our domain. Hope you can help.
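The troubleshooting the reply points at (find which client is sending the bad credentials, then look at the 0x12 failures that follow the lockout) can be scripted against the PDC emulator's Security log. The following is an added example, not code from either poster or from the Microsoft articles linked above. It assumes a Windows Server 2008 or later domain controller (event IDs 4740 and 4771; the Windows Server 2003 equivalents are 644 and 675), the ActiveDirectory PowerShell module, and rights to read the PDC emulator's Security log remotely. The parameter names and the helper function are this example's own.

```powershell
# Added example (not from the original thread): locate the source of an
# account lockout from the PDC emulator's Security log, then group the
# Kerberos pre-authentication failures with status 0x12
# (KDC_ERR_CLIENT_REVOKED, i.e. "account locked/disabled") by client IP.
# Assumes 2008+ DCs (4740/4771); on 2003 the equivalents are 644/675.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [int]$Hours = 24
)

Import-Module ActiveDirectory

# Bad-password attempts and lockouts are always forwarded to the PDC
# emulator, so it holds the complete record even if the client hit another DC.
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$Hours)

# Helper: turn the EventData XML of a Security event into a name -> value table
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Current lockout state as AD sees it
Get-ADUser $SamAccountName -Properties LockedOut, AccountLockoutTime, BadPwdCount |
    Select-Object SamAccountName, LockedOut, AccountLockoutTime, BadPwdCount

# 4740 = "A user account was locked out". The caller computer name is
# carried in the TargetDomainName data field of this event.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData $_
    if ($d['TargetUserName'] -eq $SamAccountName) {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            User           = $d['TargetUserName']
            CallerComputer = $d['TargetDomainName']
        }
    }
} | Format-Table -AutoSize

# 4771 = Kerberos pre-authentication failed. Status 0x12 means the KDC
# refused because the account is locked out; these are the "failed logons
# due to lock out" the original poster saw. Grouping by IpAddress shows
# which machine(s) keep retrying with the old credentials.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4771; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData $_
    if ($d['TargetUserName'] -eq $SamAccountName -and $d['Status'] -eq '0x12') {
        [pscustomobject]@{ Time = $_.TimeCreated; ClientIP = $d['IpAddress'] }
    }
} | Group-Object ClientIP | Select-Object Name, Count | Sort-Object Count -Descending
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName jdoe -Hours 8` from a workstation with RSAT. The 4740 table answers "which computer locked the account"; the 4771 grouping answers "which clients are still hammering it with the stale credential", which in the scenario above points at the machine where Outlook or a mapped drive is still using the old password.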
