Re: access granted after lock out
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Wed, 6 Dec 2006 20:25:25 -0000
weird....
Check:
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
http://technet2.microsoft.com/WindowsServer/en/library/35958fa8-2e47-4cf9-9f11-5095e5b5525e1033.mspx?mfr=true
User is not alerted when logging on with domain cached credentials
http://support.microsoft.com/kb/242536
You cannot log on to a computer that is using cached credentials after you change your password by using a domain controller
http://support.microsoft.com/kb/818088
Note: The user is only able to use cached Credentials if the DC(s) aren’t available.
For example: if 1 DC is online and the machine can reach that DC, but that DC isn’t a GC and a GC is needed to log on, then you’ll receive an error and you’re not able to log on.
--
*************************************************
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA + Exchange + MSCE
*************************************************
"r. wales" <rwales@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:E625CC70-7A26-4D43-8E2B-341447AEFDE2@xxxxxxxxxxxxxxxx
The 3 attempts thing has been working well for us. We have a few lockouts at
password change, but not as many as you might think. She is logging onto our
PDC. I checked all three DC's to make sure we were replicating properly and
her account was locked out on all three. She was still allowed to log on.
How can I tell or prevent her from using cached credentials?
Thanks for all your help on this.
"Jorge Silva" wrote:
3 attempts!!! that's too short my friend... You probably end up with many
locked accounts when user's pw changes...
Please correct me if I'm wrong, you're saying that she's able to logon with
her account locked out?
Which DC is She using to logon (type from cmd -> set LOGONSERVER), check if
that DC has her account locked out.
Also be sure that she isn't using cached credentials.
--
*************************************************
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA + Exchange + MSCE
*************************************************
"r. wales" <rwales@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0FE480ED-6206-44EA-8A8E-29B9D5A64744@xxxxxxxxxxxxxxxx
> Thanks, Jorge.
> I know why the account was locked out. It seems that yesterday afternoon
> she fat fingered her password when returning to her locked desktop. We
> lock out accounts after three attempts and require Admin to unlock. (my
> logs show this attempt and lockout activity) She then tried again and was
> allowed in and finished out her day. She then shut down and went home.
> This leads us to this morning where she was allowed on even though her
> account was locked out. I do not know if she tried to access network
> resources or if she had only launched Outlook when I had her restart.
> Regardless, and correct me if I am wrong, the AD behavior should have been
> to deny her the ability to log on; which it did after the machine
> restarted and I was watching. What I can't figure out is how she was
> allowed on yesterday afternoon and initially this morning. No matter what
> I try, I can't seem to reproduce the situation.
> I'm getting close to pulling hair out.
>
> "Jorge Silva" wrote:
>
>> Hi
>> There are many reasons that can cause an account to lock out.
>> For instance: you changed the password of a given user and if the user
>> is logged on in more than one machine with the old password using
>> connected mapped drives or Outlook, or maybe some services using the old
>> password trying to run, user having saved their previous password to
>> some resource that requires authentication, etc...
>> In these situations if you change the PW the services, or the users that
>> are still logged on still try to use the old PW causing the lockout.
>> To troubleshoot and re-check your policy take a look at:
>> Account Passwords and Policies
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
>> Account Lockout and Management Tools
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>> --
>> *************************************************
>> I hope that the information above helps you
>> Good Luck
>>
>> Jorge Silva
>>
>> MCSA + Exchange + MSCE
>> *************************************************
>>
>> "r. wales" <rwales@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:1BBD9557-06C1-402A-A122-DF57202B12BA@xxxxxxxxxxxxxxxx
>> > I had an interesting thing happen this morning. While reviewing
>> > security logs, I found many entries for a user account failed logon
>> > due to account lock out. I went to speak to the user in question to
>> > let them know I would take care of it (I had not received a call yet).
>> > When I got to her office, she was up and running and had Outlook
>> > running. I checked AD again and the account was flagged as locked out.
>> > I went through the logs of all three domain controllers and there was
>> > no successful logon for this user. On our primary DC, I can see where
>> > her machine authenticated and then the many, many failed logons for
>> > her account (all 0x12 failure codes). My question... How did this
>> > happen?
>> >
>> > Without resetting her account, I had her log out, restart her computer
>> > and log in again hoping to see a message of some sort. When she tried
>> > to log in she was given the notice that her account was locked out.
>> > This is raising concerns about the security of our domain. Hope you
>> > can help.
>>
>>
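
Added example, not part of the original thread: one way to tell whether a locked-out account was still let in through cached credentials is to look for logon events with a cached logon type recorded while the lockout was in effect. It assumes current Windows event IDs (4740 lockout, 4767 unlock, 4624 logon with logon types 11, 12 and 13) exported to a hypothetical CSV layout; the host names, user names and rows are constructed.

```python
import csv
import io
from datetime import datetime

LOCKED_OUT, UNLOCKED, LOGON = 4740, 4767, 4624
# Logon types that mean the credentials were verified against the local cache.
CACHED_TYPES = {11: "CachedInteractive", 12: "CachedRemoteInteractive",
                13: "CachedUnlock"}

# Constructed sample export: time,host,event_id,user,logon_type (assumed layout).
SAMPLE = """\
2024-01-09T15:02:11,DC1,4740,jdoe,
2024-01-09T15:03:40,WS042,4624,jdoe,13
2024-01-10T08:01:15,WS042,4624,JDoe,11
2024-01-10T08:05:00,WS017,4624,asmith,11
2024-01-10T09:30:00,DC1,4767,jdoe,
2024-01-10T09:31:20,WS042,4624,jdoe,2
2024-01-10T10:00:00,WS042,4624,jdoe,11
"""

def parse(text):
    """Turn the CSV export into a time-ordered list of event dicts."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        when, host, event_id, user, logon_type = row
        events.append({"time": datetime.fromisoformat(when), "host": host,
                       "id": int(event_id), "user": user.lower(),
                       "type": int(logon_type) if logon_type else None})
    return sorted(events, key=lambda e: e["time"])

def cached_logons_while_locked(events):
    """Return cached-credential logons that happened during a lockout."""
    locked = set()
    findings = []
    for e in events:
        if e["id"] == LOCKED_OUT:
            locked.add(e["user"])
        elif e["id"] == UNLOCKED:
            locked.discard(e["user"])
        elif (e["id"] == LOGON and e["type"] in CACHED_TYPES
              and e["user"] in locked):
            findings.append((e["time"].isoformat(), e["host"], e["user"],
                             CACHED_TYPES[e["type"]]))
    return findings

if __name__ == "__main__":
    for finding in cached_logons_while_locked(parse(SAMPLE)):
        print(*finding)
```

Cached logons are written only to the Security log of the machine where the logon happened, so the export has to include the workstations as well as the DCs.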