RE: Please help me, it is highly Urgent.............
- From: Abhi <Abhi@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 31 Jul 2007 01:42:09 -0700
Ryan,
Thanks a lot for your response; it is appreciated. I was going through the
netlogon logging, and one thing I have noticed is:
Transitive Interactive logon <domain>\user1 <computer name> (via computer name) 0xC0000064
I know 0xC0000064 means the user account does not exist, but what does it
really mean?
Also, I have seen that a Transitive Network logon shows 0xC0000234,
like:
LOGON] SamLogon: Transitive Network logon of <domain>\<username> from <computername> (via PROXYSRV) Returns 0xC0000234
What does it really mean? Does it mean the account was locked while the user
was trying to log in to the proxy server, or was the account locked prior to
accessing the proxysrv?
"Ryan Hanisco" wrote:
Hi Abhi,
By Number:
1. You are in the right place with the lockout tools. If it is something
common you should be able to find it that way. It would seem that you have
already identified that it is from certain machines rather than from a single
source. You might not be able to narrow it down farther easily.
2. I don't think 5 is terribly low, though knowing people, they'll sometimes
try it a few times before calling the help desk. A value of 10 will let you
avoid those lockouts, but is way below the threshold if you have an automated
program doing a dictionary attack. You have to evaluate the amount of risk
that you are willing to take, but neither 5 nor 10 seems unreasonable.
3. Persistent drive mappings or mappings done with the username and password
in the setup might trigger a lockout event when it connects with the drive.
This would be when it boots, runs the script, or connects to the resource.
This doesn't appear to be what you're seeing.
If you haven't just had a bunch of passwords change, installed new software,
or modified the security policy, I would think that you've got some kind of
virus or malware running around. It is fairly easy to generate a list of
users and then the program is free to try new passwords until one works.
Other than that, you'd expect the requests to be coming from servers or web
resources.
Good Luck.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need
quickly.
"Abhi" wrote:
Hi All,
We are in Windows 2000 mixed mode. User accounts are on the child domain.
Nowadays there is a huge increase in the number of account lockout calls that
the helpdesk is receiving.
The settings are like this,
Account lockout duration = 0 (an administrator must unlock the account)
Account lockout threshold = 5 invalid logon attempts
Reset account lockout counter after = 15 minutes
I have tried to use account lockout tools to find out the root cause. I
found that subsequent wrong credentials are being passed by the end users, but
according to them they have typed the password only once. It is also noted
that while they are working, all of a sudden their accounts are getting
locked out!
I have enabled netlogon logging on the PDC Emulator but it did not give any hint.
I was also referring to the technet article,
http://technet2.microsoft.com/windowsserver/en/library/f3abc878-3eab-4eaf-9bff-9f0d058d4fc31033.mspx?mfr=true
there are a few things I want to clarify,
The article says: Many programs cache credentials or keep active threads that
retain the credentials after a user changes their password.
1) How do I find out the applications which are creating problems? Maybe IE
(if the user selects the option save password). Can anyone help me with this?
2) Bad Password Threshold is set too low: This is one of the most common
misconfiguration issues. Many companies set the Bad Password Threshold
registry value to a value lower than the default value of 10. If you set this
value too low, false lockouts occur when programs automatically retry invalid
passwords. Microsoft recommends that you leave this value at its default
value of 10. For more information, see "Choosing Account Lockout Settings for
Your Deployment" in this document.
In our environment Bad Password Threshold is set to 5. But my question is
regarding the value 10 which is given in the article. Is there any specific
reason why a value of 10 is recommended? And what is meant by false
lockout?
3) Persistent drive mappings: Persistent drives may have been established
with credentials that subsequently expired. If the user types explicit
credentials when they try to connect to a share, the credential is not
persistent unless it is explicitly saved by Stored User Names and Passwords.
Every time that the user logs off the network, logs on to the network, or
restarts the computer, the authentication attempt fails when Windows attempts
to restore the connection because there are no stored credentials.
How does net use differ from Map Network Drive in the GUI?
Are persistent drive mappings not recommended?
One more thing I have noticed is that these issues are coming from Windows
2000 professional with SP4, not from XP professional and our DCs are Windows
2000 with SP4.
Any help and pointers are highly appreciated.
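
Added example (not part of the thread or of any poster's message): a Python sketch that tallies failed SamLogon results from Netlogon log text by account, originating computer and the server the request came via, and records when each account first returned 0xC0000234. The timestamp layout, the 0xC000006A entry and the sample lines are assumptions or constructed data that do not appear in the thread.

```python
import re
from collections import Counter, defaultdict

# NTSTATUS values relevant to lockout triage (the first and last are quoted in the thread).
STATUS = {
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}

# "Returns" half of a SamLogon entry. The leading MM/DD HH:MM:SS stamp is an assumption.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?SamLogon: "
    r"(?P<kind>(?:Transitive )?(?:Network|Interactive)) logon of "
    r"(?P<account>\S+) from (?P<client>\S*) \(via (?P<via>[^)]+)\) "
    r"Returns (?P<code>0x[0-9A-Fa-f]{1,8})\s*$"
)

# Constructed sample log lines, not taken from the thread.
SAMPLE = r"""
07/31 01:40:02 [LOGON] SamLogon: Transitive Network logon of CHILD\user1 from WKS-017 (via PROXYSRV) Entered
07/31 01:40:02 [LOGON] SamLogon: Transitive Network logon of CHILD\user1 from WKS-017 (via PROXYSRV) Returns 0xC000006A
07/31 01:40:03 [LOGON] SamLogon: Transitive Network logon of CHILD\user1 from WKS-017 (via PROXYSRV) Returns 0xC000006A
07/31 01:40:05 [LOGON] SamLogon: Transitive Network logon of CHILD\user1 from WKS-017 (via PROXYSRV) Returns 0xC0000234
07/31 01:41:10 [LOGON] SamLogon: Transitive Interactive logon of CHILD\user2 from WKS-042 (via WKS-042) Returns 0xC0000064
07/31 01:41:30 [LOGON] SamLogon: Network logon of CHILD\user3 from WKS-050 (via FILESRV) Returns 0x0
"""

def parse(text):
    """Yield one dict per failed SamLogon result; skip 'Entered' and 0x0 lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        code = "0x" + m["code"][2:].upper().zfill(8)
        if code == "0x00000000":
            continue
        yield {**m.groupdict(), "code": code, "status": STATUS.get(code, code)}

def summarize(text):
    """Per account: failure counts keyed by (client, via, status), and first lockout time."""
    failures, first_lockout = defaultdict(Counter), {}
    for e in parse(text):
        failures[e["account"]][(e["client"], e["via"], e["status"])] += 1
        if e["status"] == "STATUS_ACCOUNT_LOCKED_OUT":
            first_lockout.setdefault(e["account"], e["ts"])
    return failures, first_lockout
```

Calling `summarize()` on the text of a real netlogon.log groups every non-zero result the same way; a single client/via pair dominating an account's failures points at the machine or service to inspect.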