Re: How to find where a username is trying to log on from
- From: "Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Fri, 15 Feb 2008 07:52:12 -0600
Is the account logged into more than one machine or is it running a service
on the same machine? A user could have mapped drives to a resource from one
machine, on a different machine he changes his password and then the first
machine attempts to stay mapped to a drive and the password is no longer
correct and eventually locks the user out. Or after a password is changed a
service is running that attempts to authenticate with an old password.
To help try and track down where the account is getting locked out use
eventcombMT.exe from the Account Lockout tools found on Microsoft's
website. Use the built-in search AccountLockouts and search in the created
text files for the user in question.
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
You can also set the debug flag on NetLogon to track authentication. "This
creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts."
http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"gbug" <gbug@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:22F20B77-7859-4A9F-B9D5-F2C7E007C4DC@xxxxxxxxxxxxxxxx
Hi all, I am having many problems with my AD. Continuously throughout the
day I receive events stating: "Active Directory could not update the
following object with changes received from the domain controller at the
following network address because Active Directory was busy processing
information.", and this one as well: "The SAM database was unable to lockout
the account of 'username' due to a resource error, such as a hard disk write
failure (the specific error code is in the error data). Accounts are locked
after a certain number of bad passwords are provided so please consider
resetting the password of the account mentioned above."
Both events have to do with the same account - our main administrator
account. I want to find out where this account is logged onto, and where
logon requests are coming from. I am trying to figure out why these error
messages are occurring, and potentially remove this admin account from
running any services, etc.
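
The NetLogon debug log mentioned in the reply can be summarized per source machine. The following is an added example, not part of the original posting: it tallies failed logons for one account by originating computer. The sample lines are constructed, and the line layout assumed by the regular expression (a `SamLogon: ... Returns 0x...` entry) may differ between Windows versions.

```python
import re
from collections import Counter

# NTSTATUS codes relevant to lockout tracing.
FAILURES = {
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
}

# Assumed netlogon.log layout; adjust if your DC writes extra fields.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: "
    r"(?:Transitive )?\w+ logon of (?P<domain>[^\\]*)\\(?P<user>\S+) "
    r"from (?P<src>\S*)(?: \(via (?P<via>[^)]+)\))? "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

# Constructed sample input (hypothetical domain, hosts and accounts).
SAMPLE = r"""
02/15 07:41:03 [LOGON] SamLogon: Network logon of CONTOSO\admin from WKS-017 Entered
02/15 07:41:03 [LOGON] SamLogon: Network logon of CONTOSO\admin from WKS-017 Returns 0xC000006A
02/15 07:41:09 [LOGON] SamLogon: Transitive Network logon of CONTOSO\admin from FILESRV02 (via DC02) Returns 0xC000006A
02/15 07:41:40 [LOGON] SamLogon: Network logon of CONTOSO\Admin from wks-017 Returns 0xC000006A
02/15 07:42:10 [LOGON] SamLogon: Network logon of CONTOSO\admin from WKS-017 Returns 0xC0000234
02/15 07:43:00 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from WKS-101 Returns 0x0
"""

def failed_logon_sources(lines, username):
    """Count failed logons for `username` as (source, via, reason) tuples."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["user"].lower() != username.lower():
            continue  # not a completed logon for this account
        status = int(m["status"], 16)
        if status not in FAILURES:
            continue  # success or an unrelated error
        source = m["src"].upper() or "(blank)"
        counts[(source, m["via"] or "-", FAILURES[status])] += 1
    return counts

if __name__ == "__main__":
    hits = failed_logon_sources(SAMPLE.splitlines(), "admin")
    for (src, via, reason), n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {src:<12} via {via:<6} {reason}")
```

A blank source or a `via` hop usually means the attempt was passed through another server, so that server's own logs are the next place to look.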