Re: User accounts are being locked out

From: Ira Schmidt (Schmidt_at_discussions.microsoft.com)
Date: 10/22/04


Date: Fri, 22 Oct 2004 15:33:04 -0700

The problem has been going on for the last two and a half weeks and has even
happened during the middle of the night when there is no one on the network.
There are about 95 PCs in the network and we have physically disconnected all
network ports that are not in use, and anyone who brings in a laptop has to
contact the IT dept. to get a live connection. We suspected a couple of
vendor PCs, but shut those down and the problem still persisted. The lockouts
will occur randomly for several hours and stop for as much as 36 hours. I am
suspecting that a PC somewhere has a trojan that is attempting to log on to
the accounts in order to find a weak password. The lockouts usually occur
with a group of user accounts that are listed alphabetically in User manager.
I have the password policy set to allow seven password attempts before
locking the account. All of our Win2k servers are at SP 4 and the domain
controllers for the NT domain have the security patches that are as recent as
last week. Some of the accounts that are being locked out are owners of
mailboxes that are used internally in the company to store email messages
related to business partners and are never used to actually log on to the
network.

"Todd J Heron" wrote:

> The computer name changing randomly looks like it is due to computers
> dropping in and out of the browse list. Could be laptop users. You might
> want to be concerned with who these laptop users are. Travelling Sales
> force? Telecommuters? Students? Think about that for a little bit, then
> review my "cookbook" recipe for determining the source of the lockout
> problem on multiple accounts.
>
> Lockouts are common when there are replication problems between the PDC and
> BDCs. Open Server Manager > highlight the PDC > click on Computer >
> Synchronize the entire domain > check the system log of the Event Viewer on
> all DCs to determine whether synchronization was successful.
>
> Password Policy and Account Lockout Policy are both domain-wide policies, so
> if only a small number of users are affected, it's unlikely that the policy
> itself is the problem. (For a single user, continuous lock-out situation, I
> always suggest that they find all workstations they have logged into
> recently and close Outlook, because it caches the password of the logged in
> account, and if it changes, then the old credentials will be denied and
> cause a domain controller to lock the account out based on bad password
> attempts). Look for a scheduled task or service running using the old
> password. It's also possible that some application or mapped drive is
> caching the old password. This can especially be a problem if users are
> logged into multiple machines. Here's an example scenario: User1 logs into
> machineA and machineB. User1 changes his password on machineA, but fails to
> logout of machineB. MachineB's antivirus software wakes up and attempts to
> download updated signature files located on a network share. MachineB's
> antivirus process cannot connect to the network share since User1's
> credentials on MachineB are now invalid, but continues to attempt to reach the
> network resource 3 times before giving up, which inadvertently locks out
> User1's account from MachineB. This scenario would be avoided simply by
> logging out of machineB and logging back into machineB once User1 updates
> his password from MachineA. Without knowing what your current policy settings
> are, you may want to consider changing them, at least temporarily while
> troubleshooting. For example, increase the number of bad password logon
> attempts to 10 in 30 minutes, and unlock at 30 minutes. And check in all
> event logs on the DC's for any clues, and get the exact error message when
> this happens. If you decide to open an incident for this, this info will
> help the engineer assist you. Also, all Windows 2000 servers and
> workstations should be on Service Pack 3, if not already, because there were
> a number of fixes included in SP3 for lockout issues.
>
> 1) Get all NT 4.0 DC's out of environment as soon as possible if it is a
> mixed environment
> 2) Make sure all Win2k DC's have latest service pack (since many account
> lockout issues are resolved in SP2, SP3)
> 3) Validate the account lockout policy settings on the Win2k domain
> 4) Is Web Sense installed anywhere on the network? Web Sense sends a logon
> prompt when accessing the web. An option is available to save password for
> this dialog and this is known to cause lock-out issues.
> 5) See: HOW TO: Prevent Network Share Shortcuts from Being Added to My
> Network Places http://support.microsoft.com/?id=242578
> 6) Check for persistent drive mappings using saved account\password.
> Increased Account Lockout Frequency in Windows 2000 Domain:
> http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b264678
> 7) Click here for an Account Lockout Status tool which will show the lockout
> status across a domain for a particular user:
>
> L:\Utils\acctlockouttool.zip
>
> Reference:
> Verifying Domain Netlogon Synchronization
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q149664
>
> Account Lockouts and 5711 Events on the PDC
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q191828
>
> Using the Checked Netlogon.dll to Track Account Lockouts
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q189541
>
> --
> Todd J Heron, MCSE
> Windows 2003/2000/NT
>
> "Ira Schmidt" <Ira Schmidt@discussions.microsoft.com> wrote in message
> news:D3C11A5D-7B22-45BB-A913-E15D53793AD3@microsoft.com...
> > User accounts are being locked out randomly in an NT domain. It appears
> > that
> > they are being locked out from computer names that do not exist on the
> > domain. The computer name changes randomly and has used names like
> > \\palnet
> > or \\acs and the names change every few days. Is there a way to find out
> > where these logon attempts are coming from? I have checked Wins manager
> > and
> > dhcp manager without finding the computer names. I suspect a trojan is
> > installed on one of the computers in the domain. I am migrating users to
> > Active Directory and those accounts are not affected.
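One way to work through Todd's "check all event logs on the DCs" step, as an added example that is not part of this thread: a small Python script that tallies bad-password and lockout records from an exported DC security log by source workstation, flags workstations that are not in the inventory (the way \\palnet and \\acs were unknown to Ira), and pairs each locked account with the single source that reached the seven-attempt threshold on its own. The tab-separated record layout and the event IDs (529 for a bad-password logon failure, 644 for an account lockout) are assumptions about the export, and the sample records are constructed.

```python
"""Tally exported Windows 2000 DC security-log records by source workstation.
Added example, not from the thread. The tab-separated layout and event IDs
(529 = logon failure, bad password; 644 = account locked out) are assumptions;
the sample records are constructed."""
from collections import Counter, defaultdict

# Constructed sample export: time, event id, account, workstation name
SAMPLE_ROWS = (
    [("2004-10-22 02:13:%02d" % i, "529", "jsmith", "PALNET") for i in range(7)]
    + [("2004-10-22 02:13:07", "644", "jsmith", "PALNET"),  # lockout after 7 failures
       ("2004-10-22 02:13:08", "529", "jadams", "PALNET"),  # next account alphabetically
       ("2004-10-22 08:01:00", "529", "bob", "WS01"),       # ordinary typo from a real PC
       ("2004-10-22 08:01:09", "529", "bob", "WS01")]
)
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)
# Hypothetical inventory of machines that legitimately exist on the domain
KNOWN_HOSTS = {"WS01", "WS02", "FILESRV", "PDC"}


def parse_records(text):
    """Split an exported log into dicts; workstation names normalised to upper case."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, workstation = line.split("\t")
        records.append({"time": ts, "event_id": int(event_id),
                        "account": account.lower(), "workstation": workstation.upper()})
    return records


def analyze(records, known_hosts, threshold=7):
    """Count bad passwords per source, list lockouts, flag sources not in the
    inventory, and pair each account with any source that alone hit the threshold."""
    bad_by_ws = Counter()
    bad_by_account = defaultdict(Counter)
    locked = []
    for r in records:
        if r["event_id"] == 529:
            bad_by_ws[r["workstation"]] += 1
            bad_by_account[r["account"]][r["workstation"]] += 1
        elif r["event_id"] == 644:
            locked.append((r["account"], r["workstation"]))
    unknown = {ws for ws in bad_by_ws if ws not in known_hosts}
    at_risk = {acct: ws for acct, srcs in bad_by_account.items()
               for ws, n in srcs.items() if n >= threshold}
    return {"bad_by_ws": bad_by_ws, "locked": locked,
            "unknown_sources": unknown, "at_risk": at_risk}
```

Run `analyze(parse_records(SAMPLE_LOG), KNOWN_HOSTS)` and the unknown source PALNET stands out with eight failures and the only lockout, while WS01's two failures look like a user mistyping.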