Re: Windows server account always gets locked - repost



This is my "cookbook" recipe for determining the source of the lockout
problem on multiple accounts.

In the NT 4.0 days, lockouts were common when there were replication
problems between the PDC and BDCs. Open Server Manager > highlight the PDC
> click on Computer > Synchronize the entire domain > check the system log
of the Event Viewer on all DCs to determine whether synchronization was
successful. Those were the NT 4 days though....

In Active Directory, Password Policy and Account Lockout Policy are both
domain-wide policies, so if only a small number of users are affected, it's
unlikely that the policy itself is the problem. Without knowing what your
current policy settings are, you may want to consider changing them, at
least temporarily while troubleshooting. For example, increase the number
of bad password logon attempts to 10 in 30 minutes, and unlock at 30
minutes. And check all event logs on the DCs for any clues, and get the
exact error message when this happens. Also, if running Windows 2000, all
servers and workstations should be on Service Pack 3, if not already,
because there were a number of fixes included in SP3 for lockout issues.

1) Get all NT 4.0 DCs out of the environment as soon as possible if it is a
mixed environment.
2) Make sure all Win2k or K3 DCs have the latest service pack (since many
account lockout issues are resolved in SP2, SP3).
3) Validate the account lockout policy settings on the Win2k domain.
4) Is Websense installed anywhere on the network? Websense sends a logon
prompt when accessing the web. An option is available to save the password
for this dialog, and this is known to cause lockout issues.
5) See: HOW TO: Prevent Network Share Shortcuts from Being Added to My
Network Places http://support.microsoft.com/?id=242578
6) Check for persistent drive mappings using a saved account\password. See:
Increased Account Lockout Frequency in Windows 2000 Domain:
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b264678

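An added example, not part of the post above and not Microsoft's own code, that works steps 2, 3 and 6 of the cookbook from one PowerShell session on a current domain. It assumes (the post does not say this) Windows Server 2008 R2 or later domain controllers and the ActiveDirectory RSAT module. On those versions a lockout is written to the PDC emulator's Security log as event 4740 (the Windows 2000/2003-era event was 644), and the event names the workstation that sent the bad password, which is the machine that still holds the stale drive mapping, saved web password or service credential.

```powershell
# Added example (not from the original post). Assumptions: Windows Server 2008 R2+ DCs,
# the ActiveDirectory RSAT module installed, and an account that can read the DCs'
# Security logs (Domain Admins or Event Log Readers on the DCs).
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName,     # the locked-out user, e.g. jdoe
        [int]$LookbackHours = 24
    )

    # Step 3 of the cookbook: what is the domain-wide lockout policy actually set to?
    $policy = Get-ADDefaultDomainPasswordPolicy
    Write-Host ("Domain policy: {0} bad attempts in {1}, locked for {2}" -f $policy.LockoutThreshold, $policy.LockoutObservationWindow, $policy.LockoutDuration)

    # A fine-grained password policy (2008+) can override the domain policy for one
    # user, so check it before assuming the default applies to this account.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { Write-Host "PSO '$($pso.Name)' overrides the domain policy for this user" }

    # badPwdCount is not replicated between DCs, so ask each DC where the bad
    # passwords are arriving; that narrows the search to one site or subnet.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Server $dc.HostName -Identity $SamAccountName -Properties badPwdCount, LastBadPasswordAttempt, LockedOut
        Write-Host ("{0,-30} badPwdCount={1} lastBad={2} locked={3}" -f $dc.HostName, $u.badPwdCount, $u.LastBadPasswordAttempt, $u.LockedOut)
    }

    # Every DC forwards bad-password attempts to the PDC emulator, so its Security
    # log is the one place that records all lockouts for the domain.
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }

    # Pull the "Caller Computer Name" out of each 4740 for this user. That machine
    # is where the stale credential lives (steps 4 to 6 of the cookbook).
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $SamAccountName) { continue }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            LockedAccount  = $data['TargetUserName']
            # In event 4740 the TargetDomainName element carries the caller computer name.
            CallerComputer = $data['TargetDomainName']
            ReportedBy     = $e.MachineName
        }
    }
}

# Usage:
Get-LockoutSource -SamAccountName jdoe -LookbackHours 48 | Format-Table -AutoSize
```

Once a caller computer shows up, log on to it as the affected user (Credential Manager and drive mappings are per-user, so running these remotely as an administrator will not show the user's entries) and run `net use` and `cmdkey /list`, both built into Windows, to find the persistent mapping or stored password; `net use X: /delete` and `cmdkey /delete:<target>` remove them. If the caller is a server, also check services and scheduled tasks configured to run as that account.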