Re: Password Expiration
- From: "Robert Zahm" <robzahm@xxxxxxxxxxx>
- Date: Mon, 31 Oct 2005 12:25:28 -0600
Charles,
I am not too concerned about those 529 events, since there were only 2 of
them, and I think they were from mistyped passwords (since one of them was
mine).
The other thing that I failed to mention is that we had some issues when
moving the profiles over to our new SBS domain. Is it possible that profile
sharing issues might be responsible for these errors? It still doesn't make
sense to me that the DC cannot update the group policy though...
Thanks,
Rob
""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:j$wHGld3FHA.3220@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> Thanks for updates.
>
> From your log files, we found that everything should be running in a normal
> situation. Your users have logon and logoff sessions normally. For your
> convenience, I suggest you refer to the information below about security
> fields on Windows 2003:
>
> For Event ID 528, I recommend you check the following KB articles:
>
> 287537 Using Basic authentication to generate Kerberos tokens
> http://support.microsoft.com/default.aspx?scid=kb;en-us;287537
>
>
> 274176 Security Event for Associating Service Account Logon Events
> http://support.microsoft.com/default.aspx?scid=kb;en-us;274176
>
>
> For Event ID 529, these KB articles may help:
>
> 328720 Calls to the Server.CreateObject method on separate ASP pages may
> fail if you store a remote COM+ object in a session variable and you are
> using IIS 5.0
> http://support.microsoft.com/default.aspx?scid=kb;en-us;328720
>
>
> 811082 Security Event 529 Is Logged for Local User Accounts
> http://support.microsoft.com/default.aspx?scid=kb;en-us;811082
>
>
> 890477 Kerberos Event ID 529 is logged when you use a local user account to
> verify security access or group membership on a Windows Server 2003-based
> Kerberos client
> http://support.microsoft.com/default.aspx?scid=kb;en-us;890477
>
> 272594 Problems logging on to a Windows 2000-based server or a Windows
> 2003-based server
> http://support.microsoft.com/default.aspx?scid=kb;en-us;272594
>
>
> 290706 Cannot Automatically Log on Remotely to Terminal Server with Long User
> Name or Password
> http://support.microsoft.com/default.aspx?scid=kb;en-us;290706
>
> 305822 Failure Events Are Logged When the Welcome Screen Is Enabled
> http://support.microsoft.com/default.aspx?scid=kb;en-us;305822
>
>
> Personally, I think if the SBS computer is connected to the internet, many
> hacker activities may cause Event ID 529 etc. I recommend you read the
> following white paper and make sure your server is secure.
>
> Threats and Countermeasures: Security Settings in Windows Server 2003 and
> Windows XP
> http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en
>
>
> Sometimes, third-party applications/services and viruses/spyware may also
> cause such an issue; however, it will be difficult to isolate the root cause
> if this is the case. (I recommend you check a clean-installed SBS with
> secure settings applied.)
>
> More Info:
> 174073 Auditing User Authentication
> http://support.microsoft.com/default.aspx?scid=kb;en-us;174073
>
>
> 174074 Security Event Descriptions
> http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
>
>
> 318253 Logoff event messages are not logged in the security log when you
> use the Audit Logon Events feature in Windows 2000
> http://support.microsoft.com/default.aspx?scid=kb;en-us;318253
>
>
> 326985 HOW TO: Troubleshoot Kerberos-Related Issues in IIS
> http://support.microsoft.com/default.aspx?scid=kb;en-us;326985
>
> I hope the above information is helpful for your issue; please feel free to
> post back if you still have concerns. I am glad to be of further assistance.
>
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> | From: v-chayan@xxxxxxxxxxxxxxxxxxxx ("Charles Yang [MSFT]")
> | Organization: Microsoft
> | Date: Fri, 28 Oct 2005 02:01:54 GMT
> | Subject: Re: Password Expiration
> | Message-ID: <LKEsVO22FHA.1144@xxxxxxxxxxxxxxxxxxxxx>
> | Newsgroups: microsoft.public.windows.server.sbs
> |
> | HI Robert,
> |
> | Thanks for your detailed updates.
> |
> | Let me clarify: the group policy error is mostly caused by DNS not being set
> | up correctly. That is why I suggest you check that the DNS setting in the
> | TCP/IP properties on all network interfaces of the SBS domain computers
> | points to the SBS internal NIC, or you will encounter some problems.
> |
> | In order to make the issue clearer, could you send me all the event logs
> | so that we can identify the issue? Please send them to my mailbox
> | v-chayan@xxxxxxxxxxxxx
> | Thanks for your understanding and effort on this issue. I will be here
> | waiting for your updates.
> |
> |
> |
> | Best regards,
> |
> | Charles Yang (MSFT)
> |
> | Microsoft CSS Online Newsgroup Support
> |
> | Get Secure! - www.microsoft.com/security
> |
> | --------------------
> | | From: "Robert Zahm" <robzahm@xxxxxxxxxxx>
> | | Subject: Re: Password Expiration
> | | Date: Thu, 27 Oct 2005 16:43:35 -0500
> | | Message-ID: <OyWz89z2FHA.3788@xxxxxxxxxxxxxxxxxxxx>
> | | Newsgroups: microsoft.public.windows.server.sbs
> | |
> | | Charles,
> | |
> | | I am able to determine that they don't log out because I know that they
> | | don't physically log out when leaving for the day, and don't have to log in
> | | when they arrive in the morning. They generally only log out when their
> | | passwords have expired and they can no longer access domain resources.
> | | There isn't a particular event that leads me to believe they aren't logging
> | | out - I know for a fact that they don't, and I'm wondering if that is why I
> | | am seeing the 1006 and 1030 errors on the domain controller.
> | |
> | | Event 1704 does not occur all that often on the DC; I included it so that
> | | you could see that it is capable of applying the domain security sometimes,
> | | and it normally occurs a few hours before the other errors.
> | |
> | | Events 1006 and 1030 are occurring on the domain controller, not the client
> | | machines, so the suggestion of removing them from the domain and adding them
> | | back in doesn't seem to apply.
> | |
> | | I'm not sure why you included information regarding DNS updates. I ran
> | | "gpupdate" thinking that it would reapply the global policy; am I incorrect
> | | in thinking this? Just the same, under "Forward Lookup Zones" I don't see
> | | server.domain.local, but I do see _msdcs.domain.local and domain.local.
> | | Both have "Dynamic Updates" set to "Secure Only."
> | |
> | | The "Distributed File System" service is running on the SBS2003 SP1
> | domain
> | | controller. I also do not see a "DisableDFS" value in the registry
> for
> | the
> | | client machines (WinXP SP2).
> | |
> | | Thanks for your help!
> | |
> | | Rob
> | |
> | |
> | | ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in
> message
> | | news:Pt3yzDq2FHA.2904@xxxxxxxxxxxxxxxxxxxxxxxx
> | | >
> | | > HI Robert.
> | | >
> | | > Thanks for using SBS newsgroup.
> | | >
> | | > Issue description:
> | | > ===============
> | | >
> | | > I understand that you are worried about a security issue on the SBS
> | | > domain, because some users seem to log on to the SBS domain and never
> | | > log off.
> | | >
> | | > Analyzing and suggestions:
> | | > ================
> | | >
> | | > Before we go any further, could you clarify from what event you determine
> | | > that the user logs on to the SBS domain and never logs off, so that we can
> | | > identify the detailed problem?
> | | >
> | | > Generally speaking, the events you pasted are not related to a security
> | | > issue; they seem to be a group policy issue. Let me explain them one by one:
> | | >
> | | > Event 1704
> | | >
> | | > If the event does not occur very often, you do not need to care about it;
> | | > it just means the group policy has been refreshed. If it occurs frequently,
> | | > please refer to the suggestion below:
> | | >
> | | > This issue may occur if the registry information regarding Group Policy
> | | > refresh has been set inappropriately. Please perform the following steps:
> | | >
> | | > 1. Open Registry Editor.
> | | > 2. Locate the following key:
> | | >
> | | > HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
> | | >
> | | > 3. Modify the value MaxNoGPOListChangesInterval to 3c0
> | | >
> | | > This is the default value and it will reset "forced policy" re-application
> | | > to 16 hours (960 minutes).
> | | >
> | | > For more detailed information regarding this value, please refer to the
> | | > following KB article:
> | | >
> | | > 277543 How to delay security policies from being applied
> | | > http://support.microsoft.com/?id=277543
> | | >
> | | > Error 1006 and 1030:
> | | >
> | | > Before we go any further, please make sure you do not do the same things
> | | > to the computers which are not getting these events.
> | | >
> | | > 1. Please rejoin the domain following my steps below. I understand that
> | | > you have done it, but please double-check to make sure that you follow
> | | > the steps below:
> | | >
> | | > Actually this issue can occur if the computer accounts for the computers
> | | > are corrupted. To resolve the issue, you should try the following steps
> | | > to leave and rejoin the domain (disjoining and joining):
> | | >
> | | > A. Remove the clients from the domain and join them to a workgroup.
> | | >
> | | > B. Open the "Active Directory Users and Computers" snap-in (dsa.msc).
> | | >
> | | > C. Open the Computers or My Business\Computers\SBSComputers container.
> | | > Right-click on a computer account and choose Delete. Do this for all the
> | | > problematic computers.
> | | >
> | | > D. Join the clients into the domain again.
> | | >
> | | > You should make sure all clients point to the SBS server's internal IP
> | | > address as their ONLY DNS server. Also make sure both network adapters on
> | | > the SBS server point to the SBS internal IP address as the only DNS
> | | > server. In DNS, use a forwarder to forward all name resolution requests to
> | | > the ISP's DNS server. For more information, please refer to the following
> | | > Microsoft Knowledge Base article:
> | | >
> | | > 825763 How to configure Internet access in Windows Small Business Server
> | | > 2003
> | | > http://support.microsoft.com/?id=825763
> | | >
> | | > Regarding how to check DNS for Dynamic Update, please run DNSMGMT.MSC to
> | | > open the DNS management console, right-click on the "server.domain.local"
> | | > forward lookup zone and choose Properties, and then make sure "Dynamic
> | | > Updates" is set to "Secure Only". If you make changes to the settings in
> | | > DNS, you should restart the DNS Server service (right-click on the server
> | | > name and choose All Tasks->Restart).
> | | >
> | | > Regarding the event 1030 problem, please make sure the "Distributed File
> | | > System" service is started on the server. Also make sure the DFS Client is
> | | > turned on on the clients using the following steps:
> | | >
> | | > WARNING: If you use Registry Editor incorrectly, you may cause serious
> | | > problems that may require you to reinstall your operating system. Microsoft
> | | > cannot guarantee that you can solve problems that result from using
> | | > Registry Editor incorrectly. Use Registry Editor at your own risk.
> | | >
> | | > 1. Click Start, and then click Run.
> | | >
> | | > 2. In the Open box, type "regedt32" (without the quotation marks), and
> | | > then click OK.
> | | >
> | | > 3. In the Registry Editor window, locate the following registry key:
> | | >
> | | > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
> | | >
> | | > 4. In the right details pane, check if you see the "DisableDFS" value. If
> | | > you cannot find it, the DFS Client should be enabled. If you see it,
> | | > double-click DisableDFS. The DFS client is turned off if the value in the
> | | > "Value data" box is 1. The DFS client is turned on if the value in the
> | | > "Value data" box is 0.
> | | >
> | | > 5. In the Edit DWORD Value dialog box that appears, type "0" (without the
> | | > quotation marks) in the "Value data" box, and then click OK.
> | | >
> | | > 6. On the File menu, click Exit to quit Registry Editor.
> | | >
> | | >
> | | > Please do not hesitate to let me know if you have any further concerns. I
> | | > will be here waiting for your updates.
> | | >
> | | >
> | | > Best regards,
> | | >
> | | > Charles Yang (MSFT)
> | | >
> | | > Microsoft CSS Online Newsgroup Support
> | | >
> | | > Get Secure! - www.microsoft.com/security
> | | >
> | | >
> | | > --------------------
> | | > | From: "Robert Zahm" <robzahm@xxxxxxxxxxx>
> | | > | Subject: Password Expiration
> | | > | Date: Wed, 26 Oct 2005 11:58:16 -0500
> | | > | Message-ID: <OcG325k2FHA.3420@xxxxxxxxxxxxxxxxxxxx>
> | | > | Newsgroups: microsoft.public.windows.server.sbs
> | | > |
> | | > | Some of our users like to remain logged into our SBS domain and never
> | | > | log out. I understand that this is not a very good security practice,
> | | > | but the behavior is unlikely to change.
> | | > |
> | | > | I've been seeing a few events logged recently related to applying group
> | | > | policy (events are included at the bottom of this email), and I'm
> | | > | wondering if this could be caused by users who are logged in with
> | | > | passwords that have since expired. If I run "gpupdate" from the command
> | | > | line, I don't see any error messages appear in the logs, which leads me
> | | > | to believe that it is not the passwords causing it. Anyone have any
> | | > | ideas for troubleshooting this error?
> | | > |
> | | > | If this is being caused by expired passwords, is there any way I can be
> | | > | notified when a user's password expires so that I can have them log out
> | | > | and then log back in?
> | | > |
> | | > | Thanks,
> | | > |
> | | > | Rob
> | | > |
> | | > | Event Type: Information
> | | > | Event Source: SceCli
> | | > | Event Category: None
> | | > | Event ID: 1704
> | | > | Date: 10/26/2005
> | | > | Time: 6:05:55 AM
> | | > | User: N/A
> | | > | Computer: BRADFORDDC01
> | | > | Description:
> | | > | Security policy in the Group policy objects has been applied
> | | > | successfully.
> | | > |
> | | > | For more information, see Help and Support Center at
> | | > | http://go.microsoft.com/fwlink/events.asp.
> | | > |
> | | > | (the fact that this event is logged, and no errors are logged when I
> | | > | manually run gpupdate, leads me to believe that I might have a problem
> | | > | other than the users logged in with expired passwords).
> | | > |
> | | > |
> | | > | Event Type: Error
> | | > | Event Source: Userenv
> | | > | Event Category: None
> | | > | Event ID: 1006
> | | > | Date: 10/26/2005
> | | > | Time: 10:26:08 AM
> | | > | User: NT AUTHORITY\SYSTEM
> | | > | Computer: BRADFORDDC01
> | | > | Description:
> | | > | Windows cannot bind to BradfordRealEstateServicesCorp.local domain.
> | | > | (Local Error). Group Policy processing aborted.
> | | > |
> | | > | For more information, see Help and Support Center at
> | | > | http://go.microsoft.com/fwlink/events.asp.
> | | > |
> | | > |
> | | > | Event Type: Error
> | | > | Event Source: Userenv
> | | > | Event Category: None
> | | > | Event ID: 1030
> | | > | Date: 10/26/2005
> | | > | Time: 10:26:08 AM
> | | > | User: NT AUTHORITY\SYSTEM
> | | > | Computer: BRADFORDDC01
> | | > | Description:
> | | > | Windows cannot query for the list of Group Policy objects. Check the
> | | > | event log for possible messages previously logged by the policy engine
> | | > | that describes the reason for this.
> | | > |
> | | > | For more information, see Help and Support Center at
> | | > | http://go.microsoft.com/fwlink/events.asp.
> | | > |
> | | > |
> | | > |
> | | >
> | |
> | |
> | |
> |
> |
>
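Added example (my code, not from the thread or from Microsoft): the triage Charles describes for Rob's three events, and the "is it typos or an attack" question about the 529 failure audits, carried out over Event Viewer copy-as-text records. The SceCli/Userenv records copy the text Rob posted; the 529 records, the 5-second pairing window, the threshold of five and the names EXAMPLEDOM, ROBXP and JSMITHXP are constructed. The 1030 record only says to look at earlier policy-engine messages, so the code pairs each 1030 with the Userenv error logged on the same computer just before it (here the 1006 bind failure); the 1704 is parsed but never turns up as a cause, because it is an Information event.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input. The SceCli/Userenv records copy the text Rob posted
# (Event Category/User lines dropped); the 529 records are made up, and
# EXAMPLEDOM, ROBXP and JSMITHXP are not names from the thread.
GP_EVENTS = r"""
Event Type: Information
Event Source: SceCli
Event ID: 1704
Date: 10/26/2005
Time: 6:05:55 AM
Computer: BRADFORDDC01
Description:
Security policy in the Group policy objects has been applied successfully.

Event Type: Error
Event Source: Userenv
Event ID: 1006
Date: 10/26/2005
Time: 10:26:08 AM
Computer: BRADFORDDC01
Description:
Windows cannot bind to BradfordRealEstateServicesCorp.local domain. (Local Error). Group Policy processing aborted.

Event Type: Error
Event Source: Userenv
Event ID: 1030
Date: 10/26/2005
Time: 10:26:08 AM
Computer: BRADFORDDC01
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
""".strip()


def constructed_529(date, time, user, workstation, logon_type):
    """One made-up Security 529 record in the same copy-as-text layout."""
    return (
        f"Event Type: Failure Audit\nEvent Source: Security\nEvent ID: 529\n"
        f"Date: {date}\nTime: {time}\nComputer: BRADFORDDC01\nDescription:\n"
        f"Logon Failure:\n Reason: Unknown user name or bad password\n"
        f" User Name: {user}\n Domain: EXAMPLEDOM\n Logon Type: {logon_type}\n"
        f" Workstation Name: {workstation}\n"
    )


SAMPLE_LOG = GP_EVENTS + "\n\n" + "\n".join(
    [constructed_529("10/27/2005", "8:02:11 AM", "rob", "ROBXP", 2),       # mistyped
     constructed_529("10/27/2005", "9:14:40 AM", "jsmith", "JSMITHXP", 2)]  # mistyped
    # six network logons (type 3) against Administrator within seconds, no workstation
    + [constructed_529("10/28/2005", f"3:00:{s:02d} AM", "administrator", "", 3)
       for s in range(6)]
)

HEADER = re.compile(r"^([^:\n]+):[ \t]*(.*)$", re.M)


def parse_events(text):
    """Split copy-as-text Event Viewer output into one dict per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, _, desc = block.partition("Description:")
        f = dict(HEADER.findall(head))
        events.append({
            "type": f["Event Type"], "source": f["Event Source"],
            "id": int(f["Event ID"]), "computer": f["Computer"],
            "time": datetime.strptime(f"{f['Date']} {f['Time']}", "%m/%d/%Y %I:%M:%S %p"),
            "description": desc.strip()})
    return events


def explain_gp_failures(events, window=timedelta(seconds=5)):
    """Pair each Userenv 1030 with the Userenv errors logged on that computer just before it."""
    out = []
    for ev in events:
        if ev["source"] != "Userenv" or ev["id"] != 1030:
            continue
        causes = sorted(
            c["id"] for c in events
            if c["source"] == "Userenv" and c["type"] == "Error" and c["id"] != 1030
            and c["computer"] == ev["computer"]
            and timedelta(0) <= ev["time"] - c["time"] <= window)
        out.append((ev["time"].isoformat(sep=" "), ev["computer"], causes))
    return out


def summarize_529(events, threshold=5):
    """Count 529s per (user, workstation, logon type); flag keys at or above threshold."""
    counts = Counter()
    for ev in events:
        if ev["source"] != "Security" or ev["id"] != 529:
            continue
        d = ev["description"]
        user = re.search(r"User Name:[ \t]*(\S*)", d).group(1).lower()
        wks = re.search(r"Workstation Name:[ \t]*(\S*)", d).group(1).upper()
        ltype = int(re.search(r"Logon Type:[ \t]*(\d+)", d).group(1))
        counts[(user, wks, ltype)] += 1
    return dict(counts), sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(explain_gp_failures(evs), summarize_529(evs))
```

Two mistyped passwords on two named workstations stay well under the threshold, which is Rob's situation; the constructed burst of type-3 (network) failures against Administrator with no workstation name is the pattern Charles's "hacker activities" remark is about, and it is the key that gets flagged.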
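Added example (my code, not from the thread or from Microsoft) for Rob's original question, whether he can be told when a user's password expires. In Active Directory the answer comes from two attributes: the user's pwdLastSet (a FILETIME, 100-nanosecond ticks since 1601-01-01 UTC; 0 means "must change at next logon") and the domain's maxPwdAge (a negative interval in the same units; the most negative 64-bit value means no maximum), with the userAccountControl bit 0x10000 marking accounts whose password never expires. The code below computes the expiry date and a warning status from those values, and separately lists accounts whose interactive session began before a password expiry that has since passed, which is the "logged on and never logged off" case Rob describes. The 42-day maximum age, the "now" of 31 October 2005, the account names and the sessionStart field (not an AD attribute; it stands for the timestamp of the account's last 528 logon audit on the DC) are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl bit: password never expires
NO_MAX_AGE = -0x8000000000000000    # maxPwdAge value meaning "no maximum age"


def filetime_to_datetime(ft):
    """AD stores pwdLastSet as 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_status(user, max_pwd_age, now, warn_days=5):
    """Return (status, expiry datetime or None, days_left or None) for one account.
    maxPwdAge is a negative 100 ns interval, so expiry = pwdLastSet - maxPwdAge."""
    if user["userAccountControl"] & DONT_EXPIRE_PASSWD or max_pwd_age in (0, NO_MAX_AGE):
        return "never", None, None
    if user["pwdLastSet"] == 0:
        return "must-change", None, None      # "User must change password at next logon"
    expires = filetime_to_datetime(user["pwdLastSet"]) + timedelta(microseconds=-max_pwd_age // 10)
    days_left = (expires - now) // timedelta(days=1)
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return status, expires, days_left


def sessions_past_expiry(users, max_pwd_age, now):
    """Accounts whose session (constructed sessionStart field) began before a
    password expiry that has since passed: logged on, never logged off."""
    stale = []
    for u in users:
        status, expires, _ = password_status(u, max_pwd_age, now)
        start = u.get("sessionStart")
        if status == "expired" and start is not None and start < expires:
            stale.append(u["sAMAccountName"])
    return stale


def report(users, max_pwd_age, now, warn_days=5):
    """sAMAccountName -> (status, expiry as 'YYYY-MM-DD' or None, days_left)."""
    out = {}
    for u in users:
        status, expires, days = password_status(u, max_pwd_age, now, warn_days)
        out[u["sAMAccountName"]] = (status, expires.date().isoformat() if expires else None, days)
    return out


# Constructed sample data (not from the thread): a 42-day maximum password age,
# a fixed "now", and five accounts. 0x200 is NORMAL_ACCOUNT.
MAX_PWD_AGE = -42 * 24 * 3600 * 10_000_000
NOW = datetime(2005, 10, 31, tzinfo=timezone.utc)


def _at(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


USERS = [
    {"sAMAccountName": "rob", "userAccountControl": 0x200, "pwdLastSet": _at(2005, 10, 1),
     "sessionStart": datetime(2005, 10, 24, tzinfo=timezone.utc)},
    {"sAMAccountName": "kwong", "userAccountControl": 0x200, "pwdLastSet": _at(2005, 9, 21),
     "sessionStart": datetime(2005, 10, 28, tzinfo=timezone.utc)},
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200, "pwdLastSet": _at(2005, 9, 10),
     "sessionStart": datetime(2005, 10, 15, tzinfo=timezone.utc)},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200, "pwdLastSet": _at(2005, 1, 1)},
    {"sAMAccountName": "newhire", "userAccountControl": 0x200, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, row in report(USERS, MAX_PWD_AGE, NOW).items():
        print(f"{name:12} {row}")
    print("logged on past expiry:", sessions_past_expiry(USERS, MAX_PWD_AGE, NOW))
```

Run daily against values pulled from the directory, the "expiring" rows are the notification Rob asked for, and the sessions_past_expiry list is the set of users to ask to log off and back on. The interactive session itself does not end when the password expires; only new authentications (network shares, Kerberos ticket renewal) start failing, which matches Rob's observation that users notice only when they "can no longer access domain resources".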