Re: Weird account lockout
- From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 18 May 2007 13:06:27 +0100
Hi Robert,
I will hopefully gather this data for you.
Oddly, the reports had disappeared after the user changed his password, but resumed again this afternoon.
The other odd thing is that the message indicates a failure on LOCALHOST (I'm assuming the Server itself, UBIQ-SERV1), yet the user has no direct logon to that server.
MSWinEventLog 1 Security 232788 Thu May 17 18:38:46 2007 529 Security SYSTEM User Failure Audit UBIQ-SERV1 Logon/Logoff Logon Failure: Reason: Unknown user name or bad password User Name: msmith Domain: UBIQUISYS Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: LOCALHOST Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 192.168.50.143 Source Port: 0 232710
Robert Li [MSFT] wrote:
Hi Adrian,
Thanks for updating.
Based on my research, the account is locked out when:
1. The user typed the wrong credentials many times.
2. The client workstation is affected by a virus or a hacker is attacking.
3. Some services are attempting to log on with an older or wrong password.
Although the account seems not to be really locked, please check the following:
Please take the following steps:
Step 1: We need to remove the previous password cache, which may be used by some applications and therefore cause the account lockout problem.
To do so:
1) Click Start, click Run, type "control userpasswords2" (without the quotation marks), and then click OK.
2) Click the Advanced tab.
3) Click the "Manage Password" button.
4) Check to see if these domain accounts' passwords are cached. If so, remove them.
5) Check if the problem has been resolved now.
For more information, you may refer to the following article:
Q281660: Behavior of Stored User Names and Passwords http://support.microsoft.com/?id=281660
Step 2: Scan your client workstation with Anti Virus.
Step 3: Please make a clean boot on the client to make sure the problem is not caused by some third party software.
1. Click Start->Run...->type msconfig and press Enter.
2. Click Services tab and select Hide All Microsoft Services and Disable All third party Services.
3. Click Startup tab and Disable All startup items.
4. Click OK and choose Restart.
5. After reboot, check whether the problem still occurs.
6. If there are no more problems, please use the above steps to enable services and startup items one by one in order to figure out the root cause of this issue.
I noticed that the Event System log hadn't logged anything since 2 Feb 07, please check to set the event retention method to Overwrite events.
To do this:
1. Open Event Viewer.
2. Right click System and select Properties.
3. Overwrite event as needed.
For more information, please refer to:
315585 Troubleshooting account lockout problems in Windows Server 2003
http://support.microsoft.com/?id=315585
Please also help me collect the Network MPS Report on the SBS server and the problematic client for further research:
MPS report
a. Visit http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE to download the file.
b. Run the MPSRPT_NETWORK.EXE on the server box.
c. Wait for 10~15 minutes.
d. Open Windows explorer, navigate to %SYSTEMROOT%\MPSReports\Network\Reports\cab\
e. Send the .cab file directly to me at v-robeli@xxxxxxxxxxxxx with subject: Weird account lockout.
I appreciate your time and cooperation. If anything is unclear, please feel free to let me know. I am looking forward to hearing from you.
Best regards,
Robert Li(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues regarding other Microsoft products, you'd better post in the corresponding newsgroups so that they can be resolved in an efficient and timely manner. You can locate the newsgroup here: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the "Notify me of replies" box to receive e-mail notifications when there are any updates in your thread. When responding to posts via your newsreader, please "Reply to Group" so that others may learn and benefit from your issue.
Microsoft engineers can only focus on one issue per thread. Although we provide other information for your reference, we recommend you post different incidents in different threads to keep the thread clean. In doing so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
<Message-ID: <464A24C5.8060906@xxxxxxxxxxxxxxxxxxxxxxx>
<Date: Tue, 15 May 2007 22:23:17 +0100
<From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
<Subject: Re: Weird account lockout
<Newsgroups: microsoft.public.windows.server.sbs
<
<Hi Robert,
<
<I took a look at the user's PC and account, and found several things:
<
<1) The Event System log hadn't logged anything since 2 Feb 07, which was
<weird.
<2) The application log showed many Userenv faults
<3) rsop showed that there was a password mis-sync between the laptop
<and the server.
<4) User was still able to access Exchange (which concerned me a little),
<and complained that he had sporadic access to printers and network
<shares (but he DID have them) - again another concern - why wasn't he
<locked out?
<
<So I executed a gpupdate /force, and had the user change their password.
<The client PC now looks ok, but I continue to get these emails.
<
<I now have the windows logs exported to a syslog server so I can search
<easier, and I can see that the last account. Using this I'm able to see
<a second user also being locked out.
<
<Is there any way to have the SBS email actually indicate *who* has been
<locked out?
<
<What sort of things can cause a lock out? I've the standard SBS account
<policy configs for this, but I'd like to know more about what can cause it.
<
<In my environment, users can logon/off to multiple PCs at any time.
<Linux SAMBA share mounts are common. If these cache passwords, then can
<these re-authentication requests trigger a lockout?
<
<Thanks
<
<Adrian
<
<Robert Li [MSFT] wrote:
<> Hi Adrian,
<>
<> Thanks for posting in our newsgroup.
<>
<> I am sorry for the delay due to the weekend.
<>
<> From your description, I know that the SBS report shows a user account is locked out. Using saved queries, you can see the user is locked out, but when you checked the user's properties, the account is not locked out. If I am off-base, please don't hesitate to let me know.
<>
<> Please let me know the following information to make the situation clearer:
<>
<> Can this user log on to the domain successfully? If yes, this means the account is not really locked out.
<>
<> As you know, account lockout policy is a Microsoft Windows security feature that locks a user account if a designated number (Account lockout threshold) of failed logon attempts occur within a specified time frame. These variables are based on security policy lockout settings. You cannot log on to the network through a locked account until the lockout period (Account lockout duration) has expired.
<>
<> Please right click the user properties; on the Account tab, what is the status of the "Account is locked out" option? By default, the "Account is locked out" option is grayed out. You cannot check it to lock a user. If you need to lock a user, you can check the Account is disabled option. However, when an account is locked out by the system, the "Account is locked out" option will become available and you can uncheck it to unlock the user.
<>
<> Hope the information helps.
<>
<> If you need further assistance, please don't hesitate to let me know.
<>
<> Best regards,
<>
<> Robert Li(MSFT)
<>
<> Microsoft CSS Online Newsgroup Support
<>
<> Get Secure! - www.microsoft.com/security
<>
<> --------------------
<> <Date: Sat, 12 May 2007 12:42:51 +0100
<> <From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
<> <Subject: Weird account lockout
<> <Message-ID: <uJMitqIlHHA.4628@xxxxxxxxxxxxxxxxxxxx>
<> <Newsgroups: microsoft.public.windows.server.sbs
<> <
<> <Hi,
<> <
<> <I've a user account that I'm receiving emails from my SBS R1 server
<> <telling me that the account is locked out.
<> <
<> <Using saved queries, I can see the user listed as "locked out", but when
<> <I go to that user's properties in Act Dir Users & Computers, the account
<> <isn't locked out at all.
<> <
<> <???
<> <
<> <Saved query taken from:
<> <
<> <http://www.windowsdevcenter.com/pub/a/windows/2004/06/22/locked_accounts.html
<> <
<> <
<> <Cheers,
<> <
<> <adrian
<> <
<> <
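The search over the syslog copy of the Security log that the thread describes, as an added example that is not part of the original posts: it parses Event ID 529 records in the layout quoted at the top of the message and reports which account, source address and workstation combinations reach a failure threshold inside a time window. The function names, the threshold and window defaults, and the sample lines (modelled on the msmith record, with jdoe, PC-77 and 192.168.50.77 invented) are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
HEAD = re.compile(r"(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(\d+)\s+Security")
FIELDS = {"user": r"(?<!Caller )User Name:\s+(\S+)",  # labels as in the quoted record
          "logon_type": r"Logon Type:\s+(\d+)",
          "workstation": r"Workstation Name:\s+(\S+)",
          "source": r"Source Network Address:\s+(\S+)"}

def parse_529(line):
    """Return the fields of one logon-failure (529) record, or None for any other line."""
    head = HEAD.search(line)
    if not head or head.group(2) != "529":
        return None
    rec = {"time": datetime.strptime(head.group(1), "%a %b %d %H:%M:%S %Y")}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, line)
        rec[name] = m.group(1) if m else "-"
    return rec

def lockout_candidates(lines, threshold=5, window=timedelta(minutes=30)):  # assumed defaults
    """Map (user, source address, workstation) to its peak failure count inside any window."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_529, lines)):
        events[(rec["user"].lower(), rec["source"], rec["workstation"])].append(rec["time"])
    flagged = {}
    for key, times in events.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

# Constructed sample lines modelled on the record in the post; the 538 line must be skipped.
TEMPLATE = ("MSWinEventLog 1 Security 232788 {ts:%a %b %d %H:%M:%S %Y} {eid} Security SYSTEM "
            "User Failure Audit UBIQ-SERV1 Logon/Logoff Logon Failure: User Name: {user} Domain: "
            "UBIQUISYS Logon Type: 3 Workstation Name: {wks} Source Network Address: {ip}")
BASE = datetime(2007, 5, 17, 18, 38, 46)
def sample_line(minute, user, wks, ip, eid=529):
    return TEMPLATE.format(ts=BASE + timedelta(minutes=minute), eid=eid, user=user, wks=wks, ip=ip)
SAMPLE = ([sample_line(i, "msmith", "LOCALHOST", "192.168.50.143") for i in range(6)]
          + [sample_line(i, "jdoe", "PC-77", "192.168.50.77") for i in range(2)]
          + [sample_line(9, "msmith", "LOCALHOST", "192.168.50.143", eid=538)])
for (user, source, wks), n in lockout_candidates(SAMPLE).items():
    print(f"{user}: {n} failures from {source} (workstation {wks})")
```

Grouping by source address as well as account name points at the machine that is replaying a stale password, which the lockout e-mail alone does not show.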