Re: Account lockout


Deji Akomolafe

May 11, 2005, 6:25:20 PM
He has a connection using his old password opened somewhere. He probably
logged into OWA on a computer somewhere and forgot to close it out. He
probably has a printer/share mapped with his old password. SOMETHING is
using his old password. What you do is:

1. Enable netlogon logging (nltest /dbflag:0x2080ffff), restart the netlogon
service, wait for the user's account to be locked out again, then go through
the logfile generated by netlogon (usually %windir%\Netlogon.log). You will
see where his account is being used during the course of the lockout.

OR
2. Get ALTools.exe
(http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en)
AND
3. Read
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
for instructions on using the tools.

--

Sincerely,
Dčjě Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
"Hendrik" <Hen...@discussions.microsoft.com> wrote in message
news:FD46A85E-2439-4E52...@microsoft.com...
> We are using Server 2003 Standard Edition, one of our user's accounts keeps
> going to Account Lockout. He is not in the office at the moment and it keeps
> locking his account. I set the Account Lockout Policy to 1 minute but this
> does not seem to work on his account. The lockout will continue to happen
> throughout the day or night and he doesn't even have to be in the office
> for this to happen.
>
> Any idea on how to resolve this issue?


Todd J Heron

May 11, 2005, 9:11:18 PM
I have some good field notes on this topic in addition to Dčjě's answer.

Problem: Locked out, single account in Windows domain is being locked out
over and over again

Known causes:
1) Logged on somewhere else in the network. The user is already persistently
logged into another computer somewhere else in the domain (such as in a
conference room, classroom or computer lab) after changing the password on
their regular machine.
2) Microsoft Outlook. An open application such as Microsoft Outlook on
another machine will periodically validate to the domain and if it uses an
invalid username/password combination this will lock the account out after
the specified number of retries.
3) Terminal Server session. A Terminal Server session could be open which is
attempting to authenticate using the old password.
Note: This machine could be outside of the network (open OWA session) or be
a laptop connected in over VPN.
4) Service Account. The user's account is running as a service on a computer
somewhere else in the network with old credentials.
5) Scheduled Task. A scheduled task on their computer is using old
credentials.
6) Drive mapping. A drive mapping on a machine is using old credentials.
7) A virus (such as a worm) has determined the user account is using a weak
password (such as blank or same as username) and is attempting to access
other resources on the network.

How to determine which machine(s) a user's account is logged into on the
domain:
1) Use the Symantec System Center (if available)
2) Use "psloggedon" from http://www.sysinternals.com to determine if the
user account is logged into the domain anywhere else on the network. There
may be a service account somewhere using the account's old credentials.
3) Enable Account Auditing on the Domain Controllers GPO, to see who and
when is causing the lockouts. Enable auditing for following events:
Account Logon Events - Failure
Account Management - Success
Logon Events - Failure
4) In Windows 2000 (SP4) and Windows Server 2003 there is a tool called
lockoutstatus.exe which shows detailed info on which DC has locked out the
account, as well as showing badPwdCount and other useful information. If
you have the Windows Server 2003 CD, then you will find this utility there. In
Windows NT 4.0 domains, lockouts were common when there were replication
problems between domain controllers. In an NT 4.0 domain, look at errors in
the Event Logs of the PDC and BDCs. Open Server Manager, highlight the PDC,
click on Computer, then Synchronize the entire domain, and check the system
log of the Event Viewer on all DCs to determine whether synchronization was
successful.

5) Look for Event ID 644 in the domain controller Security event log. That
should tell what machine requested the lockout.
http://mcpmag.com/forums/forum_posts.asp?tid=1504

See the link below for tips on account lockouts, which include how to use
netlogon logging to trace back the failed logon to the computer that
initiated the bad logon. Service accounts on domain computers that use a
domain admin credential are a dangerous security practice, as the password for
those accounts can be easily recovered from a domain computer.
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

See also:
Using the Checked Netlogon.dll to Track Account Lockouts
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q189541

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights
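Both replies above point at Netlogon.log as the record that ties a lockout back to the machine still presenting the old password. The following is an added example, not code from either poster, that walks such a log and tallies bad-password (0xC000006A) and locked-out (0xC0000234) results per source workstation for one account; the log lines are constructed in the Netlogon.log layout, and the account, domain and machine names are invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Netlogon.log layout (not taken from the thread).
# "Entered" lines record the attempt; the "Returns" line carries the NTSTATUS.
SAMPLE_LOG = """\
05/11 18:01:02 [LOGON] [812] CORP: SamLogon: Transitive Network logon of CORP\\hendrik from CONFROOM-PC (via DC01) Entered
05/11 18:01:02 [LOGON] [812] CORP: SamLogon: Transitive Network logon of CORP\\hendrik from CONFROOM-PC (via DC01) Returns 0xC000006A
05/11 18:01:09 [LOGON] [812] CORP: SamLogon: Network logon of CORP\\hendrik from CONFROOM-PC Returns 0xC000006A
05/11 18:01:40 [LOGON] [812] CORP: SamLogon: Network logon of CORP\\hendrik from CONFROOM-PC Returns 0xC0000234
05/11 18:02:15 [LOGON] [812] CORP: SamLogon: Network logon of CORP\\hendrik from LAPTOP-H Returns 0x0
05/11 18:03:00 [LOGON] [812] CORP: SamLogon: Network logon of CORP\\jsmith from FILESRV Returns 0xC000006A
"""

# NTSTATUS values Netlogon writes after "Returns". Wrong-password results are
# what increment badPwdCount; 0xC0000234 is the lockout itself being reported.
STATUS_NAMES = {
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
}

# Only "Returns" lines are matched, so each logon attempt is counted once.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*?logon of "
    r"(?P<domain>[^\\\s]+)\\(?P<user>\S+) from (?P<src>\S+)"
    r".*?Returns (?P<status>0x[0-9A-Fa-f]+)"
)

def parse_netlogon(text):
    """Yield one record per completed logon attempt, status normalised to 0x + upper hex."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = "0x" + rec["status"][2:].upper()
            yield rec

def lockout_sources(text, user):
    """Map source machine -> {status: count} for the failures that drive a lockout of `user`."""
    per_src = defaultdict(Counter)
    for rec in parse_netlogon(text):
        if rec["user"].lower() == user.lower() and rec["status"] in STATUS_NAMES:
            per_src[rec["src"]][rec["status"]] += 1
    return {src: dict(counts) for src, counts in per_src.items()}

if __name__ == "__main__":
    # Prints the machine(s) to go and look at, e.g. CONFROOM-PC here.
    for src, counts in lockout_sources(SAMPLE_LOG, "hendrik").items():
        print(src + ": " + ", ".join(f"{n} x {STATUS_NAMES[s]}" for s, n in counts.items()))
```

Successful logons (0x0) and other users are ignored, so the output is only the machines that are still retrying the stale password.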