RE: 2K Server locking 98 users out

From: Colin Owens (COwens@uvcs.uvic.ca)
Date: 05/09/02


Date: Thu, 9 May 2002 11:49:22 -0700
From: "Colin Owens" <COwens@uvcs.uvic.ca>
To: "Moorhouse, Walt P" <WaltPMoorhouse@eaton.com>, <focus-ms@securityfocus.com>

We've noticed similar situations on our network and, in addition to the
situations already outlined, one other scenario was when users had mapped
network drives to "reconnect at next logon" and had then either hit the
Cancel button at the netlogon dialog box or had changed their Windows
password to something different from their network password. In either
case their box repeatedly tries to establish a session to a share with
incorrect credentials and eventually locks out their account.
HTH

-----Original Message-----
From: Moorhouse, Walt P [mailto:WaltPMoorhouse@eaton.com]
Sent: Thursday, May 09, 2002 9:04 AM
To: 'Dave'; focus-ms@securityfocus.com
Subject: RE: 2K Server locking 98 users out

A couple of things that I have seen here that could relate to your
problem:
1) If your users have signed on and ignored the "Your password is about
to expire, Do you want to change it now?" dialog and said no, then left
their machines on, it will keep trying to use the password they gave it
at the beginning of the session.
2) Since it is happening only on 98 machines, that makes me think of the
Windows Password. Some of my people changed their password while
offline or at home, and subsequently, the domain password didn't change,
just the Windows Password. This got them out of sync, and they had to
type in two passwords to get in when they reconnected to the net. (The
"old" domain password, and the "new" Windows password.) I doubt you
would have done this, but it may somehow be related.

Also, this could be the result of an attack. If someone gained access
to a list of login names (perhaps a former employee) and is going
through the list trying to guess or brute force a password, this could
lead to account lockout. Do you have security auditing enabled and are
you logging successful and failed login attempts?

I hope this helps.
WPM

-----Original Message-----
From: Dave [mailto:"dauern@cox.net"@cox.net]
Sent: Wednesday, May 08, 2002 1:57 PM
To: focus-ms@securityfocus.com
Subject: 2K Server locking 98 users out

Hello all,

First of all, let me say that this/these list(s) are an incredible tool,
both for beginner admins and security freaks (and much more). OK,
enough mush. :)

I am domain admin on a 2K server serving about 60 users. Occasionally a
user's account will be locked, for absolutely no apparent reason that I
can tell. It's happened to my account quite a few times, in fact (not
my admin account). This seems to happen only to 98 machines... every
instance I can recall was on a 98 machine. While I can't speak for
anyone else's problems necessarily, the only odd thing I noticed about
the instances where my account was locked is that my computer was
usually idle for an hour or more (long lunches). Does anyone have any
recommendations to perhaps point me in the right direction in resolving
this? Thanks for your help.

Dave
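
Added example, not part of the original thread: a triage sketch for the failed-logon audit data asked about above. It separates lockouts where one workstation keeps failing for a single account (consistent with the stale-password and "reconnect at next logon" cases described) from one source failing across several accounts (consistent with someone working through a list of login names). The record layout, host names and the threshold are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample records (not a real event-log export):
# date time account source-workstation result
SAMPLE_LOG = """\
2002-05-09 12:05:01 dave WS98-014 FAIL
2002-05-09 12:15:01 dave WS98-014 FAIL
2002-05-09 12:25:01 dave WS98-014 FAIL
2002-05-09 12:35:01 dave WS98-014 FAIL
2002-05-09 13:00:10 alice HOST-X FAIL
2002-05-09 13:00:12 bob HOST-X FAIL
2002-05-09 13:00:14 carol HOST-X FAIL
2002-05-09 13:00:16 alice HOST-X FAIL
2002-05-09 13:20:00 frank WS98-020 FAIL
2002-05-09 13:40:00 frank WS98-031 FAIL
2002-05-09 13:45:00 erin WS98-007 OK
"""

def parse(text):
    """Yield (account, source, result) from whitespace-separated records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _date, _time, account, source, result = line.split()
        yield account.lower(), source.upper(), result

def triage(text, spray_accounts=3):
    """Map each account with failed logons to (verdict, failure_count)."""
    accounts_by_source = defaultdict(set)   # source -> accounts it failed against
    sources_by_account = defaultdict(set)   # account -> sources that failed
    failures = defaultdict(int)
    for account, source, result in parse(text):
        if result != "FAIL":
            continue
        accounts_by_source[source].add(account)
        sources_by_account[account].add(source)
        failures[account] += 1
    verdicts = {}
    for account, sources in sources_by_account.items():
        if any(len(accounts_by_source[s]) >= spray_accounts for s in sources):
            verdict = "possible-guessing"    # one source, many accounts
        elif len(sources) == 1:
            verdict = "stale-credential"     # one machine retrying one account
        else:
            verdict = "review"               # mixed pattern, needs a human look
        verdicts[account] = (verdict, failures[account])
    return verdicts
```
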