Re: Account lockouts help

From: Jon LaBarge (jonlabarge_at_comcast.net)
Date: 09/14/05


Date: Wed, 14 Sep 2005 11:22:01 -0700

OK, I will try this. Also, does it make any sense to you that it is only two
users that are being affected by this? The rest of our users are fine.

Jon

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OamZZUVuFHA.3660@tk2msftngp13.phx.gbl...
> There should not be a problem with kerberos between a Windows 2000 domain
> computer and a Windows 2003 domain controller in a normal configuration
> with time and dns configured correctly. If the Windows firewall is enabled
> on the Windows 2003 domain controller or ipsec policies are implemented
> that involve communications between domain computers and domain
> controllers authentication problems can occur. Since you are having
> problems I would suggest that you run the support tool netdiag on domain
> computers where users are logging on from that are having problems and run
> the support tools netdiag, dcdiag, and gpotool on your domain controllers
> or at least the pdc fsmo and your domain controller where you are seeing
> all these events recorded. These tools check a lot of things including
> the all important dns, communications between domain controllers,
> integrity of computer account/secure channel, and replication of Group
> Policy objects. Support tools are on the operating system install disk in
> the support/tools folder. Also check the link below to make sure your dns
> is configured correctly for the domain. -- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
>
> "Jon LaBarge" <jonlabarge@comcast.net> wrote in message
> news:O8KBCJVuFHA.3756@tk2msftngp13.phx.gbl...
>> Steven,
>> Also, I just noticed that the lockout is also causing an Event ID 677
>> (Kerberos authentication) audit failure in the DC Event Viewer (about 5 events per
>> second). Is there a problem with Kerberos communicating from a 2003
>> server to a 2000 server like there was with NT?
>>
>> Jon
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:%23aBsreLuFHA.3424@tk2msftngp13.phx.gbl...
>>> Generally that means that they may still be logged onto another computer
>>> with old credentials [ possibly via Terminal Server?] or that they are
>>> using old credentials for a Scheduled Task, persistent mapped drive, or
>>> have old "stored credentials" on a Windows XP Pro computer. If you have
>>> enabled auditing of "account logon" events and account management in
>>> Domain Controller Security Policy and have auditing of "logon events"
>>> enabled for domain computers you can usually track down what computer is
>>> causing the lockout and proceed from there. The free Event Comb utility
>>> from MS makes it easy to search domain controllers and domain computers
>>> for specific events and text strings such as user names. The link below
>>> may help and the excellent white paper on account passwords and policies
>>> has a lot of good info. FYI Microsoft recommends no less than ten bad
>>> attempts as a lockout threshold if you use account lockout as a single
>>> bad logon event can trigger multiple bad logon attempts on the domain
>>> controllers. --- Steve
>>>
>>> http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>>>
>>>
>>> "Jon LaBarge" <jonlabarge@comcast.net> wrote in message
>>> news:%23wLQ%23iKuFHA.600@TK2MSFTNGP10.phx.gbl...
>>>> We have a few users in our org that continually get locked out. Every 5
>>>> minutes, their accounts go into the lockout state. They are locked down
>>>> by a GPO but only for folder redirection. Any ideas???
>>>>
>>>> Thx.
>>>>
>>>> Jon
>>>>
>>>
>>>
>>
>>
>
>
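The hunt Steve describes (enable account logon / account management auditing on the DCs, then search every DC for the lockout and bad-password events for the affected user so the offending computer shows up) can be scripted instead of run through Event Comb. The script below is an added example, not code from the thread or from Microsoft. It generalizes the 2003-era event IDs the thread talks about (644 lockout; 675/676/677 Kerberos failures; 529-539 logon failures) to the IDs current Windows versions write (4740, 4771, 4776, 4625), which is an assumption about the DC version; the `param` names and the regex labels used to pull the source computer out of each event's message text are mine, based on the standard English event descriptions.

```powershell
# Added example (not from the thread): find which computer keeps locking out a user
# by pulling lockout and failed-authentication events from every domain controller.
# Assumes 2008+/Vista+ event IDs and English event messages; the thread's Windows 2003
# equivalents are 644 (lockout), 675/676/677 (Kerberos failures) and 529-539 (logon failures).
param(
    [Parameter(Mandatory = $true)] [string] $User,   # sAMAccountName of the locked-out user
    [int] $Hours = 24                                 # how far back to search
)

$since = (Get-Date).AddHours(-$Hours)

# Enumerate DCs without needing the ActiveDirectory module (works on any domain-joined host).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | ForEach-Object { $_.Name }

# Event ID -> regex that extracts the originating host from the message text.
# 4740: Caller Computer Name (the machine that sent the bad passwords that tripped the threshold)
# 4771: Client Address  (Kerberos pre-auth failure, the modern cousin of 675)
# 4776: Source Workstation (NTLM credential validation failure)
# 4625: Workstation Name (failed interactive/network logon on the DC itself)
$sourceField = @{
    4740 = '(?m)^\s*Caller Computer Name:\s+(\S+)'
    4771 = '(?m)^\s*Client Address:\s+(\S+)'
    4776 = '(?m)^\s*Source Workstation:\s+(\S+)'
    4625 = '(?m)^\s*Workstation Name:\s+(\S+)'
}

$userPattern = [regex]::Escape($User)

$hits = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = @($sourceField.Keys)
            StartTime = $since
        }
    } catch {
        # Get-WinEvent throws when the filter matches nothing; that is not an error here.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        # Only keep events that name this user (the message text carries the account name).
        if ($e.Message -notmatch $userPattern) { continue }

        $src = '(unknown)'
        if ($e.Message -match $sourceField[$e.Id]) { $src = $Matches[1] }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc
            Id     = $e.Id
            Source = $src
        }
    }
}

# A lockout that recurs every few minutes from one host is a stale credential on that host
# (cached logon, mapped drive, scheduled task, service, stored credential), per Steve's advice.
"Events for '$User' since $since :"
$hits | Sort-Object Time | Format-Table Time, DC, Id, Source -AutoSize

"Originating hosts, most frequent first:"
$hits | Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# The domain lockout threshold Steve mentions (he notes Microsoft recommends at least 10):
net accounts /domain | Select-String 'Lockout'
```

Run it from any domain-joined workstation with an account that can read the DCs' Security logs (Event Log Readers or equivalent), e.g. `.\Find-LockoutSource.ps1 -User jsmith -Hours 6`. The 4740 "Caller Computer Name" is the authoritative answer; the 4771/4776 entries show the individual bad-password attempts that accumulated to the threshold, which is why, as the thread notes, one user action can register as several failures on the DC.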


