Re: Account lockouts
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 04/29/03
- Next message: Steven L Umbach: "Re: Local Policies and Roaming Profiles Prob"
- Previous message: Steven L Umbach: "Re: certs."
- In reply to: Mark Palmer: "Account lockouts"
- Next in thread: sunil gottumukkala [MSFT]: "Re: Account lockouts"
- Reply: sunil gottumukkala [MSFT]: "Re: Account lockouts"
- Reply: Mark Palmer: "Re: Account lockouts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Apr 2003 21:06:26 -0400
First off, you can't disable lockout policy for specific accounts; it is a domain-wide setting.
Second, enable auditing on your domain controllers and member servers, specifically the logon failures auditing
categories, and then look in your security logs. In the several years I have been managing the 250k+ userids in my
domains, I was always able to track the bad password events to specific machines. It could be applications running in
the background with cached credentials or it could be the people are logged on in places they didn't think they were. In
fact, just today I processed a trouble ticket for a person who would have sworn on their parents' lives they were logged
on in multiple locations, so I dumped the event logs and found out they had a terminal service session open to a machine
they hadn't touched in months.
Note that Win9x machines do have bugs that cause them to cause multiple bad attempts for every one real attempt.
Depending on hotfixes installed on the machines you could get 2 or 3 bad attempts. This means if you have the concept of
a 5 bad password lockout policy and you have Win9x machines, you should probably actually set your policy to 15 bad
password hits.
Finally, apply every single hot fix available for your domain controllers that have anything to do with the
authentication bins such as LSASS, Kerberos, etc., and also consider increasing the timeout value for connections on any
file/print servers that the Win9x clients have to hit, because there is a known issue with Win9x machines sending bad
credentials to servers when re-establishing connections that have timed out due to inactivity.
--
Joe Richards
www.joeware.net
--
"Mark Palmer" <mp@no.spam.com> wrote in message news:008901c30dda$d9b78320$a601280a@phx.gbl...
> I have been trying to find the solution to this problem
> for so long, I am going crazy. I have a few user
> accounts that are continuously being locked out even
> though correct passwords are supplied. I have disabled
> the account lockout policy on these accounts but it is
> still happening. The clients are using Windows 98 to log
> on to a single server. Can someone please throw me a
> line whilst I still have some hair left.
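One way to do the log review described in the reply above, as an added example that is not part of the original post: it counts logon-failure events per account and source machine and collapses near-simultaneous failures into single attempts, which shows the multiplied bad-password counts the reply attributes to Win9x clients. The CSV export layout, column names, account and host names, and the 2-second burst window are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Failure-only Security log event IDs: 529/675/681 (Windows 2000/2003),
# 4625/4771 (Windows Vista/2008 and later).
FAILED_LOGON_IDS = {529, 675, 681, 4625, 4771}

# Constructed sample export; the column names are assumptions, not a real tool's format.
SAMPLE_EXPORT = """time,event_id,account,source
2003-04-28 09:00:01,529,alice,WIN98-07
2003-04-28 09:00:01,529,alice,WIN98-07
2003-04-28 09:00:02,529,alice,WIN98-07
2003-04-28 09:00:03,528,bob,WKS-22
2003-04-28 09:15:40,529,alice,TS-OLD-01
2003-04-28 09:30:40,529,alice,TS-OLD-01
2003-04-28 09:45:41,529,alice,TS-OLD-01
2003-04-28 10:02:10,529,bob,WKS-22
"""

def failures_by_source(export_text, burst_window=timedelta(seconds=2)):
    """Return {account: {source: (logged_failures, distinct_attempts)}}.

    A failure that follows the previous one from the same source within
    burst_window is counted as part of the same attempt, which exposes
    clients that log several bad passwords per real logon attempt.
    """
    stats = defaultdict(dict)
    last_seen = {}
    rows = sorted(csv.DictReader(io.StringIO(export_text)), key=lambda r: r["time"])
    for row in rows:
        if int(row["event_id"]) not in FAILED_LOGON_IDS:
            continue  # e.g. 528 is a successful logon
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        key = (row["account"].lower(), row["source"].upper())
        logged, attempts = stats[key[0]].get(key[1], (0, 0))
        previous = last_seen.get(key)
        if previous is None or when - previous > burst_window:
            attempts += 1
        last_seen[key] = when
        stats[key[0]][key[1]] = (logged + 1, attempts)
    return {account: dict(sources) for account, sources in stats.items()}

if __name__ == "__main__":
    for account, sources in failures_by_source(SAMPLE_EXPORT).items():
        for source, (logged, attempts) in sources.items():
            print(f"{account:10} {source:12} logged={logged} attempts={attempts}")
```

A source whose logged count is a multiple of its attempt count points at the client-side multiplication; a source with evenly spaced single failures points at a stale session or cached credentials.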