Re: Account lockouts
From: sunil gottumukkala [MSFT] (sunilgot_at_online.microsoft.com)
Date: 04/29/03
- In reply to: Joe Richards [MVP]: "Re: Account lockouts"
- Next in thread: Mark Palmer: "Re: Account lockouts"
Date: Tue, 29 Apr 2003 10:09:56 -0700
I second that, you cannot set per-user policy or exclude some users from
domain account policy.

A couple of things to look for: stale net use connections. If you log off and
log back in and you had 'net use' connections in the last session, Windows
will automatically try to connect to those net use connections again with
the password that you just logged on with (even if you net used with a
different user altogether earlier). And the worst part is it might try it
more than once depending on if there are terminal service sessions that are
open at that time.

Note that all the above can happen even if the password hasn't been changed
recently.

A good practice would be to set a decent "max password age" and set a
reasonably high "Bad password count" and also reasonably low "lockout
observation window".

Hope this helps.

thanks,
-Sunil.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm"

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message news:#nGjSueDDHA.1888@TK2MSFTNGP12.phx.gbl...
> First off you can't disable lockout policy for specific accounts, it is a domain wide setting.
>
> Second, enable auditing on your domain controllers and member servers, specifically the logon failures auditing categories and then look in your security logs. In the several years I have been managing the 250k+ userids in my domains, I was always able to track the bad passwords events to specific machines. It could be applications running in the background with cached credentials or it could be the people are logged on in places they didn't think they were. In fact just today I processed a trouble ticket for a person who would have sworn on their parents lives they were logged on in multiple locations so I dumped the event logs and found out they had a terminal service session open to a machine they hadn't touched in months.
>
> Note that Win9x machines do have bugs that cause them to cause multiple bad attempts for every one real attempt. Depending on hotfixes installed on the machines you could get 2 or 3 bad attempts. This means if you have the concept of a 5 bad password lockout policy and you have Win9x machines, you should probably actually set your policy to 15 bad password hits.
>
> Finally, apply every single hot fix available for your domain controllers that have anything to do with the authentication bins such as LSASS, Kerberos, etc and also consider increasing the timeout value for connections on any file/print servers that the Win9x clients have to hit because there is a known issue with Win9x machines sending bad credentials to servers when RE-Establishing connections that have timed out due to inactivity.
>
> --
> Joe Richards
> www.joeware.net
>
> --
>
> "Mark Palmer" <mp@no.spam.com> wrote in message news:008901c30dda$d9b78320$a601280a@phx.gbl...
> > I have been trying to find the solution to this problem
> > for so long, I am going crazy. I have a few user
> > accounts that are continuously being locked out even
> > though correct passwords are supplied. I have disabled
> > the account lockout policy on these accounts but it is
> > still happening. The clients are using Windows 98 to log
> > on to a single server. Can someone please throw me a
> > line whilst I still have some hair left.
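The following is an added example, not part of the thread or written by its posters: it replays audited logon failures against a bad-password threshold and lockout observation window, and reports which source machines contributed to each lockout. The account names, machine names, timestamps and the simplified counter model (the count resets when the gap since the previous failure exceeds the window) are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

T0 = datetime(2003, 4, 29, 9, 0, 0)

# Constructed sample of audited logon failures: (time, account, source machine).
# TS01 stands for a stale terminal-service session retrying old credentials;
# WIN98-07 stands for a client that logs 3 failures for one mistyped password.
FAILURES = [
    (T0, "user1", "TS01"),
    (T0 + timedelta(seconds=1), "user1", "TS01"),
    (T0 + timedelta(minutes=5), "user2", "WIN98-03"),
    (T0 + timedelta(minutes=10), "user1", "WIN98-07"),
    (T0 + timedelta(minutes=10), "user1", "WIN98-07"),
    (T0 + timedelta(minutes=10, seconds=1), "user1", "WIN98-07"),
    (T0 + timedelta(minutes=20), "user1", "TS01"),
]


def find_lockouts(failures, threshold, window):
    """Return [(account, lockout_time, Counter of source machines)].

    Simplified model (assumption): each failure increments the account's
    counter; the counter restarts when more than `window` has elapsed
    since that account's previous failure.
    """
    state = {}      # account -> (last failure time, list of sources counted)
    lockouts = []
    for ts, account, source in sorted(failures):
        last, sources = state.get(account, (None, []))
        if last is not None and ts - last > window:
            sources = []                    # observation window expired
        sources = sources + [source]
        if len(sources) >= threshold:
            lockouts.append((account, ts, Counter(sources)))
            sources = []                    # counter starts over after lockout
        state[account] = (ts, sources)
    return lockouts


if __name__ == "__main__":
    for threshold in (5, 15):
        hits = find_lockouts(FAILURES, threshold, timedelta(minutes=30))
        print("threshold", threshold, "->", hits or "no lockout")
```

With the constructed data, a threshold of 5 locks out user1 after a single mistyped password because the stale session had already used two attempts; a threshold of 15 or a 5-minute window does not.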