Re: Account lockouts

From: Mark Palmer (mp_at_no.spam.com)
Date: 04/30/03

Date: Tue, 29 Apr 2003 23:34:09 -0700

Yes, you are most indeed correct in saying that to disable
lockout policy is in fact a domain-wide setting; I had
worded my explanation incorrectly. However, what I do
not understand is that if it is disabled (which it is) I
should not be having this problem ... or am I still
missing something? I do have every hotfix/update
installed on both the server and clients, but I will try
increasing the timeout value for the file server. Thanks
very much for your recent reply.

Joe Richards wrote:

> First off you can't disable lockout policy for specific
> accounts, it is a domain wide setting.
>
> Second, enable auditing on your domain controllers and
> member servers, specifically the logon failures auditing
> categories and then look in your security logs. In the
> several years I have been managing the 250k+ userids in my
> domains, I was always able to track the bad passwords
> events to specific machines. It could be applications
> running in the background with cached credentials or it
> could be the people are logged on in places they didn't
> think they were. In fact just today I processed a trouble
> ticket for a person who would have sworn on their parents
> lives they were logged on in multiple locations so I dumped
> the event logs and found out they had a terminal service
> session open to a machine they hadn't touched in months.
>
> Note that Win9x machines do have bugs that cause them to
> cause multiple bad attempts for every one real attempt.
> Depending on hotfixes installed on the machines you
> could get 2 or 3 bad attempts. This means if you have the
> concept of a 5 bad password lockout policy and you have
> Win9x machines, you should probably actually set your
> policy to 15 bad password hits.
>
> Finally, apply every single hot fix available for your
> domain controllers that have anything to do with the
> authentication bins such as LSASS, kerberos, etc and
> also consider increasing the timeout value for
> connections on any file/print servers that the Win9x
> clients have to hit because there is a known issue with
> Win9x machines sending bad credentials to servers when
> RE-Establishing connections that have timed out due to
> inactivity.
>
> --
> Joe Richards
> www.joeware.net
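As an added illustration of the log-tracing advice in the quoted reply (this is not code from the thread), the script below aggregates logon-failure audit records by account and source workstation so the machine that keeps sending bad passwords stands out. The log lines are constructed in a simplified field=value form; event id 529 is the Windows 2000-era "unknown user name or bad password" logon failure, and the threshold check treats the Win9x multiplier from the reply as a configurable assumption.

```python
"""Trace bad-password audit events to their source workstation."""
import re
from collections import defaultdict

# Constructed sample records (not real log output), simplified from the
# Security log fields: event id, user, domain, workstation, logon type.
SAMPLE_LOG = """\
2003-04-29 22:10:03 EventID=529 User=jsmith Domain=CORP Workstation=WS-OLD-TS LogonType=10
2003-04-29 22:10:03 EventID=529 User=jsmith Domain=CORP Workstation=WS-OLD-TS LogonType=10
2003-04-29 22:10:04 EventID=529 User=jsmith Domain=CORP Workstation=WS-OLD-TS LogonType=10
2003-04-29 22:15:11 EventID=529 User=jsmith Domain=CORP Workstation=WIN98-LAB1 LogonType=3
2003-04-29 22:15:11 EventID=529 User=jsmith Domain=CORP Workstation=WIN98-LAB1 LogonType=3
2003-04-29 22:20:00 EventID=529 User=bjones Domain=CORP Workstation=WS-DESK7 LogonType=2
2003-04-29 22:21:00 EventID=528 User=bjones Domain=CORP Workstation=WS-DESK7 LogonType=2
"""

LINE_RE = re.compile(r"EventID=(\d+) User=(\S+) Domain=(\S+) Workstation=(\S+)")
FAILURE_IDS = {"529"}  # 529 = logon failure: unknown user name or bad password


def failures_by_source(log_text):
    """Count failed logons keyed by (DOMAIN\\user, workstation)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not carry the fields we need
        event_id, user, domain, workstation = m.groups()
        if event_id in FAILURE_IDS:
            counts[(f"{domain}\\{user}", workstation)] += 1
    return dict(counts)


def worst_source_per_account(counts):
    """For each account, the workstation producing the most failures."""
    best = {}
    for (account, workstation), n in counts.items():
        if account not in best or n > best[account][1]:
            best[account] = (workstation, n)
    return best


def accounts_at_risk(counts, policy_threshold, win9x_multiplier=1):
    """Accounts whose total failures reach the lockout threshold.

    win9x_multiplier > 1 models the reply's note that a Win9x client can
    generate 2-3 bad attempts per real attempt (assumed value, not measured).
    """
    totals = defaultdict(int)
    for (account, _ws), n in counts.items():
        totals[account] += n
    effective = policy_threshold * win9x_multiplier
    return sorted(a for a, n in totals.items() if n >= effective)
```

Run it over an export of the Security log after enabling logon-failure auditing, and the (account, workstation) pair with the highest count is the first place to look for a stale session or cached credential.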
