Re: Account Lockout
From: Alaa Abdelhalim [MSFT] (alaa_at_online.microsoft.com)
Date: 06/11/03
- Next message: krish shenoy[MS]: "Re: Offline Root CA"
- Previous message: GIE: "Terminal Server issue"
- In reply to: Craig Richardson: "Re: Account Lockout"
Date: Wed, 11 Jun 2003 13:15:05 -0700
Hello Vincent,
Hello Craig,
Thank you for the machine configuration information. Can you also include
what account lockout settings you're using on your domains? (Account lockout
threshold, duration, and observation window)
You don't need to worry about the cached credentials I mentioned earlier
because I was referring to credentials explicitly stored by users in a
"credential store", which is a feature of Windows XP and Windows Server
2003.
However, I have one more question for you: Do any of the users who get
locked out happen to be logged on to other machines that were locked with
their old password?
For example, if User1 logs onto 2 workstations and then changes their
password on one of them, the other workstation would still be using the old
password. And if it happens to have open connections to network resources,
it could, depending on your patch level, cause accounts to be locked out.
Two other tools that would be useful for this inquiry are:
1. Enable account management and account logon on your domain if not already
enabled. Check the event viewer for failed logon attempts and account
lockouts. These could give you a clue as to where the invalid logon attempts
are coming from.
2. If you have access to the resource kit, install it and see if you can
locate a tool called ldp.exe. This could enable us to look at a user
attribute that isn't part of the normal UI called badPwdCount. This would
let us know how many invalid logon attempts were made on a locked account
(just to verify things are working as expected since one of you mentioned
that users get locked out after one attempt).
--
Alaa Abdelhalim [MSFT]
-----
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

"Craig Richardson" <crichsys@ix.netcom.com> wrote in message
news:O6cegB2LDHA.2256@TK2MSFTNGP11.phx.gbl...
> Hey all,
>
> I'm having similar issues. My DCs are W2K, SP3, my cluster is W2K SP2, and
> my clients are W2K Prof and the service packs vary from SP2 and SP3. Many
> users get locked out after their password expires and they change it. Some
> users get locked out while they're logged on. All of a sudden, their access
> to a particular resource gets blocked. When I check their account, it's
> locked. This is a daily problem. Sorry for interrupting!
>
> Craig.
>
> "Vincent Brown" <vincent.brown@equityone.com> wrote in message
> news:0c4501c32f50$7d95bc00$a401280a@phx.gbl...
> > The clients are running on Windows 2000 Professional and
> > the domain controllers are all running Windows 2000 Server
> > with SP3. The weird thing is that a handful of clients
> > get locked out in two instances:
> >
> > 1. When they log in first thing in the morning.
> > 2. While they are logged in (after I have unlocked their
> > accounts).
> >
> > The clients are running on desktop PCs. I would think
> > that the cached credentials issue would come more into
> > play with our users with docking station laptops that are
> > taken home.
> >
> > Any insights you could provide would be helpful.
> >
> > >-----Original Message-----
> > >Hello Vincent,
> > >First, I would like to recommend that you provide more info on the
> > >operating systems run on your clients and domain controllers so that we know
> > >what versions we're talking about.
> > >From your description below, the issue could be caused by various
> > >circumstances. One of the most common ones is if these users happen to be
> > >using Windows XP or Windows Server 2003 to store cached credentials to other
> > >remote servers. If the cached credentials go out of date (or if they have
> > >open "net uses" to other servers with old creds), then accounts could get
> > >locked out due to automatic logon retries with bad passwords.
> > >
> > >--
> > >Alaa Abdelhalim [MSFT]
> > >-----
> > >This posting is provided "AS IS" with no warranties, and confers no rights.
> > >Please do not send e-mail directly to this alias. This alias is for
> > >newsgroup purposes only.
> > >
> > >"Vincent Brown" <vincent.brown@equityone.com> wrote in message
> > >news:024c01c32ec6$0b108460$a601280a@phx.gbl...
> > >> This issue sort of has a twist to it. The account lockout
> > >> seems to occur while the user is still logged in. As long
> > >> as they don't deliberately log out or the PC doesn't
> > >> timeout and lock itself, the user is OK.
> > >>
> > >> Any ideas?
> > >>
> > >> >-----Original Message-----
> > >> >On 6/6/03 10:36 PM, in article 064601c32c9d$aba327f0$a301280a@phx.gbl,
> > >> >"Craig" <cmanske@houston.rr.com> wrote:
> > >> >
> > >> >> Vincent,
> > >> >>
> > >> >> If these are XP clients there is a new feature in XP that
> > >> >> will cache passwords for network resources on the local
> > >> >> desktop. When the user logs in...it tries to use those
> > >> >> credentials several times before the user ever gets to
> > >> >> see the desktop come up. My guess would be that all of
> > >> >> the users that are having this problem have recently
> > >> >> changed their passwords and the cached password is
> > >> >> locking them out.
> > >> >>
> > >> >> Go to control panel \ Users \ Advanced I believe....
> > >> >>
> > >> >> If that's not it look for any drives that are mapped using
> > >> >> old credentials....or Terminal Server connections that
> > >> >> may have an idle session using the old password.
> > >> >>
> > >> >> The event logs on your PDC should give you a clue as to
> > >> >> where the lockouts are coming from.
> > >> >>
> > >> >> Good luck,
> > >> >>
> > >> >> Craig
> > >> >>> -----Original Message-----
> > >> >>> I have a handful of users that experience account lockouts
> > >> >>> every time they try to log in. Even though our default
> > >> >>> domain policy says they have 5 retries before account
> > >> >>> lockout, the account locks. Also notice that every time
> > >> >>> they log in, the account always says that it has expired
> > >> >>> even though it is set to never expire.
> > >> >>>
> > >> >>> Anyone have any clue about what this is and more
> > >> >>> importantly, how to fix it?
> > >> >>>
> > >> >>> Please advise ASAP.
> > >> >>>
> > >> >>> Thanks,
> > >> >>>
> > >> >>> Vincent.
> > >> >>> .
> > >> >
> > >> >This is not a new feature in Windows XP, but has been part of the Windows NT
> > >> >technology group since 3.5, it's called Cached Account Credentials, and will
> > >> >only be checked if there is no DC to verify Username/Password.
> > >> >
> > >> >.
> > >
> > >.
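The thread's two diagnostic questions (what lockout threshold and observation window are in force, and which machine the bad-password attempts come from) can be worked through together. The following is an added example, not part of the original posts: the event records are constructed, the tuple layout and function name are hypothetical, and the counter is a simplified model of the lockout policy rather than the domain controller's actual implementation.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: failed-logon records as (time, account, source workstation).
# In practice these would be exported from the Security log on the domain controllers.
SAMPLE_EVENTS = [
    ("2003-06-11 08:00:05", "user1", "WKS-A"),
    ("2003-06-11 08:40:00", "user1", "WKS-B"),
    ("2003-06-11 08:40:02", "user1", "WKS-B"),
    ("2003-06-11 08:40:04", "user1", "WKS-B"),
    ("2003-06-11 08:40:06", "user1", "WKS-B"),
    ("2003-06-11 08:40:08", "user1", "WKS-B"),
    ("2003-06-11 09:15:00", "user2", "WKS-C"),
]

def find_lockouts(events, threshold=5, window_minutes=30):
    """Replay failed logons against a simplified lockout counter.

    Model (assumption): the per-account bad-password count resets to zero when
    the gap since the previous failure exceeds the observation window, and the
    account locks when the count reaches the threshold.
    """
    window = timedelta(minutes=window_minutes)
    state = {}      # account -> (count, last failure time, sources in current run)
    lockouts = []
    for stamp, account, source in sorted(events):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        count, last, sources = state.get(account, (0, None, Counter()))
        if last is not None and when - last > window:
            count, sources = 0, Counter()   # observation window elapsed
        count += 1
        sources[source] += 1
        if count >= threshold:
            lockouts.append({
                "account": account,
                "locked_at": when,
                "bad_pwd_count": count,
                "top_source": sources.most_common(1)[0][0],
                "sources": dict(sources),
            })
            count, sources = 0, Counter()   # start a fresh run after the lockout
        state[account] = (count, when, sources)
    return lockouts

if __name__ == "__main__":
    for hit in find_lockouts(SAMPLE_EVENTS):
        print(hit["account"], "locked at", hit["locked_at"],
              "mostly from", hit["top_source"], hit["sources"])
```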