Re: Account lockout

From: Alex Zhang (v-qiz_at_online.microsoft.com)
Date: 04/23/04

• Next message: Robert: "Backingup causes regedit to fail"
• Previous message: Solution Statement from SHPainter3: "Cannot access Default Domain Conrollers Policy -- DCPROMO error"
• In reply to: Steven L Umbach: "Re: Account lockout"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 23 Apr 2004 03:32:37 GMT

Hello Michal,

Thank you for posting here.

I'd like provide some information to you as a supplement.

You could use the following tool to troubleshoot account lockouts, as well
as add functionality to Active Directory.

Account Lockout and Management Tools
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-
8629-B999ADDE0B9E&displaylang=en

In addition, you may browse the following web site for more inforamtion:

Enabling Debug Logging for the Net Logon Service
http://support.microsoft.com/default.aspx?scid=kb;EN-US;109626

If you have any questions or concerns, please do not hesitate to let me
know. I am happy to be of assistance.
Thanks and regards,
Alex Zhang
Microsoft Partner Online Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Steven L Umbach" <sumbach@N0spam.ameritech.net>
| References: <2bc201c42864$de93df10$a301280a@phx.gbl>
| Subject: Re: Account lockout
| Date: Thu, 22 Apr 2004 10:02:54 -0500
| Lines: 36
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
| Message-ID: <u0UnlqHKEHA.1348@TK2MSFTNGP12.phx.gbl>
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: adsl-68-78-64-90.dsl.emhril.ameritech.net 68.78.64.90
| Path:
cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12
phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.security:25704
| X-Tomcat-NG: microsoft.public.win2000.security
|
| You would also want to enable auditing of logon events on his workstation
| and any other computers/servers that the user may usually use looking for
| failed logon attempts with that account name on those computers. It could
| possibly be that the user is still logged onto another computer [Terminal
| Services or such] with an old password, that a mapped share with
persistent
| credentials is used with old/bad password, or a Scheduled Task is using
the
| users wrong password. Hopefully it is not a jokester on the network
because
| the lockout could be ocurring on any computer that has file and print
| sharing enabled and that would not show up in the domain controller logs
| like a bad attempt to logon the the domain interactivley would. The link
| below is excellent at tips on how to track such issues down about two
thirds
| the way down under heading of "Troubleshooting Account Lockout. --- Steve
|
|
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
security/bpactlck.mspx
|
| "Sloup Michal" <michal.sloup@cz.glaverbel.com> wrote in message
| news:2bc201c42864$de93df10$a301280a@phx.gbl...
| > We are runnig W2K Domain. One of our users suddenly gets
| > locked out (regularly). I used EventComb to search all our
| > DC (we have almost 60) for some events.
| >
| > I'm able to find events 642 and 644. Also I can see events
| > 675 (failure code 18) and 681 (error code 3221226036).
| >
| > It means that I can find the moment when the account is
| > locked, but I need also to know why! So I need to find
| > some events 675 or 681 with code 24 or 3221225578.
| >
| > Can anyone advice where to look or what to switch on,
| > etc...
| >
| > Any hint is appreciated.
| >
| > Michal
|
|
|

• Next message: Robert: "Backingup causes regedit to fail"
• Previous message: Solution Statement from SHPainter3: "Cannot access Default Domain Conrollers Policy -- DCPROMO error"
• In reply to: Steven L Umbach: "Re: Account lockout"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: Event ID 537 and Kerberos ... a logon type of 3 translates to Network. ... Click Services tab and select Hide All Microsoft Services and Disable ... Step 4: Configure account lockout policy. ... and then click Account Lockout Policy. ... (microsoft.public.windows.server.sbs) Re: Last logon time in Active Directory - solution ... Good documentation around this toolkit and account lockout in general is ... > Recently we were trying to find a way to obtain the last logon ... > functionality in the Active Directory Users & Computers MMC to do ... (microsoft.public.windows.server.active_directory) RE: Logon Failures ... logon failures from a external address. ... First, please look at the SBS security event log, and let me know the event ... Configure account lockout policy. ... (microsoft.public.windows.server.sbs) Re: EVent ID 529- Need some interpretation ... password policy including password changes occur frequently. ... Account Lockout Threshhold ... login failures from other child domain. ... Logon Failure: ... (microsoft.public.windows.server.active_directory) Re: Authentication issue ... troubleshooting account lockout issue is complicated. ... Please enable the user logon audit in your domain. ... If the client computer of that user is running Windows XP. ... (microsoft.public.win2000.networking)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint