Re: Windows 2003 Password Expiration

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/25/04

    Date: Sun, 25 Apr 2004 03:48:59 GMT
    
    

    On the domain controller, try using the command "net user username" [substituting
    actual username] to see what it reports for a user account as far as expiring when
    you have it set to never in the user account properties. Are the accounts themselves
    expiring or the passwords or both? You may also want to check the maximum password
    age reported with "net accounts" on the domain controller. Also check that your
    account lockout threshold in Domain Security Policy is not too low and keep in mind
    that account/password policy can only be set at the domain level for domain users.
    Microsoft recommends no less than ten. Old passwords used in Scheduled Tasks and
    mapped drives are a common cause of account lockouts. Enabling auditing of logon
    events on the users' workstations and any servers that they may use may prove helpful
    in tracking down lockouts. Auditing should already be enabled on the W2003 domain
    controller. Logon events for success and failure are recorded in the security log in
    Event Viewer after auditing has been enabled. --- Steve

    "Mike Bazelon" <mbazelon@intellicomp.us> wrote in message
    news:79326516.0404241911.6e263308@posting.google.com...
    > I have a new Windows 2003 server which I migrated users from Novell
    > using MS services for netware sp2. The conversion did not have any
    > issues, but I am having issues with account expiration and lockout.
    > Accounts seem to expire within 24 hours. I have set the password
    > never expires check box, checked the global policies, looked through
    > ADSIedit, and used ALtools to look at the advanced options in the
    > account. The only option that works is the Account expires option.
    > If I set that ahead then the users will not see any more errors. Does
    > anyone have any advice? Thanks for your help.
    >
    >
    > Mike
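
Added example, not part of the original post or of any Microsoft tool: a small Python parser that reads saved "net user username" output and reports whether the account, the password, or both are about to stop a logon, which is the distinction the reply asks about. The sample output is constructed, and the field labels and US-style date format are assumptions about an English-locale domain controller.

```python
from datetime import datetime, timedelta

# Constructed sample of `net user <username>` output (not taken from the thread).
SAMPLE_NET_USER = """\
User name                    jdoe
Full Name                    Jane Doe
Account active               Yes
Account expires              4/26/2004 12:00 AM

Password last set            4/24/2004 7:11 PM
Password expires             Never
Password changeable          4/25/2004 7:11 PM
Password required            Yes
"""

FIELDS = ("Account active", "Account expires", "Password expires")

def parse_net_user(text):
    """Return the expiry-related fields of `net user` output as a dict."""
    found = {}
    for line in text.splitlines():
        for name in FIELDS:
            if line.startswith(name):
                found[name] = line[len(name):].strip()
    return found

def _when(value):
    """Parse a timestamp as printed by net user (US locale assumed); 'Never' -> None."""
    if value.lower() == "never":
        return None
    return datetime.strptime(value, "%m/%d/%Y %I:%M %p")

def diagnose(text, now, window=timedelta(hours=24)):
    """List what will block logon within `window`: account state, account or password expiry."""
    fields = parse_net_user(text)
    findings = []
    active = fields.get("Account active", "Yes")
    if active.lower() != "yes":
        findings.append(f"account not active (net user reports '{active}')")
    for name, label in (("Account expires", "account"), ("Password expires", "password")):
        when = _when(fields.get(name, "Never"))
        if when is not None and when - now <= window:
            findings.append(f"{label} expires {when:%Y-%m-%d %H:%M}")
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_NET_USER, datetime(2004, 4, 25, 3, 48)))
```
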

