Re: Windows 2003 Password Expiration

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/25/04


Date: Sun, 25 Apr 2004 04:00:29 GMT

I should also add to run netdiag and dcdiag on your domain controller first and if
that checks out OK with no failed tests/errors/warnings particularly for dns, dclist,
and domain membership then run netdiag on a couple of your workstations.
Misconfiguration of particularly dns in a W2K/W2003 domain can cause a lot of
problems [domain controller must point to itself and workstations to the DC as
preferred dns server] as can some security options. If that is the case, users may
also unknowingly be logging on with "cached credentials" which can make it all the
more difficult in tracking down what the problem is. Netdiag and dcdiag are on the
install cd in the support/tools folder where you need to run setup. Make sure you
install the version for the proper operating system as installing the W2K version on
XP Pro or W2003 will not work right. --- Steve

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:LyGic.25681$IW1.1243556@attbi_s52...
> On the domain controller, try using the command "net user username" [substituting
> actual username] to see what it reports for a user account as far as expiring when
> you have it set to never in the user account properties. Are the accounts themselves
> expiring or the passwords or both?? You may also want to check the maximum password
> age reported with "net accounts" on the domain controller. Also check that your
> account lockout threshold in Domain Security Policy is not too low and keep in mind
> that account/password policy can only be set at the domain level for domain users.
> Microsoft recommends no less than ten. Old passwords used in Scheduled Tasks and
> mapped drives are a common cause of account lockouts. Enabling auditing of logon
> events on the users' workstations and any servers that they may use may prove helpful
> in tracking down lockouts. Auditing should already be enabled on the W2003 domain
> controller. Logon events for success and failure are recorded in the security log in
> Event Viewer after auditing has been enabled --- Steve
>
>
> "Mike Bazelon" <mbazelon@intellicomp.us> wrote in message
> news:79326516.0404241911.6e263308@posting.google.com...
> > I have a new Windows 2003 server which I migrated users from Novell
> > using MS services for netware sp2. The conversion did not have any
> > issues, but I am having issues with account expiration and lockout.
> > Accounts seem to expire within 24 hours. I have set the password
> > never expires check box, checked the global policies, looked through
> > ADSIedit, and used ALtools to look at the advanced options in the
> > account. The only option that works is the Account expires option.
> > If I set that ahead then the users will not see any more errors. Does
> > anyone have any advice? Thanks for your help.
> >
> >
> > Mike
>
>
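
Added example, not part of the original thread: a small Python parser for the English-locale text output of "net user username" and "net accounts", used to separate account expiration from password expiration and to flag a lockout threshold below the ten mentioned above. The sample output and the user name jdoe are constructed for illustration; the function names are hypothetical.

```python
import re

# Constructed sample output (English locale), not taken from the thread.
NET_USER = """\
User name                    jdoe
Account active               Yes
Account expires              4/25/2004 12:00 AM

Password last set            4/24/2004 7:11 PM
Password expires             Never
The command completed successfully.
"""

NET_ACCOUNTS = """\
Maximum password age (days):                          42
Lockout threshold:                                    3
Lockout duration (minutes):                           30
The command completed successfully.
"""

# "net user" separates label and value with runs of spaces;
# "net accounts" puts a colon after the label first.
FIELD = re.compile(r"^(.+?):?\s{2,}(.*)$")

def parse(text):
    """Return {label: value} for every 'label   value' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def findings(user_text, accounts_text, min_threshold=10):
    """List the settings that could explain expiry or lockout symptoms."""
    user, policy = parse(user_text), parse(accounts_text)
    out = []
    if user.get("Account expires", "Never") != "Never":
        out.append("account expires " + user["Account expires"])
    if user.get("Password expires", "Never") != "Never":
        out.append("password expires " + user["Password expires"])
    if user.get("Account active", "Yes") != "Yes":
        out.append("account active = " + user["Account active"])
    thr = policy.get("Lockout threshold", "Never")
    if thr.isdigit() and int(thr) < min_threshold:
        out.append(f"lockout threshold {thr} is below {min_threshold}")
    return out

if __name__ == "__main__":
    for item in findings(NET_USER, NET_ACCOUNTS):
        print(item)
```
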


