Re: Windows 2000 users accounts get locked out

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/20/04


Date: Thu, 20 May 2004 05:27:20 GMT

Event ID 642 will be recorded with every Event ID 644 -- that is normal. If you want
to modify password/lockout policy you have to do it at the domain level which would
be "Domain Security Policy" in a default installation - it will NOT work if you do it
in Domain Controller Security Policy.

Have you found any failed logon event IDs on any domain computer? That is the place
to start to track down the problem to see if you have an infected machine or what.
The error for ,***StartServiceW Failed!*** would only be pertinent if you found that
on a computer experiencing account lockouts AND the lockout time corresponded to the
time for that event in the alockout.dll log.

Have you had a chance to run netdiag and dcdiag on the domain controller and netdiag
on a domain client? If so, did the results look good or were there any reported
problems? --- Steve

"Merrick" <anonymous@discussions.microsoft.com> wrote in message
news:eed101c43d78$7eb1fc20$a401280a@phx.gbl...
> Hi Steve,
> You have been a great help! I really appreciated it. As to
> my problem:
> 1.) I have disabled my accounts lockout policy in my
> domain controller security policy but I still get accounts
> locked out, yes the administrator is always locked out.
> 2.) I have included 644 and 642 in my eventcomb and for
> every 644 I got one 642. MS provides very little
> information on 642 and I am still trying to gather
> information on that. It seems like my secure channel is
> leaking.
> 3.) I have also planted alockout.dll in one of my clients
> and one particular line is worrying me: C:\WINNT\system32
> \svchost,***StartServiceW Failed!*** (0), Service:
> Service: Background Intelligent Transfer Service
> (C:\WINNT\System32\svchost.exe -k BITSgroup), RC was:
> Incorrect function. (1), GLE was: Overlapped I/O
> operation is in progress. (997): Any comment?
>
> Hope you can help! Many Thanks in advance!
>
>
> >-----Original Message-----
> >Hi again Merrick.
> >
> >If you have not done such, set your account lockout threshold for number of
> >bad attempts to at least ten. You should be seeing failed logon attempts
> >such as Event ID 529 on some computers in the domain. These failed logons
> >could be on any computer in the domain - not just domain controllers. Be
> >sure you have auditing of "logon events" for failure which is different than
> >account logon events enabled in Domain Security Policy and Domain Controller
> >Security Policy. You may also need to configure it at the OU level if you
> >are using Organizational Units with their own Group Policies that have
> >auditing disabled. You can check the Local Security Policy of any domain
> >computer and look at the "effective" settings for auditing to see if it is
> >enabled. Those failed logon events will give a lot of helpful info on why
> >the logons are failing and from what computers the logon attempts are coming
> >from.
> >
> >In addition I would run some diagnostics on the domain controller and then a
> >couple domain computers. First run netdiag on the domain controller looking
> >for any failed tests/errors/warnings particularly relating to dns, domain
> >membership, and dclist. Then run dcdiag on the domain controller looking for
> >failed tests again. After that do the same with netdiag on one of the domain
> >members. On the domain controller and domain member run " netdiag
> >/test:ipsec " which will show if an ipsec policy is assigned that can cause
> >problems in a domain. You can post results here in a reply if any problems
> >are found. Those tools are found on the install cdrom in the support/tools
> >folder where you will need to run the setup there. -- Steve
> >
> >
> >"Merrick" <anonymous@discussions.microsoft.com> wrote in message
> >news:e7fb01c43cb0$4343bd40$a001280a@phx.gbl...
> >> Hi guys! Thanks for the help. I have scanned my firewall as
> >> suggested by Steven and all my ports are secured. I have
> >> also increased my password threshold to 10 minutes. I have
> >> patched all my software for my servers and users. All my
> >> users are using Windows 2000 only. I have also renamed my
> >> administrator for my server. I have downloaded EventCombMT
> >> from MS and managed to search all my events log. I have a
> >> long list of event ID: 644. Yet when I go through the list
> >> I still don't understand why my users are getting locked
> >> out! This happened suddenly and I have never changed any
> >> thing to my servers. My accounts are still getting locked
> >> out and yet I still don't know why! Please help. Many
> >> thanks in advance!
> >> Merrick
> >
> >
> >.
> >
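
The correlation discussed in this thread, matching each Event ID 644 lockout to the Event ID 529 failed logons that preceded it so the source workstation stands out, as an added example that is not part of the original posts. The CSV layout, the sample events and the function names are assumptions made for illustration; this is not EventCombMT's own output format.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample, one event per line (an assumed CSV layout, not
# EventCombMT's own output): time, event ID, logging computer, account, source.
SAMPLE = """\
2004-05-18 16:40:00,529,WS-014,jsmith,WS-014
2004-05-19 09:01:10,529,FILESRV1,jsmith,WS-022
2004-05-19 09:01:40,529,FILESRV1,jsmith,WS-022
2004-05-19 09:02:05,529,FILESRV1,jsmith,WS-022
2004-05-19 09:02:30,529,WS-014,JSmith,WS-014
2004-05-19 09:02:31,644,DC1,jsmith,FILESRV1
2004-05-19 11:00:00,644,DC1,administrator,DC1
"""

def parse(text):
    """Turn the CSV export into a list of event dicts."""
    events = []
    for when, event_id, computer, account, source in csv.reader(StringIO(text)):
        events.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "computer": computer,
            "account": account.lower(),  # account names are case-insensitive
            "source": source,
        })
    return events

def lockout_sources(events, window=timedelta(minutes=30)):
    """For each 644 lockout, count the 529 failures for the same account in
    the preceding window, grouped by the workstation they came from."""
    failures = [e for e in events if e["id"] == 529]
    report = []
    for lock in (e for e in events if e["id"] == 644):
        hits = Counter(
            f["source"] for f in failures
            if f["account"] == lock["account"]
            and timedelta(0) <= lock["time"] - f["time"] <= window
        )
        # An empty list means no audited failures were collected for this
        # lockout: check that failure auditing of logon events is in effect.
        report.append((lock["account"], lock["time"], hits.most_common()))
    return report

if __name__ == "__main__":
    for account, when, sources in lockout_sources(parse(SAMPLE)):
        print(account, when, sources or "no 529 events found")
```

A lockout that comes back with no matching failures, like the constructed administrator entry, points at missing failure auditing on the machines where the bad logons are happening rather than at an absence of bad logons.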


