Re: Windows 2000 users accounts get locked out
From: Merrick (anonymous_at_discussions.microsoft.com)
Date: 05/23/04
- Next message: orion: "Re: Problem with Policy Editor"
- Previous message: Justin: "Re: My computer has locked me out"
- In reply to: Steven L Umbach: "Re: Windows 2000 users accounts get locked out"
- Next in thread: Steven L Umbach: "Re: Windows 2000 users accounts get locked out"
- Reply: Steven L Umbach: "Re: Windows 2000 users accounts get locked out"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 22 May 2004 23:38:18 -0700
Hi Steve
Those machine names I mentioned are not in my network. I
have no idea why my users which are valid and the network
domain name which is also valid were locked out from funny
machine names! I have tried to capture 529 and 681 but my
eventcomb did not managed to find any of those errors.
As for my firewall, I have tried to scan them from outside
and my ports are blocked.
One thing for sure is when all my users are gone for the
day, no more locked out happen. But once they are back for
work, the locked out happens again. Apparently the locked
out issues were not someone trying to come in from beyond
my firewall.
I am still trying to figure out where the locked out
happen. Thanks for the help though!
have a great weekend!
>-----Original Message-----
>Hi Merrick.
>
>You say that those machines are on your network or not??
Can you ping those machines
>by their name and get a response? The caller machine is
the name of the machine that
>the user was attempting to logon from at the time of the
lockout. If those computers
>are on your network, you need to find out why they are
trying to logon as your users,
>such as a virus infection. If they are not from your
network then how are they
>getting access? You said your firewall is configured
correctly? Is your firewall
>allowing any access from the internet such as a web site,
vpn, or Terminal Services?
>The event ID displays what user is locked out and from
what machine but if you can
>find any failures for logons on any domain machine such
as 681 or 529, that would be
>helpful as it will help determine what domain computers
are being targeted for these
>failed logon attempts and then you could use a packet
sniffer such as Ethereal to
>monitor the traffic from the machine causing the lockout
to possibly help determine
>what is going on.. --- Steve
>
>"Merrick" <anonymous@discussions.microsoft.com> wrote in
message
>news:1021301c43f28$407ea5a0$a601280a@phx.gbl...
>> Hi Steve and serverguy
>>
>> Great help!
>> Yes i did a netdiag and seems ok but dcdiag generated
some
>> errors: one of which: "[warning] The DNS host name 'xxx'
>> valid only on Windows 2000 DNS servers. [DNS_ERROR-NON-
>> RFC_NAME], [WARNING] Cannot find a primary
authoriatative
>> DNS server for the name 'xxxx' may not be registered in
>> DNS"
>> Managed to read up some issues and rerun dcdiag and
>> cleared all the erros. Still my accounts get locked out.
>> The worst is my event log from eventcomp shows that my
>> valid users are being locked out by all sorts of foreign
>> manchine name, one of which is this:
>> 644,AUDIT SUCCESS,Security,Fri May 21 16:06:46 2004,NT
>> AUTHORITY\SYSTEM,User Account Locked Out: Target
>> Account Name: "valid user id" Target Account ID: %
>> ("numbers") Caller Machine Name: ANGEL Caller
User
>> Name: "my servername"$
>>
>> The Caller Machine Name: Angel is a remote machine name
in
>> my network. I have no idea what is that! A few others
>> Caller Machine Name are PROXYSRV, GNSERVER,
SERVIDOR ..??
>> what are those!?. Am trying to scan all my users for
virus
>> now.
>>
>> Thanks for helping !
>> Regards
>> Liew
>>
>> >-----Original Message-----
>> >Event ID 642 will be recorded with every Event ID 644 -
-
>> that is normal. If you want
>> >to modify password/lockout policy you have to do it at
>> the domain level which would
>> >be "Domain Security Policy" in a default installation -
>> it will NOT work if you do it
>> >in Domain Controller Security Policy.
>> >
>> >Have you found any failed logon event ID's on any
domain
>> computer? That is the place
>> >to start to track down the problem to see if you have
an
>> infected machine or what.
>> >The error for ,***StartServiceW Failed!*** would only
be
>> pertinent if you found that
>> >on a computer experiencing account lockouts AND the
>> lockout time corresponded to the
>> >time for that event in the alockout.dll log.
>> >
>> >Have you had a chance to run netdiag and dcdiag on the
>> domain controller and netdiag
>> >on a domain client? If so did the results look good or
>> were there any reported
>> >problems? --- Steve
>> >
>> >"Merrick" <anonymous@discussions.microsoft.com> wrote
in
>> message
>> >news:eed101c43d78$7eb1fc20$a401280a@phx.gbl...
>> >> Hi Steve,
>> >> You have been a great help! I really appreciated it.
As
>> to
>> >> my problem:
>> >> 1.) I have disabled my accounts lockout policy in my
>> >> domain contoller security policy but i still get
>> accounts
>> >> locked out, yes the administrator is always locked
out.
>> >> 2.) I have included 644 and 642 in my eventcomb and
for
>> >> every 644 i got one 642. MS provide very little
>> >> information on 642 and am still trying to gather
>> >> information on that. it seems like my secure channel
is
>> >> leaking.
>> >> 3.) I have also planted alockout.dll in one of my
>> clients
>> >> and one particular line is worrying me:
>> C:\WINNT\system32
>> >> \svchost,***StartServiceW Failed!*** (0), Service:
>> >> Service: Background Intelligent Transfer Service
>> >> (C:\WINNT\System32\svchost.exe -k BITSgroup), RC was:
>> >> Incorrect function. (1), GLE was: Overlapped I/O
>> >> operation is in progress. (997): Any comment?
>> >>
>> >> Hope you can help! Many Thanks in advance!
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >Hi again Merrick.
>> >> >
>> >> >If you have not done such, set your account lockout
>> >> threshhold for number of
>> >> >bad attempts to at least ten. You should be seeing
>> failed
>> >> logon attempts
>> >> >such as Event ID 529 on some computers in the
domain.
>> >> These failed logons
>> >> >could be on any computer in the domain - not just
>> domain
>> >> controllers. Be
>> >> >sure you have auditing of "logon events" for failure
>> >> which is different than
>> >> >account logon events enabled in Domain Security
Policy
>> >> and Domain Controller
>> >> >Security Policy. You may also need to configure it
at
>> the
>> >> OU level if you
>> >> >are using Organizational Units with their own Group
>> >> Policies that have
>> >> >auditing disabled. You can check the Local Security
>> >> Policy of any domain
>> >> >computer and look at the "effective" settings for
>> >> auditing to see if it is
>> >> >enabled. Those failed logon events will give a lot
of
>> >> helpful info on why
>> >> >the logons are failing and from what computers the
>> logon
>> >> attempts are coming
>> >> >from.
>> >> >
>> >> >In addition I would run some diagnostics on the
domain
>> >> controller and then a
>> >> >couple domain computers. First run netdiag on the
>> domain
>> >> controller looking
>> >> >for any failed tests/errors/warnings particularly
>> >> relating to dns, domain
>> >> >membership, and dclist. Then run dcdiag on the
domain
>> >> controller looking for
>> >> >failed tests again. After that do the same with
netdiag
>> >> on one of the domain
>> >> >members. On the domain controller and domain member
>> run "
>> >> netdiag
>> >> >/test:ipsec " which will show if an ipsec policy is
>> >> assigned that can cause
>> >> >problems in a domain. You can post results here in a
>> >> reply if any problems
>> >> >are found. Those tools are found on the install
cdrom
>> in
>> >> the support/tools
>> >> >folder where you will need to run the setup
there. --
>>
>> >> Steve
>> >> >
>> >> >
>> >> >"Merrick" <anonymous@discussions.microsoft.com>
wrote
>> in
>> >> message
>> >> >news:e7fb01c43cb0$4343bd40$a001280a@phx.gbl...
>> >> >> Hi guys! thanks for the help. I have scan my
>> firewall as
>> >> >> suggested by Steven and all my ports are secured.
I
>> have
>> >> >> also increase my password threashold to 10
minutes. I
>> >> have
>> >> >> patched all my software for my servers and users.
>> All my
>> >> >> users are using Windows 2000 only. I have also
>> rename my
>> >> >> administrator for my server. I have downloaded
>> >> EventCombMT
>> >> >> from MS and managed to search all my events log. I
>> have
>> >> a
>> >> >> long list of event ID: 644. Yet when i go through
the
>> >> list
>> >> >> I still don't understand why my users are getting
>> locked
>> >> >> out! This happened suddenly and I have never
changed
>> any
>> >> >> thing to my servers. My accounts is still getting
>> locked
>> >> >> out and yet I still dont know why! Please help.
Many
>> >> >> thanks in advance!
>> >> >> Merrick
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>
- Next message: orion: "Re: Problem with Policy Editor"
- Previous message: Justin: "Re: My computer has locked me out"
- In reply to: Steven L Umbach: "Re: Windows 2000 users accounts get locked out"
- Next in thread: Steven L Umbach: "Re: Windows 2000 users accounts get locked out"
- Reply: Steven L Umbach: "Re: Windows 2000 users accounts get locked out"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
