Re: Automatically user lockout - big problem

From: Juan (Juan_at_discussions.microsoft.com)
Date: 04/16/05


Date: Sat, 16 Apr 2005 07:37:05 -0700

Hi Steven!

EventCombMT was a really good tip. Thanks!
I've found out that there was a "zombie" session on a terminal server.

Thanks

Juan

PS: What is Netlogon logging? Can you enable it like Kerberos logging (in
the registry)???

"Steven L Umbach" wrote:

> Does this happen to all administrators or just these three?? Is it happening
> to any other users?? Check the security logs of the domain controllers to
> see if any helpful information is recorded. You will have to look in the
> security logs of all the domain controllers. By default logging of account
> logon events should be enabled for Windows 2003. If auditing of account
> management is not enabled for auditing, enable that also. You might want to
> try using netlogon logging to see what the source computer or computers are
> causing this via traceback to originating computer. If you enable auditing
> of logon events on domain computers an event will be recorded in the security
> log of the domain computer where the account was locked out and if it was a
> type 3 network logon it will show the source computer of the lockout. Event
> Comb can be used to scan domain computers for that account lockout event.
> If you are sure of the computer and can not track down the problem you may
> be better off reinstalling the operating system on those computers. Another
> possibility would be to install a personal firewall on the computer and wait
> for it to attempt to contact a domain controller or another computer at the
> hourly interval. The firewall probably would list the process that is trying
> to contact the remote computer. Sygate is great for such a purpose. As far
> as account lockout, Microsoft recommends that the account threshold be no
> less than ten bad attempts. --- Steve
>
>
>
> "Juan" <Juan@discussions.microsoft.com> wrote in message
> news:625CE6C8-8163-4163-B326-34D86CF1D930@microsoft.com...
> > Hello,
> >
> > we're running a W2K3 Active Directory. After deploying MS05-010, MS05-011
> > and MS05-012 on all our DCs, three of my colleagues are locked out
> > automatically every hour. - One of them has changed his passwords a few
> > days ago.
> >
> > In general this happens if you enter a wrong password more than a couple
> > of times, but they are sure that they are using the right passwords. - All
> > admin colleagues - no stupid users ...
> >
> > I've examined the security logs using Microsoft's Account Lockout and
> > management tools.
> > (http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en)
> >
> > The only thing that I can see is that the workstations on which my
> > colleagues are working from are the issuer of the request.
> >
> >
> > Can you confirm any relation to the hotfixes? Have you other ideas to
> > help?
> > Are there other tools to install on a client to check which application is
> > trying to authenticate using bad credentials? (Better than the
> > ALockout.dll does?)
> >
> >
> > We've checked for:
> > - mapped drives
> > - Locked servers
> > - Mapped printers
> > - Client Management applications
> > - Open sessions on terminal services
> >
> > - > No way. No idea.
> >
> >
> > Thanks in advance
> >
> >
> > Juan
>
>
>
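
Added example, not part of the thread: the Netlogon log that the quoted reply suggests for tracing the originating computer can be tallied per source host, which is how a stale terminal-server session like the one found here stands out. The line layout is an assumption about a typical netlogon.log, and the domain, hosts and accounts in the sample are constructed.

```python
import re
from collections import Counter

# NTSTATUS values that matter when tracing a lockout
STATUS = {0xC000006A: "bad_password", 0xC0000234: "locked_out"}

# Assumed netlogon.log layout: "MM/DD HH:MM:SS [LOGON] SamLogon: <kind> logon of
# DOMAIN\user from HOST [(via HOST)] Returns 0x...". "Entered" lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:.*?)SamLogon: "
    r".*?logon of (?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

def parse_line(line):
    """Return a dict for a completed SamLogon line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"], 16)
    rec["user"] = rec["account"].rsplit("\\", 1)[-1].lower()
    return rec

def failure_sources(lines, user):
    """Count failed logons for `user`, keyed by (source host, failure kind)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["user"] == user.lower() and rec["status"] in STATUS:
            counts[(rec["source"].upper(), STATUS[rec["status"]])] += 1
    return counts

# Constructed sample (hypothetical domain, hosts and accounts)
SAMPLE = r"""
04/16 06:00:02 [LOGON] SamLogon: Network logon of CORP\admin1 from TS01 Entered
04/16 06:00:02 [LOGON] SamLogon: Network logon of CORP\admin1 from TS01 Returns 0xC000006A
04/16 06:00:03 [LOGON] SamLogon: Network logon of CORP\admin1 from TS01 Returns 0xC000006A
04/16 06:00:04 [LOGON] SamLogon: Network logon of CORP\admin1 from TS01 Returns 0xC0000234
04/16 06:12:40 [LOGON] SamLogon: Interactive logon of CORP\admin1 from WS-ADMIN1 Returns 0xC0000234
04/16 06:13:11 [LOGON] SamLogon: Network logon of CORP\user7 from WS-USER7 Returns 0x0
04/16 07:00:02 [LOGON] SamLogon: Transitive Network logon of CORP\admin1 from TS01 (via FS02) Returns 0xC000006A
""".strip().splitlines()

if __name__ == "__main__":
    for (source, kind), n in failure_sources(SAMPLE, "admin1").most_common():
        print(f"{source:12} {kind:13} {n}")
```

The host with the most bad_password results is the one to inspect for disconnected sessions, services or mapped resources still using the old password; hosts that only show locked_out are seeing the effect, not causing it.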


