Re: Account Being Locked Somewhere

Hi Andrew,

Just as an aside, I set TS sessions to get scrubbed after being disconnected
to
so long, precisely to avoid such issues and to conserve availability of,
ensure
sharing of the two available administrative RDP sessions. I then just
advise
those allowed that if they are intending to run a long process in the
backbround,
disconnected, that they have a time limit (and need to log in and wiggle a
mouse).

Roger

"Andrew Hayes" <AndrewHayes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23rgeB9cxGHA.980@xxxxxxxxxxxxxxxxxxxxxxx
Turned on all the auditing and waited for it to be locked. Saw this:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 8/22/2006
Time: 4:53:39 PM
User: NT AUTHORITY\SYSTEM
Computer: DOMAINCONTROLLER
Description:
User Account Locked Out:
Target Account Name: USER
Target Account ID: DOMAIN\USER
Caller Machine Name: DATABASESERVER
Caller User Name: DOMAINCONTROLLER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x000)

It seems he had an old Remote Desktop Connection to the database server
that he had logged in with an old password. Rather than logging off, he
had just closed the window which kept the RDC session open. It must be
occasionally trying to connect using the supplied credentials for some
reason.

Connected to the database server, ran Terminal Services Manager, and
logged him off.

Will see if that was the only culprit.




.

Relevant Pages