Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Win 2003 ADS users get locked out [message #157348] Tue, 07 July 2009 02:37
DD (India)
Hi,
We have a Server 2003 network (2 Domain Controllers, 5 member servers, and
about 100 Windows XP SP3 clients). Of late we have noticed that the
random user would get into a lockout problem, i.e. all of a sudden their
account gets locked out. However, they do not get notified for any password
expiration or so. it happens again. It occurs while they are already logged
ie: the Internet Explorer starts looking for authentication done anything to
lock it out (ie: they haven't put in a bad password three times in
succession). We unlock their account and it worked fine for some time and
again it might be locked out.



Best Regards,
DD.
Re: Win 2003 ADS users get locked out [message #157349 is a reply to message #157348] Tue, 07 July 2009 02:50
meiweb(nospam) (Germany)
Hello DD,

Check with lockout tools for starting:
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Also check your systems for virus like conficker, which can also result in
lockouts:
http://support.microsoft.com/kb/962007

http://technet.microsoft.com/en-us/security/dd452420.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
> We have a Server 2003 network (2 Domain Controllers, 5 member servers,
> and
> about 100 Windows XP SP3 clients). Of late we have noticed that the
> random user would get into a lockout problem, i.e. all of a sudden
> their
> account gets locked out. However, they do not get notified for any
> password
> expiration or so. it happens again. It occurs while they are already
> logged
> ie: the Internet Explorer starts looking for authentication done
> anything to
> lock it out (ie: they haven't put in a bad password three times in
> succession). We unlock their account and it worked fine for some time
> and
> again it might be locked out.
> Best Regards,
> DD.
Re: Win 2003 ADS users get locked out [message #157351 is a reply to message #157348] Tue, 07 July 2009 02:48
florian (Switzerland)
Howdie!

DD wrote:
> Hi,
> We have a Server 2003 network (2 Domain Controllers, 5 member servers, and
> about 100 Windows XP SP3 clients). Of late we have noticed that the
> random user would get into a lockout problem, i.e. all of a sudden their
> account gets locked out. However, they do not get notified for any password
> expiration or so. it happens again. It occurs while they are already logged
> ie: the Internet Explorer starts looking for authentication done anything to
> lock it out (ie: they haven't put in a bad password three times in
> succession). We unlock their account and it worked fine for some time and
> again it might be locked out.

You need to turn on directory services auditing to gather event logs
with information on when, where and with which type of logon the
lockout occurred. It's hard to tell why lockouts occur without that piece of
information. Reasons could be:
- a malicious user trying to get those passwords
- a service/application that tries to authenticate with an old user password
- the conficker worm on an infected machine/on multiple infected machines
- a scheduled task with an old user password
- ..

Cheers,
Florian
Re: Win 2003 ADS users get locked out [message #157352 is a reply to message #157348] Tue, 07 July 2009 02:57
aceman (United States)
"DD" <darshan.diora@infrasofttech.com> wrote in message news:O1cBfws$JHA.4692@TK2MSFTNGP02.phx.gbl...
> Hi,
> We have a Server 2003 network (2 Domain Controllers, 5 member servers, and
> about 100 Windows XP SP3 clients). Of late we have noticed that the
> random user would get into a lockout problem, i.e. all of a sudden their
> account gets locked out. However, they do not get notified for any password
> expiration or so. it happens again. It occurs while they are already logged
> ie: the Internet Explorer starts looking for authentication done anything to
> lock it out (ie: they haven't put in a bad password three times in
> succession). We unlock their account and it worked fine for some time and
> again it might be locked out.
>
>
>
> Best Regards,
> DD.
>
>


Do you have account auditing enabled? If so, you can determine which machine, app/service or IP it is coming from.

Is there a scheduled task running using the account?

How about a service that may be using the account? Dump your service account credentials with the following batch file on the DCs or any other machine that you suspect a service is using the account name in question. Save it as service.bat, or whatever you like to call it, and run it.

---
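@echo off
REM List the logon account (ObjectName) configured for every service on this machine.
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s | find /i "objectname" >services.txt
REM Open the result for review.
notepad services.txt
exit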
---

You can also try the following tools (EventCombMT & LockOutStatus.exe) to help pinpoint it. There's a tool in there called LockoutStatus.exe

Download details: Account Lockout and Management Tools, Apr 22, 2003 ... EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location. LockoutStatus.exe. ...
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

How to use the EventCombMT utility to search event logs for ... This article describes how to use the EventCombMT utility (EventCombmt.exe) to search the event logs of multiple computers for account lockouts.
http://support.microsoft.com/kb/824209

EventCombMT.exe - A Good Tool To Collect Event Logs
http://msmvps.com/blogs/nuoyan/archive/2005/11/04/74367.aspx


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Re: Win 2003 ADS users get locked out [message #157361 is a reply to message #157348] Tue, 07 July 2009 03:48
markdmac (United States)
I've often seen this happen when a user is logged on to a computer or
terminal session somewhere and forgets they are logged in. They later
change their password and the old session occasionally tries to
authenticate with the old credentials and it causes the lockout status.
Re: Win 2003 ADS users get locked out [message #157368 is a reply to message #157349] Tue, 07 July 2009 04:40
DD (India)
Hi,
I have checked the event log, it shows as follows of the users whose account
is locked out.
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: umesh.desai

Source Workstation: ITL731

Error Code: 0xC0000234


Best Regards,
DD
> Check with lockout tools for starting:
> http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
>
> http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>
> Also check your systems for virus like conficker, which can also result in
> lockouts:
> http://support.microsoft.com/kb/962007
>
> http://technet.microsoft.com/en-us/security/dd452420.aspx
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Hi,
>> We have a Server 2003 network (2 Domain Controllers, 5 member servers,
>> and
>> about 100 Windows XP SP3 clients). Of late we have noticed that the
>> random user would get into a lockout problem, i.e. all of a sudden
>> their
>> account gets locked out. However, they do not get notified for any
>> password
>> expiration or so. it happens again. It occurs while they are already
>> logged
>> ie: the Internet Explorer starts looking for authentication done
>> anything to
>> lock it out (ie: they haven't put in a bad password three times in
>> succession). We unlock their account and it worked fine for some time
>> and
>> again it might be locked out.
>> Best Regards,
>> DD.
>
>
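
Added example, not part of the thread and not any poster's code: the fields DD posted can be tallied to separate the wrong-password attempts that cause a lockout (0xC000006A) from attempts made after the account is already locked (0xC0000234, the code shown above). The record layout follows the post; the sample records and the account and workstation names are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# NTSTATUS values that appear in the "Error Code" field of failed logon events.
NTSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}
FIELD = re.compile(
    r"^[ \t]*(Logon account|Source Workstation|Error Code):[ \t]*(\S+)", re.I | re.M)

def parse_events(text):
    """Yield (account, workstation, status) per record in exported event text."""
    record = {}
    for name, value in FIELD.findall(text):
        record[name.lower()] = value
        if name.lower() == "error code":  # last field closes the record
            yield (record.get("logon account", "?").lower(),
                   record.get("source workstation", "?").upper(),
                   int(value, 16))
            record = {}

def bad_password_sources(text):
    """Map account -> Counter of workstations that sent wrong passwords.

    0xC000006A marks a wrong password, the failure that leads to a lockout;
    0xC0000234 records are attempts made once the account is already locked.
    """
    sources = defaultdict(Counter)
    for account, workstation, status in parse_events(text):
        if status == 0xC000006A:
            sources[account][workstation] += 1
    return dict(sources)

def describe(status):
    return NTSTATUS.get(status, "unknown status 0x%08X" % status)

# Constructed sample records (names are placeholders, not from the thread).
RECORD = ("Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
          "Logon account: user.one\n\nSource Workstation: %s\n\nError Code: %s\n\n")
SAMPLE = "".join(RECORD % pair for pair in [
    ("TS-B", "0xC000006A"), ("wks-a", "0xC000006A"),
    ("TS-B", "0xC000006A"), ("WKS-A", "0xC0000234")])

if __name__ == "__main__":
    for account, hosts in bad_password_sources(SAMPLE).items():
        print(account, hosts.most_common())
```

The workstation with the highest wrong-password count is the first place to look for a stale session, service or scheduled task.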
Re: Win 2003 ADS users get locked out [message #157371 is a reply to message #157361] Tue, 07 July 2009 04:45
DD (India)
Hi,
I have enabled the directory service access but it does not show any logs.

Best Regards,
DD
"
news:eXdNfdt$JHA.4432@TK2MSFTNGP05.phx.gbl...
> I've often seen this happen when a user is logged on to a computer or
> terminal session somewhere and forget they are logged in. They later
> change their password and the old session occasionally tries to
> authenticate with the old credentials and it causes the lockout status.
Re: Win 2003 ADS users get locked out [message #157387 is a reply to message #157348] Tue, 07 July 2009 08:15
pbbergs (United States)
I have a little tutorial on how to troubleshoot lockout problems at:

http://www.pbbergs.com/windows/articles.htm

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"DD" <darshan.diora@infrasofttech.com> wrote in message
news:O1cBfws$JHA.4692@TK2MSFTNGP02.phx.gbl...
> Hi,
> We have a Server 2003 network (2 Domain Controllers, 5 member servers, and
> about 100 Windows XP SP3 clients). Of late we have noticed that the
> random user would get into a lockout problem, i.e. all of a sudden their
> account gets locked out. However, they do not get notified for any
> password expiration or so. it happens again. It occurs while they are
> already logged ie: the Internet Explorer starts looking for authentication
> done anything to lock it out (ie: they haven't put in a bad password three
> times in succession). We unlock their account and it worked fine for
> some time and again it might be locked out.
>
>
>
> Best Regards,
> DD.
>
Re: Win 2003 ADS users get locked out [message #157426 is a reply to message #157371] Tue, 07 July 2009 11:17
aceman (United States)
"DD" <darshan.diora@infrasofttech.com> wrote in message news:Ot1lG4t$JHA.4984@TK2MSFTNGP05.phx.gbl...
> Hi,
> I have enabled the directory service access but it does not show any logs.

Did you enable Account Logon attempts? They will show up in the security logs.

Ace
Re: Win 2003 ADS users get locked out [message #157427 is a reply to message #157387] Tue, 07 July 2009 11:24
aceman (United States)
"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message news:%237%23RyHx$JHA.5092@TK2MSFTNGP03.phx.gbl...
> I have a little tutorial on how to troubleshoot lockout problems at:
>
> http://www.pbbergs.com/windows/articles.htm
>

That's a good suggestion in your blog about using Netlogon debug flag!

Ace