
Domain users Accounts Locked


dineshparikh

Technical User
Aug 28, 2002
53
GB
Hi all,

For the last seven or eight days my domain user accounts have started getting locked now and then. The only thing I have changed in the policy is that I set Account lockout after 3 bad logons; earlier it was blank.

After that, some of my domain users say that although they are logging on for the first time that day, they find their account locked. I am just wondering what could be wrong?

My account policy settings are as below:

· Maximum Password Age set to 30 Days
· Minimum Password Length set to 6 Characters
· Account Lockout after 3 bad logon attempts.
· Reset Count After 21600 minutes
· Minimum Password Age Changes in 1 days.
· Password Uniqueness should be set to 12
· Lockout Duration set Forever (until Admin unlocks).

I am running login scripts for drive mapping.

Rgds,
Dinesh

 
Isn't 21600 minutes (360 hours) a bit extreme?
Are you sure that isn't why they are being locked out?

Usually that is set to something like 30 minutes...
MCSE NT4/W2K
 
I would change the lockout time to about 15 or 20 minutes.
Not sure how it is in your organization but in ours
we have users that use different computers. I would
make sure they understand they have to put their
username in and make sure caps lock is off. I have
seen users lock other peoples accounts because they
didn't change the username.


Larry
 
Account lockout reset should actually be 1440 (24hrs).
I am also experiencing similar issues, with Win9x clients logging onto an NT4.0 domain. Check out the following KB article on MS site Q271496.
 
If you have a password change policy as well, and a user has changed their password lately, and you have something like McAfee which uses the user's domain account as a server starter, whenever that server attempts a restart with that account and fails, it'll lock the account.

I'd start looking at Services as the culprit.
Alshrim
System Administrator
MCSE, MCP+Internet
 
It will affect the admin password too. Yup.
Alshrim
System Administrator
MCSE, MCP+Internet
 
I get this a lot in my locale, and 100% of the time, thus far anyway, it has been caused by a user who is logged onto one machine (usually in the lab, or at another user's desk) who then changes their password on another (usually their own machine). Most denied they were logged on elsewhere, but eventually we found it ;-)

Good luck.
 
The admin account (where it is still called that!) would normally have the setting "password never expires" enabled.
In my case, our users do not multiposition themselves at different machines, so that rules out that solution. Microsoft do not seem to have a lot of information on this problem on their website. Has anyone else found this?
 
Again, like I was saying, applications that people install that require a service account, and that by default use the user's account, could cause this problem.

I always suggest checking this, and setting the service to start with the System Account.
Alshrim
System Administrator
MCSE, MCP+Internet
 
I don't think I've ever seen an application use the user's UN to start a service by default. That needs to be specified by the user directly.
In order to do what you're saying, the application in question would need to be able to read windows passwords without user intervention.

What applications have you seen that do this?
 
McAfee Antivirus is such an application.
Alshrim
System Administrator
MCSE, MCP+Internet
 
LOL
Alshrim
System Administrator
MCSE, MCP+Internet
 
I was just going to mention McAfee as well.

I inherited a network a few years ago and had problems with people's accounts getting locked mysteriously.

It turned out that when McAfee was originally installed, it was told to use the local user's account and password. The password naturally changed a few months down the road, but McAfee didn't realize that.

McAfee would repeatedly try to start and fail due to invalid logins and cause user accounts to lock out.

Fortunately I had the workstations redone and set up centralized AV management.
 
Dineshparikh,

I am very interested in any info on this problem. I have read the responses listed above and none of these scenarios applies to my network's account lockout problem. Not McAfee, multiple logins, etc. Our problems started like yours after enabling account lockouts after 3 (ours 5) bad login attempts. I believe and know my users who say that they can just walk in in the morn and attempt to log in with just one attempt and get locked out. Maybe some software bug with the number of attempts before locking out field?
I have asked for help on this problem from this and other tech sites and to this point I have NO concrete answer.
Is there anyone out there who can add something to this mystery?

Thanks,
Piaknow
 
Check your event viewer security tab for auth failures. Could be someone is trying to hack accounts.
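
The Security-log check suggested above, as an added example that is not part of the original thread: it groups failed logons by source machine to tell apart the causes raised in this discussion (a service retrying a stale password, ordinary typos, or one machine trying many accounts). The export layout, host and account names, and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample export (not from the thread): time, event ID, account, source.
# 529 = failed logon (bad user name or password) and 644 = account locked out
# on NT4/2000; later Windows versions log these as 4625 and 4740.
SAMPLE = """\
2002-09-02 07:00:05,529,jsmith,WS014
2002-09-02 07:10:05,529,jsmith,WS014
2002-09-02 07:20:05,529,jsmith,WS014
2002-09-02 07:20:05,644,jsmith,WS014
2002-09-02 08:31:10,529,akhan,LAB03
2002-09-02 08:31:19,529,bjones,LAB03
2002-09-02 08:31:27,529,cwong,LAB03
2002-09-02 09:02:11,529,mbrown,WS022
"""
FAILED, LOCKED = 529, 644

def parse(text):
    for line in text.strip().splitlines():
        ts, eid, account, source = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, source

def triage(text, many_accounts=3, jitter_seconds=5):
    """Return ({source: verdict}, set of locked accounts)."""
    failures = defaultdict(lambda: defaultdict(list))  # source -> account -> times
    locked = set()
    for ts, eid, account, source in parse(text):
        if eid == FAILED:
            failures[source][account].append(ts)
        elif eid == LOCKED:
            locked.add(account)
    verdicts = {}
    for source, accounts in failures.items():
        if len(accounts) >= many_accounts:
            # One machine failing against many accounts: guessing, not typos.
            verdicts[source] = "possible password guessing"
            continue
        verdicts[source] = "isolated failures"
        for times in accounts.values():
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            # Evenly spaced retries point at a service or script, not a person.
            if len(gaps) >= 2 and pstdev(gaps) <= jitter_seconds:
                verdicts[source] = "stale service or script credential"
    return verdicts, locked

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Failed-logon events only appear if logon auditing for failures is enabled on the domain controllers.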
 
If you are in a mixed mode environment, 2K and NT4, with Active Directory, you can get the error message that the account is locked out; when you check the account you will find that the account itself is NOT locked out. This is a computer password issue, not a user password issue. Every 30 days (by default) the password for the system (computer) is changed, and NT is not good at synchronizing the password change with 2K.
 
Hi,

I would have to agree with Piaknow. Set account lockout to 5 attempts. My network also had McAfee but we used a repository server and therefore never had any problems with McAfee. I am a believer in McAfee but not Norton. If you get McAfee working on a repository server, the rest is history and it works like a charm.

What about DC replication? Maybe it's too slow to replicate the account change? Maybe you are making a change to an account on a DC but it's taking too long to replicate to the other DCs. Always force synchronisation on your PDC when making account password changes. You can test this on a test user account.

GRW78
MCP(W2K) MCSA(W2K)
 
We seem to be having the same problem here: accounts get locked out, sometimes when they are in session (suddenly getting a prompt for a password when trying to print, or suddenly can't save a file to the home drive).

NT4 domain, 2 DCs - sync'ing regularly with no errors. 1 Windows 2000 member server (file server, intranet). Happens to both Win98 and Win2K users, but only a handful of users get bit. Some of them several times each day. No pattern...

Any clues/suggestions/ideas/magic?

thanks
 