Frequent Account Lockouts

[djones2002]

Howdy.

We have a mixed bag on our stuff here (mostly 98 clients, with some 2k Pro SP4 thrown in). We have four Win2k Server SP4 servers, 3 of which participate in AD, with the other being a Terminal Server. About 3 weeks ago I set the Account Lockout Policy for the domain to the standard 3 attempts, etc; About 2 weeks ago I did a walk-around and updated the Win98 machines with a new DWORD in HKLM\Network\Logon called "MustBeValidated", with a default value of 1. For about a week now many people have been getting locked out of their accounts. The strange part is that someone might not even be trying to login, and their accounts get locked. Very strange.

We do also have a Netware 4.2 server in house that is functioning as a data server...wondering if the Service for Netware could be causing this problem. I don't believe it's the Novell server, but I just wanted to mention it.

Also, nobody on a Win2k box is having a problem.

Thanks for any info.

Dennis Jones

 

[markdmac]

I have seen this problem LOADS of times. Each time it was a problem with someone being logged onto more than one machien. They stay logged onto one computer. Forget they are logged in and go to another PC. They then change their password ont he second box. The first machien tries to authenticate against the DC about 4 times a day and as such passes the old password to the DC which of course locks out the user.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[mlichstein]

You mentioned that you are using the "standard" three attempts.

I dont know where people have gotten this standard, but it isn't Microsoft. The old recommendation that I would tell customer is a minimum of 10 attempts.

However, the latest recommendation is 50 attempts.

http://www.microsoft.com/technet/security/guidance/secmod61.mspx#XSLTsection131121120120

 

[GlenJohnson]

I believe the "standard 3 tries" comes from Novell. This is what I've seen on all Novell servers I've seen. Did this just start after updating the w98 machines, or did it start sooner? Good luck.

Glen A. Johnson
"Give the laziest man the hardest job and he'll find the easiest way to do it."

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884

 

[djones2002]

The default in the Account Lockout threshold policy object is 3, no? I seem to remember clicking on "Define this Policy" and seeing it pop in there. I can't imagine why Microsoft or anyone would think 50 is a good threshold, as it would seem to me to make password guessing that much easier for an attacker.

Thanks for the info.

 

[GlenJohnson]

This is an exert from MS. The full site is

http://www.microsoft.com/technet/tr...ndowsserver2003/maintain/operate/BPACTLCK.asp

How Domain Controllers Verify Passwords


The client computer presents the user logon information to a domain controller. This includes the users account name and a cryptographic hash of their password. This information can be sent to any domain controller and is typically sent to the domain controller that is identified as the closest domain controller to the client computer.
When a domain controller detects that an authentication attempt did not work and a condition of STATUS_WRONG_PASSWORD, STATUS_PASSWORD_EXPIRED, STATUS_PASSWORD_MUST_CHANGE, or STATUS_ACCOUNT_LOCKED_OUT is returned, the domain controller forwards the authentication attempt to the primary domain controller (PDC) emulator operations master. Essentially, the domain controller queries the PDC to authoritatively determine if the password is current. The domain controller queries the PDC for this information because the domain controller may not have the most current password for the user but, by design, the PDC emulator operations master always has the most current password.
The authentication request is retried by the PDC emulator operations master to verify that the password is correct. If the PDC emulator operations master rejects the bad password, the PDC emulator operations master increments the badPwdCount attribute for that user object. The PDC is the authority on the user's password validity.
The failed logon result information is sent by the PDC emulator operations master to the authenticating domain controller.
The authenticating domain controller also increments its copy of the badPwdCount attribute for the user object.
The authenticating domain controller then sends a response to the client computer that notifies the domain controller that the logon attempt did not work.
As long as that user, program, or service continues to send incorrect credentials to the authenticating domain controller, logon attempts that failed because of an incorrect password continue to be forwarded to the PDC until the threshold value for incorrect logon attempts is reached (if you set it in a policy). When this occurs, the account is locked out.

For more information, see "How the Bad Password Count Is Incremented in Windows NT" in the Microsoft Knowledge Base.



Glen A. Johnson
"Give the laziest man the hardest job and he'll find the easiest way to do it."

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884

 

[mlichstein]

^^
This is why, if you must use an account lockout policy, you should run SP4 or higher on all DCs, and turn on password history.

Password history will remember previously used passwords. If a user tries to logon with an old password, the DC will check the password history. If the password is in the history, it will deny access, but it will not increment the badPwdCount.

 

[djones2002]

Howdy Folks.

Thanks for the answers. I really appreciate them.

I apologize...I didn't mention something very important. We do not allow users to change their passwords, and we do not expire them (we force a change manually...not dealing with too many people). So, I think we can rule out them changing their PWs on different machines.

Thanks again for the info.

DJ