
Help: my domain accounts are getting LOCKED every few seconds


notShai (IS-IT--Management, US), May 16, 2006
--my accounts are getting LOCKED every few seconds--

I have two 2003 domain servers, one primary and the other not.

Earlier today I was asked to apply, for the second time (the first time wasn't successful, the policy only worked on local accounts etc.), an account lockout policy and a password complexity policy. I used the Domain Security Policy and the Domain Controller Security Policy (I wasn't sure which one would apply to the domain; yes, it isn't so clear to me).

Soon after, my SQL server (using Windows auth) jobs started failing and users called in to complain. This is a few hours later and I still can't reset everything.

I think the domain user DB has gone corrupt? I changed the domain and controller policies back to none / disabled etc. and it is still locking (ACCOUNT LOCKED is checked) my users with high frequency. I also tried "do not inherit" in the domain global settings; that didn't help.

I wrote a quick bat file to unlock the primary SQL users so the jobs keep running (net user userloginname /active:yes), but the domain admin in charge of running the scheduled tasks also gets locked. It's a mess.

Any advice can help.

I don't know how to use VBS etc. but am willing to do anything to fix this.
 
There can only be a single password policy in an Active Directory domain. For the policy to work it has to be linked to the root of the domain. If you are going to define this policy using the default policies setup for the domain, then you would only configure the 'Default Domain Policy'. However, Microsoft does not recommend editing these default policies as disastrous events can happen if not edited properly (as you are now aware). Rather, they recommend creating a new GPO and linking it to the root container for the domain and setting a higher priority if you need to configure settings different than the default. Make sure the settings you changed are properly changed back to the way they were or to their defaults before this issue happened. Below will be some links to valuable information that describe the default settings for these policies and best practices for configuring the settings you are wanting to do.

The following link provides the default values for the 'Default Domain Policy' and the 'Default Domain Controller Policy'. Compare your settings to the values listed in the article.

- Account Policy Settings

Here are some links to informative articles on properly configuring the settings you are after.

(The first article below shows the old way of configuring Group Policy using 'ADUC'. I assume you are using 'GPMC' to accomplish this task.)

- Enforcing Strong Password Usage Throughout Your Organization

- Implementing and Troubleshooting Account Lockout

Joey
CCNA, MCSA 2003, MCP, A+, Network+, CWTS
 
If I remember, the Conficker virus sometimes causes these issues.
Are you clean? :)
 
[Hi, good thought about Conficker, but no...
we actually had Conficker in the past and it's all flushed now.]

Joey - thank you very much. Restoring everything to the MS defaults per that link and also per the DC security policy MMC seems to have fixed the issue. At least it has been almost an hour and no account locks have happened.

Based on that I am guessing the changes I made to that policy must have looped into each other somehow and caused the locking.

My next task is to figure out how to implement the required security policy: 8-character passwords, a complexity level, and the biggest problem, a 15-minute idle account lockout.

The issue with that is that I need some domain accounts which run some services and jobs to never lock. Do I need to create a new group policy, enter the entire domain's accounts into it and exclude only the accounts I want to not be affected? Is that even possible? (I don't know HOW to exclude.)

thank you again :)
 
notShai,

Are you seriously wanting to lock out idle accounts??? This would have the effect that you experienced earlier. Did you want the screen saver to kick in after 15 minutes instead?

John
 
As was mentioned earlier, you can have only 1 password policy in a 2003 forest. That's been changed in 2008.

Also as mentioned, create a new GPO, and set the required settings, and link it to the root. Set your service accounts to never expire.

As Titleist mentions, I wouldn't recommend locking out idle accounts (just because I'm away from my desk doesn't mean I should get locked out). Setting up the old screensaver method of logging them off might work.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
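Added here as a worked example, not code from the thread or from any of its posters: a PowerShell script that (1) prints the effective domain password/lockout policy so it can be checked against the defaults Joey pointed to, (2) reads the PDC emulator's security log to show which accounts were locked out in the last hour and from which computer, and (3) unlocks only a named list of service accounts so the SQL jobs and scheduled tasks keep running while the cause is tracked down, as Pat suggests. It assumes the ActiveDirectory PowerShell module (RSAT or Windows Server 2008 R2 and later; the 2003 servers in the thread do not have it), the 2008+ lockout event ID 4740 (2003 logs ID 644 instead), and the constructed account names svc_sql and svc_sqlagent.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (RSAT / Server 2008 R2+); the 2003 servers in the thread lack it.
Import-Module ActiveDirectory

# Constructed names for the accounts that run SQL jobs and scheduled tasks.
$serviceAccounts = @('svc_sql', 'svc_sqlagent')

# 1. Show the effective domain policy so it can be compared with the intended
#    values (8-character minimum, complexity on, a sane lockout threshold).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold,
                  LockoutDuration, LockoutObservationWindow |
    Format-List

# 2. Every lockout is recorded on the PDC emulator (event ID 4740 on 2008+;
#    2003 logs ID 644 instead). TargetDomainName holds the calling computer,
#    which is where the stale credential lives.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $data['TargetUserName']
            Caller  = $data['TargetDomainName']
        }
    }

# The same account locked repeatedly from one machine usually means a
# service, scheduled task or mapped drive there still uses the old password.
$lockouts | Group-Object Account, Caller | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Unlock only the listed service accounts; ordinary users still go through
#    the helpdesk/ADUC route, so the lockout threshold keeps its meaning.
Search-ADAccount -LockedOut |
    Where-Object { $serviceAccounts -contains $_.SamAccountName } |
    ForEach-Object {
        Unlock-ADAccount -Identity $_.SamAccountName
        Write-Output "Unlocked $($_.SamAccountName)"
    }
```

Run it from a domain-joined admin workstation with rights to read the PDC emulator's Security log; an account that keeps reappearing in the 4740 summary after it has been unlocked has not been fixed, only reset.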
 
I see, I think I confused the lock account policy with the screen saver password rule.

Is that local setting (screen saver password) manageable via the domain (GPO)?
Or perhaps can it be scripted for a push to all workstations?

What's an acceptable procedure for when a user forgets her password when her workstation locks up? Can an admin push an unlock command? Or does the admin need to open a remote session (VNC etc.) to unlock the user / reset the password?
 
notShai,

The screen saver timeout can be controlled through a GPO. We have ours set at the domain level (a new policy, not the Default Domain Policy). It's found at User Config\Admin Templates\Control Panel\Display.

To answer the second part of your question, the user account not the workstation gets locked out and usually a quick call to the Helpdesk can have the account unlocked (using ADUC).

John
 