
NT Account Lockouts


piaknow

MIS
Dec 27, 2001
Hello,
I am challenging someone out there to give me a concrete answer on this problem (NT 4 SP6). Since implementing a new login security policy we have been getting account lockouts on too many users. Something is going on other than just user error typing passwords, etc.
Our Guru has told me that this is happening because the local BDCs have not synched up with the PDC (SAM synch). We have many BDCs throughout the state. OK, that seems likely, but how is it that when a user calls me with an account lockout and I unlock the account, the change is done immediately and they can log in? Doesn't that constitute a synch with the PDC right at that point? Yet they call me back with another lockout. Thanks in advance for input. Piaknow
 
I'm no help for you right now, and I'm having the same problem, but I'll let you know as soon as I find out how to fix this one.
 
Does Event ID: 644 show up in the Security logs on the PDC?
 
Hello Killman:
No, we don't use SMS. As for the security logs, I don't have easy access to them, but aren't 644 errors just Account Lockouts? If so, I would expect to see many, as we experience many lockouts.

Thanks,
Piaknow
 
Yes, this would tell you whether the lockouts are actually users messing up or whether there is something else wrong. I wouldn't be surprised by the number of lockouts you get after recently implementing a policy that hasn't always been in place. I set up a policy at a company that had never had any security policies before, and there were several months of users getting locked out until the calls died down. Users have a hard time with security policies put in place after the fact; they get used to a certain way of doing things, then bam, they actually need to remember a password (Post-its stuck to their monitors).
The key is the event log; if set up, it will show that users are trying to log in several times before lockout. There are issues with account lockout, especially in mixed NT/2000 domains.
 
Killman,
Thanks for the input. Do the security logs need to be enabled on the local BDCs (since they do the authentication) or on the PDC?
Also, as part of this new policy we pushed, we have a screensaver that kicks off automatically when a user has had no activity on the PC for 17 minutes (it then locks the PC). I have a large percentage of these workstation locks where users call me and say they can't unlock their PC. I have to unlock their account and sometimes even need to reboot, and then it seems to be OK.
Thanks,
Piaknow
 
This event will show up on all DCs. Their accounts will also lock out if they use the wrong passwords when unlocking screensavers. Was there notification to the users, with a tutorial, when these changes were made? I find that a little user training helps reduce the calls.
 
If your "guru" is right about the BDCs not synching with your PDC, then you'll receive some NETLOGON errors on your PDC.
Event ID: 5712
Or an error like this.

You'll need to get access to your security logs in order to give yourself peace of mind. Listen to Killman about the details in the logs.

My opinion... new security policy... users are not remembering their passwords. I've had some users that never turn their machine off or reboot, simply so they don't have to log on. Weird, eh? Users can be pretty strange.
 
You may also try looking at mapped shares. Users may connect to shares using another account.
 
Gensan,
We have a lot of users with mapped shares and login scripts.
I'm afraid I don't understand how this could result in locked accounts. Could you elaborate?
Also, if anyone can give me an answer to the question in my first post, whether unlocking the account constitutes a synch, I would appreciate it.

Thanks in advance
 
If you change a user's password, and then that user can use that password within 5 minutes or so, then it is NOT a synch problem. Check my post, and then follow the link. The Microsoft site will tell you what to look for in the event viewer if you are having synch problems.

Mapped drives could have an effect if a user was trying to access other network shares using someone else's user name. This would indicate malicious activity on your network.

We need to see a fail entry from the security log on the PDC or BDC. Could you post that? I know you said you don't have access, but it would still be helpful.
 
I too am experiencing similar issues. What client OS are you running? If you are using Win9x clients, then Microsoft KB article Q271496 contains information that may be useful in this scenario. I also have a hotfix related to this article, which I will forward to you if you wish to post your address.
 
I am not sure if you received a resolution to this problem yet, but I had a similar problem today, and it appeared to be someone from the outside trying to get into our Exchange server. It almost looks like somehow they got our user list, because of the sequence in which they tried to log on: each user name was locked out after 3 attempts, one right after the other. Let me know if you received any answers to this; right now I am investigating. Thanks.
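One way to triage the Event ID 644 entries Killman asks for, and to tell the forgotten-password case from the sequential pattern the last poster saw, as an added example that is not from this thread: it assumes a constructed, simplified record format (timestamp|event id|account|caller machine), made-up account and machine names, and a hypothetical one-minute burst window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 644 (account lockout) records in a simplified
# "timestamp|event_id|account|caller_machine" form. Names are made up;
# real NT 4 security log entries carry more fields than this.
SAMPLE_LOG = """\
2001-12-27 08:01:10|644|jsmith|WS-ACCT-12
2001-12-27 08:31:55|644|jsmith|WS-ACCT-12
2001-12-27 09:14:02|644|mjones|WS-SALES-03
2001-12-27 23:40:01|644|aadams|EXCH-FRONTEND
2001-12-27 23:40:04|644|bbaker|EXCH-FRONTEND
2001-12-27 23:40:07|644|cclark|EXCH-FRONTEND
2001-12-27 23:40:10|644|ddavis|EXCH-FRONTEND
"""


def parse_lockouts(text):
    """Return sorted (timestamp, account, caller) tuples for every 644 record."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, caller = line.split("|")
        if event_id == "644":
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account, caller))
    return sorted(events)


def classify_sources(events, window=timedelta(minutes=1), min_accounts=3):
    """Group lockouts by the machine that caused them.

    One machine locking out several *different* accounts inside `window`
    matches the scripted sequence described in the thread; the same account
    locked out repeatedly from one workstation matches a user retyping an
    old password (or an unlock-screensaver retry). `window` and
    `min_accounts` are assumed thresholds, not NT defaults.
    """
    by_caller = defaultdict(list)
    for ts, account, caller in events:
        by_caller[caller].append((ts, account))
    verdict = {}
    for caller, items in by_caller.items():
        accounts = {account for _, account in items}
        span = items[-1][0] - items[0][0]
        if len(accounts) >= min_accounts and span <= window:
            verdict[caller] = "burst-many-accounts"
        elif len(items) > 1 and len(accounts) == 1:
            verdict[caller] = "repeat-same-account"
        else:
            verdict[caller] = "single"
    return verdict
```

Run over a real export, the "burst-many-accounts" callers are the ones worth pulling the full failure-audit entries for, while "repeat-same-account" callers are the likely forgotten-password calls.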
 