
user constantly locked out


brettums

IS-IT--Management
Dec 27, 2000
121
US
A user on my network constantly gets locked out for no apparent reason. I'm using 5 timeout tries if a user does not know their password. However, this user puts in their password once, and then bang, they are immediately locked out. What do you suggest I do about this?

Please advise

thanks
-Brett
 
One more thing that is happening at random, a user tries to login and gets No Domain Avail. their account is not locked and I found if they let it sit at the logon box for at least 4 minutes they gain access! This happens at anytime of the day...
 
That sounds strange. Is the machine dogging on other things, like starting apps, etc.? With the recent bouts with worms I have seen issues like this. Also check your local policies. As for this problem, still getting the best of me. I recreated the local problem child's profile yesterday but it didn't fix the issue. Everything in my mind says this is user object related (then in turn with local cached credential info) so I guess I go there next. I actually saw the account lock itself out (while I had a remote desktop from the problem child to the local DC) and didn't do a thing....almost like this mess is being replicated to me....the DC is W2k/SP3 which is not supposed to have this issue.....I have a clue this morning with this local person though....from a powered off machine, she was able to login (OK, account should be cool) but then when she opened Outlook (which is not available offline or syncing) she got prompted for a password. I find this strange because the profile is set up to use Password Authentication (pump the logged on credentials) which should have been right....then of course I find the thing locked....I am going crazy with hypothetical crap....any idea is greatly appreciated....thanks,T
 
I'm pretty sure, at least in my case, the problem is/was Exchange related.
Anyways, users were getting locked out so I started looking at all the events on the servers to see what I could find. I had been reorganizing Exchange and had moved the Exchange Domain Servers and Enterprise Domain Servers out of the Users OU in Active Directory. (Didn't know they have to stay there.)
My Exchange server was also giving me some error (can't remember the no. now) that it didn't have access to our domain. So, and I don't know if this was the best action... using ADSI Edit I gave my Exchange server full control over the domain.
Errors went away, no lockouts anymore.
 
 
Sorry for the double post. I just had a situation where the user object was locked out and when I called the user to see what type of issues or messages they received, she said she has been fine on mail and file systems....I unlocked it anyway...but how strange is that?
 
I am a network admin that has the same problem. My account is the one locking out, and I do think it is something to do with the old passwords, and something I use holding that password for access to the network. And every time it does, it locks me out. But, because I have admin rights, it doesn't affect me until I need to log in from startup.

We run a Win2003 server with AD, and exchange 2003, so, to those thinking an upgrade to AD will help, guess again. The account lockout still happens, and I'm proof of that fact. So if anyone has questions about this, let me know.

I haven't solved the error yet, but I believe I am getting close. As an idea, check the local services on the machine the user is logged onto, and check the SYSTEM event viewer also, to see if there are any troubles there. Also, those interested in Exchange 2003, it merges with your accounts in Active Directory, and your users are the mailboxes.
 
Here's some info that may help. I narrowed it down to the local cached credentials not being updated properly after a password expiration...and once it happens it didn't matter if you reset the password or not. I suppose this can be caused by a number of things. NUMERO UNO check to make sure that there aren't any other machines that are using the credentials...One of my local people turned out to be this. My other issues were with users that are remote. They connect and authenticate via a variety of methods and network entry points. They are replicating their home directories (redirecting My Docs and synchronizing to make sure that their data is being backed up). I had to physically connect to our LAN in order to force an "active" auth on a DC before it would update. Although, on another I ended up building a whole new profile locally. Either way it turned out to be local profile related. Background stuff like mapped drives, printers, replication schedules, Outlook replication, even proxy network access should be checked out. You can get pretty deep here (since MS is so intertwined) but there are lockout tools available from Microsoft. Sorry I don't have the URL....A workaround was to build a local UID that had the same username and password so MS password auth would work but with a different domain....those remote users then did not lock out constantly while using the local profile. I am not sure I am out of the woods yet but if I can think of something else I'll post it here...good luck
 
We are also having this problem, but when looking at the properties of the user in AD, we noticed that it had last been modified at 6:30 a.m. The user is not at work at that time, neither is the NA or myself. Have any of you had a similar experience with that, and also, did creating a new local profile take care of the problem?
 
Yes, I did notice the mod date at a weird time. I believe it is related to when the Active Directory sync completed. This led me to believe that other DC(s) were replicating the locked-out state back but in the end....Yes, creating the new profile and getting an "active" sync done did the trick...i.e. on the LAN OR one done when the user can actually touch a DC (not using cached credentials)...If you are using VPN or firewalls make sure that the Kerberos ports (TCP 88 and UDP 88) are enabled inbound and outbound in addition to the other standard NBT ports....AD uses this to auth. Are your users remote?
 
Ok so the last half of November my users were getting in fine, no locks... Dec. 1st BAM but this time it's strictly No Domain Avail... no account locks! I still find if I let them sit at the logon screen for 5 minutes they can get in...
Dear Santa,
All I want for Christmas is for my users to stop calling me with I CAN'T GET IN AGAIN! *followed by a long frustrated sigh* So please send over your best networking elf to fix this or I'm leaving stale cookies and rotten milk for you this year!
Thank you...
oh and my daughter wants a talking Elmo...
 
As others have said - turning on auditing is critical to tracking down lockout problems. Make sure all your DCs have it turned on, wait for a lockout to happen and check the security logs on each DC (the lockout will show in the DC that authenticated it); from there you can trace the source machine of the lockouts. Once you know the source it's a lot easier to investigate it.

Terminal service disconnects is a classic one (in which case the source in the security logs will be the terminal server not the client machine) - educate your users to log off not disconnect.

The other problem we have with lockouts comes from Outlook - it seems to cache the password so if you change your password and don't reboot then Outlook still tries to use the old password and you get locked out, we tell our users to reboot straight after they change their passwords (although a lot still forget...).

Apart from that the only lockouts I've experienced have come from multiple logins, running services as a specific user and backup jobs with security info of a user in them.
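The tracing step Nick describes (collect lockout events from every DC's security log, then work back to the machine that sent the bad passwords) is mechanical enough to script. The following is an added example, not code from the thread; it runs over a constructed tab-separated export of the relevant fields merged from three hypothetical DCs, and the event IDs it keys on (644/529 on NT 4, 2000 and 2003; 4740/4625 on later versions) come from general Windows knowledge rather than from this thread. The column names and the 30-minute correlation window are assumptions of the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Security event IDs used by the example (general Windows knowledge, not from
# the thread): 644 / 529 are the NT 4 / 2000 / 2003 IDs, 4740 / 4625 the
# equivalents on Vista and later.
LOCKOUT_IDS = {644, 4740}        # "User Account Locked Out"
FAILED_LOGON_IDS = {529, 4625}   # logon failure: unknown user name or bad password

# Constructed sample: the fields we need, merged from the security logs of
# three hypothetical DCs. A real Event Viewer export carries more columns;
# "caller_computer" is the workstation name the lockout/failure event records.
SAMPLE_EXPORT = """\
dc\tevent_id\ttime\tuser\tcaller_computer
DC1\t529\t2003-12-11 08:01:10\tbsmith\tTS01
DC2\t529\t2003-12-11 08:01:12\tbsmith\tTS01
DC1\t529\t2003-12-11 08:01:15\tbsmith\tTS01
DC1\t529\t2003-12-11 08:01:17\tbsmith\tTS01
DC2\t529\t2003-12-11 08:01:20\tbsmith\tTS01
DC1\t644\t2003-12-11 08:01:21\tbsmith\tTS01
DC3\t529\t2003-12-11 09:30:01\tjdoe\tWS-OLD-PC
DC3\t529\t2003-12-11 09:30:02\tjdoe\tWS-OLD-PC
DC3\t529\t2003-12-11 09:30:04\tjdoe\tWS-OLD-PC
DC3\t644\t2003-12-11 09:30:05\tjdoe\tWS-OLD-PC
DC1\t528\t2003-12-11 09:45:00\tjdoe\tWS-NEW-PC
"""


def parse_export(text):
    """Parse the tab-separated export into event dicts, oldest first."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    events = []
    for row in reader:
        events.append({
            "dc": row["dc"],
            "event_id": int(row["event_id"]),
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "user": row["user"].lower(),          # normalise case for matching
            "caller": row["caller_computer"].upper(),
        })
    return sorted(events, key=lambda e: e["time"])


def trace_lockouts(events, window_minutes=30):
    """For every lockout, report the DC that logged it, the caller computer
    named in the lockout event, and which machines produced bad-password
    events for that user in the preceding window on ANY DC. Counting across
    all DCs matters because a client can be bounced between DCs, so no single
    log shows the whole run of failures."""
    window = timedelta(minutes=window_minutes)
    report = []
    for ev in events:
        if ev["event_id"] not in LOCKOUT_IDS:
            continue
        prior = Counter(
            e["caller"] for e in events
            if e["user"] == ev["user"]
            and e["event_id"] in FAILED_LOGON_IDS
            and ev["time"] - window <= e["time"] <= ev["time"]
        )
        report.append({
            "user": ev["user"],
            "locked_on_dc": ev["dc"],
            "time": ev["time"],
            "caller": ev["caller"],
            "failed_logons_by_source": dict(prior),
        })
    return report


if __name__ == "__main__":
    for entry in trace_lockouts(parse_export(SAMPLE_EXPORT)):
        print(f"{entry['time']}  {entry['user']:<8} locked on {entry['locked_on_dc']} "
              f"by {entry['caller']}; bad passwords from {entry['failed_logons_by_source']}")
```

On the sample, bsmith's lockout traces to TS01 (the terminal-server pattern Nick mentions: the source is the server holding the disconnected session, not the user's desk) and jdoe's to WS-OLD-PC, a machine still holding an old logon while the user works on WS-NEW-PC. The successful 528 logon from the new machine is correctly ignored.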
 
Very good advice Nick, I have seen this too. Other suspects are offline files doing background syncs.
 
Ok so we opened up a support call with Microsoft...
Here's what we found...
We just made the changes yesterday 12/11/03 but today is going ok so far...

Result:
The clients received errors such as "No domain server available," "The system could not log you on," and "The password you supplied is not correct." Some clients were logging into the domain and losing their mapped drives. Some accounts were being locked out. Sometimes if a client waited at the ctrl +alt +del screen for four minutes, they were able to logon.
Cause:
The PDC and one BDC were multihomed servers. The PDC was registering the Domain 1c record, or domain authenticator record, on an adapter that was not connected to the network, most likely because it was bound first to NetBIOS.

Resolution:
We removed the additional adapters on the PDC NT4Server and the BDC NT4Server, but did not reboot immediately. We stopped WINS replication between the two WINS servers. We removed the mappings to the 192.168.0.x entries on the two WINS servers. We rebooted NT4server and verified that 1b, 1c, 20, 00, 03 were registered. We reconfigured WINS replication. We rebooted NT4server. We reregistered Mailserver using the nbtstat -RR command. We confirmed that all local domain controllers were included in the 1c record for the domain. Just to be sure, we synchronized Mailserver with the PDC. We changed the account lockout policy from 5 bad attempts to 10 bad attempts to prevent false positives. Network clients were able to logon to your customer's domain once again. You agreed to reregister the remote BDCs into WINS using the nbtstat -RR command, or by rebooting. Your customer's domain is working properly again.

Microsoft KB Article(s) or White Paper(s) referenced:
266729.KB.EN-US Netlogon Behavior in Windows NT 4.0
149664.KB.EN-US Verifying Domain Netlogon Synchronization
242053.KB.EN-US Event ID 4319: Duplicate Names on the Network
Q168471 New Synchronization Behavior with Windows NT Server Version 4.0
Q221210 Browsing with a Multihomed PDC
181774.KB.EN-US Multihomed Issues with Windows NT
Q119495 List of Names Registered with WINS Service
Q163409 NetBIOS Suffixes (16th Character of the NetBIOS Name)

These articles can be found at .

Hope this helps good luck
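The verification step in that resolution (after the reboot, confirm that the 1b, 1c, 20, 00 and 03 names are registered, and on the right adapter) is what `nbtstat -n` shows per interface. The example below is added here and is not from the thread or from Microsoft: it parses a constructed `nbtstat -n` listing modelled on the real layout for a hypothetical multihomed PDC (host PDC01, domain CORP, adapters "Local Area Connection" and "Local Area Connection 2"), then reports which required records are missing on the LAN adapter and which domain records (1B/1C) have landed on another adapter, which is exactly the cause the support case identified. The sample text and names are constructed; the required-suffix list follows the thread's resolution plus the standard meaning of those suffixes.

```python
import re

# Line shapes in `nbtstat -n` output: an adapter heading ending in ":", the
# node line with the adapter's IP, and one name-table entry per line.
ADAPTER_RE = re.compile(r"^(?P<adapter>[^\s].*?):\s*$")
NODE_RE = re.compile(r"^Node IpAddress: \[(?P<ip>[\d.]+)\]")
ENTRY_RE = re.compile(
    r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)\s*$"
)

# Constructed sample: a multihomed PDC whose domain-controller records (1B, 1C)
# were registered only on the second, disconnected adapter.
SAMPLE_NBTSTAT_N = """\

Local Area Connection:
Node IpAddress: [10.0.0.5] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    PDC01          <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    PDC01          <03>  UNIQUE      Registered
    PDC01          <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered

Local Area Connection 2:
Node IpAddress: [192.168.0.5] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    PDC01          <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    CORP           <1C>  GROUP       Registered
    CORP           <1B>  UNIQUE      Registered
"""


def parse_nbtstat_n(text):
    """Return {adapter: {"ip": str, "names": {(NAME, SUFFIX): (type, status)}}}."""
    tables, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group("adapter")
            tables[current] = {"ip": None, "names": {}}
            continue
        if current is None:
            continue
        m = NODE_RE.match(line)
        if m:
            tables[current]["ip"] = m.group("ip")
            continue
        m = ENTRY_RE.match(line)
        if m:
            key = (m.group("name").upper(), m.group("suffix").upper())
            tables[current]["names"][key] = (m.group("type"), m.group("status"))
    return tables


def check_dc_registrations(tables, domain, host, lan_adapter):
    """Check the records a PDC must hold on its connected adapter:
    host <00> <03> <20> and domain <00> <1B> <1C> (the suffixes verified in the
    support case). Also flag domain 1B/1C records registered on any other
    adapter, the multihomed symptom that broke client logons."""
    domain, host = domain.upper(), host.upper()
    required = {(host, "00"), (host, "03"), (host, "20"),
                (domain, "00"), (domain, "1B"), (domain, "1C")}
    lan = tables.get(lan_adapter, {"names": {}})["names"]
    missing = sorted(k for k in required
                     if lan.get(k, (None, None))[1] != "Registered")
    misplaced = sorted(
        (name, suffix, adapter)
        for adapter, table in tables.items() if adapter != lan_adapter
        for (name, suffix), (_, status) in table["names"].items()
        if name == domain and suffix in {"1B", "1C"} and status == "Registered"
    )
    return {"missing_on_lan": missing, "domain_records_on_other_adapters": misplaced}


if __name__ == "__main__":
    result = check_dc_registrations(parse_nbtstat_n(SAMPLE_NBTSTAT_N),
                                    "corp", "pdc01", "Local Area Connection")
    for name, suffix in result["missing_on_lan"]:
        print(f"missing on LAN adapter: {name}<{suffix}>")
    for name, suffix, adapter in result["domain_records_on_other_adapters"]:
        print(f"{name}<{suffix}> registered on '{adapter}' instead")
```

On a real server you would feed it the actual `nbtstat -n` output; an empty result from both lists after the `nbtstat -RR` re-registration is the state the support engineer was verifying. Group records such as <1E> are parsed but not required, so browser-election entries do not produce noise.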
 
Wow, good info.

You all helped me fix my problem and I didn't even have to post it.

Thanks for the help, you all are great.

rphips
 
Just experienced the same problem that brettums had. I also had a user logged onto another computer that was never shut down and the user had since changed their password, causing lockout problems. Should have known to check posts for this problem. Three days later I check Tek-Tips and find the solution within 2 minutes. Thanks to all the posts for this problem.
 