Users getting locked out spontaneously

Status
Not open for further replies.

maff

MIS
Jul 5, 2000
31
GB
Hi all,

Have a network of 300+ users using a mixture of NT4 Workstation and Mac OS 9 with NT Server 4 (1xPDC, 2xBDC, 1xStand alone).

User accounts are set to lock out after 3 failed attempts. Recently the number of students getting locked out has increased alarmingly.

People have reported that they are being locked out whilst using the computer after logging on hours before.

A colleague of mine reckons he has resolved the problem on a few machines by removing the log on script (which purely maps drives and sets the home dirs).

Is this a network traffic problem or something else?

Any ideas...?

Matt ffolliott-Powell
maff_ffolliottpowell@yahoo.com
King of the wild frontier
 
It's not likely to be a network traffic problem. And it's certainly not the login script if all it contains is a series of "net use" commands. First, do you have any domain account policies in place (i.e. minimum password length, password expiration times, etc.)? When you say the account is locked out, do you mean that you are unable to access any of the network mappings that were created during logon? What happens if you try to re-map a drive without logging off? Are you logging failed login attempts to confirm if that is the reason why the accounts are being locked out?

Let me know.

Ruster.
 
I agree with Ruster about the problem not being attributed to network traffic, nor should it have anything to do with login scripts. Have you asked those user/s, if and when they are being locked out of the system, that it is not because of the network but rather of them forgetting their passwords? It might be more of a user problem rather than a network problem....

:)
 
I agree, I can't see the logic in logon scripts affecting this.
To answer Ruster's queries about account policies, yes they are set to lock out after three incorrect logon attempts. Also passwords are set to expire every 4 weeks. Minimum password length is four characters.

Yes I am logging failed logon attempts and they all come up with:
Logon Failure:
Reason: Account locked out
User Name: ******
Domain: STAFF_DOMAIN
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\FTVTECH

We have checked with users, but they insist that they have used their correct passwords (do I need a big pinch of salt here?).


Matt ffolliott-Powell
maff_ffolliottpowell@yahoo.com
King of the wild frontier
 
I have seen this when a user is logged into another machine, and they change their password. The older machine is trying to validate items like mapped login drives with the old password and locks the account.
Search for event ID 644 on the PDC of the login domain. It will tell you which machine locked the account.
 
Hi

I am hoping you can help me solve the same problem. I have 2 users who are continually being locked out during the day. It prompts them for the user name and password after they have logged on. It says event ID 644 on the PDC and it says the machine name they are locked out on as being our Outlook Web Access server. I unlocked them on that but it still keeps locking them out. Can anyone help - of course one of the people it is happening to is our IT director so all help appreciated!
 
I'm also having this same problem. I have a user on our domain with Win2k Pro. His account seems to lock out every 15 minutes. Set his profile from roaming to local, deleted/recreated his user account. He's not logged in anywhere else. We changed his password. Any Ideas??

Thanks
Jason
 
It could be a legitimate lockout where a hacker is attempting to guess the passwords.

I would set the server to Audit failed log ons and check the security logs.
 
It seems to happen every 15 minutes on the dot. Audit is enabled but I still can't find anything that tells me the answer in the logs. Is there a specific event ID I should be looking for? I've checked 644, 539, 538.
The event says that the call was made from his computer name....
 
Hi

I got this problem resolved. I got the user to log on at another PC and it didn't happen. I thought that it was due to changing his password while still logged on and a local password held somewhere. He had XP and it didn't lock me out if I logged on. I think we changed the local and domain password and it stopped locking out from then on.

Hope this helps
 
Hello,

The exact same thing is happening to us. One of the people that this is happening to is me (ADMINISTRATOR) and a few other people.

We are in a Mix of NT and Windows 2000 environment, we still have some 98 machines though (250 users).

Example of what's going on: I am logged in to my Win2k machine. I log off or lock my system. When I return to log back in, I have been locked out. This just started today. I have been getting quite a few calls from our users stating the same thing.

Does anyone know what may be the problem?
 
Hello.
This has been happening to us for about 1 month. Nothing shows on the firewall logs. I have also downloaded and tested some intrusion detection software and this caught nothing. All I see is the names of matching domain names and computer names (not mine) in the event logs on the mail server and corresponding events on the PDC. This has been driving me nuts. As far as I can see there is no access yet - just failed attempts. I have also checked the registry of the mail server for known changes - nothing. I have checked for foreign installations - nothing. I have checked for telnet access - nothing. I have also shutdown unused services and protocols (including POP3).

If anyone has any suggestions I would greatly appreciate it as well.
 
Here it goes again. This is driving me nuts, any clue yet?

This morning, we have had at least 6 lock-outs, and by the time I unlock the system and let the users know that they are unlocked, they are already locked out again.

Are there any new viruses that may have these symptoms?
 
Hello,

The exact same thing is happening to us. The accounts are locked out, with all of the users logged out. Always with the same users. 300 users total, 150 approx., locked out.
HELP ME!!!!!!
 
We have been getting it again. Typically this has been happening "after hours" and on weekends - but lately it has been occurring during business hours. Here is an example of the security log...

AUTHORITY\SYSTEM MAIL Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: RDDMVEUOIMUTVO1
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\RDDMVEUOIMUTVO1

The alarming part is the Domain name and the workstation name. None of these have anything to do with our network - and they change after the security policy is enforced and they are locked out. I have 9 servers in place and this only appears on the mail server (which is a BDC) and the PDC. I am at a loss. I have checked some of the suggestions above but have found nothing. Any other suggestions at this point would be appreciated. All of the events log the KsecDD Logon Process.
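
Added example, not part of any post in this thread: a short Python triage of exported "Logon Failure" records in the layout quoted above, grouping failures by source workstation and flagging names that are not in the site's machine inventory. The sample log is constructed, and the inventory set and the user name student01 are assumptions.

```python
from collections import defaultdict

# Constructed sample in the layout quoted in this thread; student01 is made up.
SAMPLE_LOG = r"""
Logon Failure:
Reason: Account locked out
User Name: student01
Workstation Name: \\FTVTECH

AUTHORITY\SYSTEM MAIL Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Workstation Name: \\RDDMVEUOIMUTVO1

Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Workstation Name: \\RDDMVEUOIMUTVO1
"""

def parse_failures(text):
    """Return one dict of 'Key: value' fields per 'Logon Failure:' record."""
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("Logon Failure:"):
            current = {}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records

def triage(records, known_hosts):
    """Group failures by source workstation; mark names missing from the inventory."""
    report = defaultdict(lambda: {"known": False, "failures": 0, "users": set()})
    for rec in records:
        host = rec.get("Workstation Name", "").lstrip("\\").upper()
        entry = report[host]
        entry["known"] = host in known_hosts
        entry["failures"] += 1
        entry["users"].add(rec.get("User Name", "?"))
    return dict(report)

def unknown_sources(report):
    """Workstation names that no machine in the inventory accounts for."""
    return sorted(host for host, entry in report.items() if not entry["known"])

if __name__ == "__main__":
    inventory = {"FTVTECH", "MAIL"}  # hypothetical list of real machine names
    print(unknown_sources(triage(parse_failures(SAMPLE_LOG), inventory)))
```

Failures from a known workstation fit the stale-password case described earlier in the thread; failures from names absent from the inventory are the ones to trace back to the server that logged them.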
 
Are you having the lockout problem only with the 98 clients?

That's what I had.... I had to disable password caching on all 98 clients...

here's the registry hack...

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network

Add new DWORD
DisablePwdCaching

set to 1

Delete all *.pwl files from client
restart

Let me know if this helps.

Chirag
 
I am running all Win2K clients with the latest updates. I am pretty sure at this point that this is coming from the exchange server - but not sure how it is being done.
 
Has anyone else had any luck on solving this problem? If so will you please share the knowledge? I am still having the same problem with the same 6 users, and it's driving me nuts.
 
Case Closed.....

We had a hacker running a backdoor program on our Exchange server. Our AV software didn't pick it up, but I used a free one from Trend's homepage.

If you're still having the problem go to:


Right under the Enterprise tab there is a Free Online Scan.

Do the scan on every server you have.

Good luck....

It's real easy to use.....
 