chee68

User Logon Denied in Win2k

Hi,

I have a server installed with Win2k Advanced Server that serves as Domain Controller. The workstations connected to this server run Win98 SE. Some of the workstations will be disconnected from the server after you have been logged in for some time. After that, the user is not able to log in. The error message is "The domain password you supplied is not correct or access to your logon server has been denied". If you switch your workstation off and on again, then the user can log in successfully. If you check the security log in the event log, the error message is "Unknown user name or bad password". This error happens quite often. At least 3 workstations are facing this kind of problem. What is the solution? Is it related to any security setting?

thanks
chee
AvonWyss

What password policy are you using on the domain? Accounts can get locked for a certain amount of time (depending on the policy settings) when bad passwords are entered. The time to restart the machine may be long enough to unlock the account again, so that's why this could be a possibility.

You can find this in the Administrative Tools, Domain Policy, Account policy. (The actual item names may be different, I have an international version so I don't know the original names, but you should be able to find it.)

- Do you have RRAS installed on the server? Modem or VPN?
- I think you'll find that it happens only after someone RAS's in... Correct?
- Answer this & if you can consistently make this happen after RASing in, I'll tell you how to fix it.

chee68

ASKER

AvonWyss,

In my Domain Controller Security Policy, Account Policies, Account Lockout Policy, the settings are as follows:
1. Account Lockout Duration: 15 minutes
2. Account Lockout Threshold: 5 invalid logons
3. Reset Account Lockout Counter after: 15 minutes

Do the above settings affect the login? What do those settings do?

Housenet,
I only have an internal modem installed in my server. This modem is not connected (not in use at this point in time).

thanks
chee

- I have seen this happen once before. In my scenario RRAS was involved in name hijacking. Someone would RAS in and a Win9x computer could not log in... Exact same way you describe it.
- Make sure WINS is installed. Set your DNS server to accept only secure dynamic updates. Does your server have more than 1 NIC or IP address? Test a few stations with a static IP assigned. Specify WINS & DNS suffix. Enter a DNS host name on the station & list the DC DNS server IP only (full 2000 domain name space in the suffix)...

http://support.microsoft.com/support/kb/articles/Q255/1/34.ASP?LN=EN-US&SD=gn&FR=0&qry=Unknown%20user%20name%20or%20bad%20password&rnk=3&src=DHCS_MSPSS_gn_SRCH&SPR=WIN2000

chee68, these are the settings I meant. If a bad password is supplied five times (threshold), the account will be locked for 15 minutes (duration). The counter for bad passwords is reset after a 15-minute duration where no bad password has been entered for this user (reset counter).

This setting prevents password hacking since after 5 bad passwords, the account will not log on even if the correct password is supplied.

Try to *temporarily* set the threshold higher or to disable the lockout to find out whether it's this or not. (Leaving this setting loosened up too much or even disabled will also allow users to try and maybe find out passwords of others!)
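
The lockout arithmetic described in the reply above, replayed over two constructed timelines. This is an added example, not part of the original thread; the function names, the sample times, and the rule that a successful logon clears the bad-password counter are assumptions of the example.

```python
from datetime import datetime, timedelta

def replay(attempts, threshold=5, duration=timedelta(minutes=15),
           reset_after=timedelta(minutes=15)):
    """Replay (time, password_ok) logon attempts for one account.

    Defaults are the policy values quoted in the thread; threshold=0 models
    lockout disabled. Returns 'ok', 'bad_password' or 'locked_out' per attempt.
    """
    bad_count, last_bad, locked_until = 0, None, None
    outcomes = []
    for when, password_ok in attempts:
        if locked_until is not None:
            if when < locked_until:
                # Still inside the lockout duration: even a correct password fails.
                outcomes.append("locked_out")
                continue
            locked_until, bad_count = None, 0
        # Counter resets once reset_after passes with no bad password.
        if last_bad is not None and when - last_bad >= reset_after:
            bad_count = 0
        if password_ok:
            bad_count = 0  # assumption of this example: success clears the counter
            outcomes.append("ok")
            continue
        bad_count += 1
        last_bad = when
        if threshold and bad_count >= threshold:
            locked_until = when + duration
        outcomes.append("bad_password")
    return outcomes

def at(hhmm, password_ok):
    """Build one constructed attempt on an arbitrary sample day."""
    return (datetime.strptime("2001-01-01 " + hhmm, "%Y-%m-%d %H:%M"), password_ok)

# Constructed timeline: five bad passwords in five minutes, then correct ones.
LOCKOUT_TIMELINE = [at("09:0%d" % m, False) for m in range(5)] + [
    at("09:05", True), at("09:10", True), at("09:19", True)]
# Constructed timeline: four bad passwords, a 20-minute pause, one more bad one.
SPACED_TIMELINE = [at("09:0%d" % m, False) for m in range(4)] + [
    at("09:23", False), at("09:24", True)]

if __name__ == "__main__":
    for name, timeline in (("lockout", LOCKOUT_TIMELINE), ("spaced", SPACED_TIMELINE)):
        for (when, _), outcome in zip(timeline, replay(timeline)):
            print(name, when.strftime("%H:%M"), outcome)
```

In the first timeline the correct password is refused at 09:05 and 09:10 and accepted again at 09:19, which matches the symptom of a logon that works again after a wait.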

chee68: Did you ever get this fixed?

I have a similar problem only I get the error on ALL my clients, ALL the time. Single domain controller (Advanced Server) just like you. Can't figure it out.

How did you troubleshoot this?

Dave
chee68

ASKER

I still could not resolve the problem I faced until I re-assigned the workstation an IP address which is in a different segment. I am still not sure whether this is the solution.

ASKER CERTIFIED SOLUTION
dcgames