EvilSean
asked on
NT User Locked out
I have one user who more often than not has her domain account locked out every morning. The only reason for this particular account she uses is to gain access to our Exchange server, so without, she cannot logon to her email. I cannot see any obvious reasons why she is locked out ie. she is not entering incorrect passwords, and there is no time restriction on her login. We destroyed and re-created her profile, and everything worked well for a while, but the problem has cropped up again. I considered the option that perhaps she logged on to another machine with her profile stored locally, and updated her network profile with the defective one when she logged out, but she has never logged into any other machine other than her own. Anyone have any suggestions as to what could be going on?
Do you have auditing turned on for authentication? I would turn it on for success and failure. Also check the system tuime and make sure its within 5 minutes if the DC she is hitting. Kerberous will not authenticate users if the time is off by more than 5 min (default)
Not 100% sure of your operating environment, but here is a link that resembles your problem in many ways. HTH! :)
<a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;278299" target="new">http://support.microsoft.com/default.aspx?scid=kb;EN-US;278299</a>
-Derek
<a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;278299" target="new">http://support.microsoft.com/default.aspx?scid=kb;EN-US;278299</a>
-Derek
*sigh* I should have realized the post would have mangled the html. Ah well.. live and learn. Links still work... Sorry it's ugly :)
Looks like HDD is full. Make sure she has available space of over 300mbs to download her roaming profile.
does she log in at more than one location?
consider the following hypothetical situation
"Mary" logs in at machine A with Password A.
she logs into machine B with Password A.
All is good.
Mary changes password from Machine B to Password B.
Machine B knows about the change, and is authenticating correctly.
Machine A does not, and every time it tries to access the network, creates a password violation, because it is still using Password A.
Machine B and machine A both try to access the network, Machine A accumulating Password Violations, and Machine B resetting the Password count.
Eventually Machine A manages to increase the violation account to a point where it locks the account.
EvilSean then Resets her account.
All seems good, but after time, again Machine A wins the "race" and locks the account again.
This drives EvilSean crazy.
EvilSean goes to Experts-exchange
EvilSean learns to ask Mary if she logs in at more than one location.
EvilSean teaches Mary to only change her password when logged in at *only one* machine.
This fixes the problem, and Mary and EvilSean do the dance of joy.
HTH
-Steven Yarnot
http://yarnosg.home.insightbb.com
consider the following hypothetical situation
"Mary" logs in at machine A with Password A.
she logs into machine B with Password A.
All is good.
Mary changes password from Machine B to Password B.
Machine B knows about the change, and is authenticating correctly.
Machine A does not, and every time it tries to access the network, creates a password violation, because it is still using Password A.
Machine B and machine A both try to access the network, Machine A accumulating Password Violations, and Machine B resetting the Password count.
Eventually Machine A manages to increase the violation account to a point where it locks the account.
EvilSean then Resets her account.
All seems good, but after time, again Machine A wins the "race" and locks the account again.
This drives EvilSean crazy.
EvilSean goes to Experts-exchange
EvilSean learns to ask Mary if she logs in at more than one location.
EvilSean teaches Mary to only change her password when logged in at *only one* machine.
This fixes the problem, and Mary and EvilSean do the dance of joy.
HTH
-Steven Yarnot
http://yarnosg.home.insightbb.com
Users frequently lie (or are just forgetful). Is she SURE that she is not logged in anywhere else?
ASKER
beerbar, not an issue, system time corresponds
McBud, sorry, I should have clarified, this is an NT4 environment
Kenny, plenty of space to download profile
Yarno, thought of that already, and I know for a fact that she is only logging onto her own machine.
Thanks for all the tips guys and girls.
McBud, sorry, I should have clarified, this is an NT4 environment
Kenny, plenty of space to download profile
Yarno, thought of that already, and I know for a fact that she is only logging onto her own machine.
Thanks for all the tips guys and girls.
Does this seem to only happen around password changing time? Maybe for a couple of days afterwards?
We had a guy in our network that had similar problems. His name was Gerald, and he was Owner, Creator and Proliferator of the Gerald-Factor. When ever we went though password changes, he would somehow manage to get his account locked out at randomn intervals durring the day.... Sometimes, this was due (we're almost positive) to him failing to log out of a Terminal Session, but, sometimes it highly seemed probably that if he tried to use Outlook immediately after changing his passwords, that it would not mesh up with something Exchange expected. Then his account would get locked out... Usually, we were able to resolve his problem by the ever so draconian method of logging him out completely, loggin him in, changing his pass, logging him out and then finally logging him in.... It could just be that he was cursed (I have no doubt that some digital gods were waging war upon him) and, if none of that seems correct, I suggest you try and see if someone else on your network isn't trying to break her account. Suspect the coders.. they're always up to no good :-P
We had a guy in our network that had similar problems. His name was Gerald, and he was Owner, Creator and Proliferator of the Gerald-Factor. When ever we went though password changes, he would somehow manage to get his account locked out at randomn intervals durring the day.... Sometimes, this was due (we're almost positive) to him failing to log out of a Terminal Session, but, sometimes it highly seemed probably that if he tried to use Outlook immediately after changing his passwords, that it would not mesh up with something Exchange expected. Then his account would get locked out... Usually, we were able to resolve his problem by the ever so draconian method of logging him out completely, loggin him in, changing his pass, logging him out and then finally logging him in.... It could just be that he was cursed (I have no doubt that some digital gods were waging war upon him) and, if none of that seems correct, I suggest you try and see if someone else on your network isn't trying to break her account. Suspect the coders.. they're always up to no good :-P
I thought this was Expert-Exchange... Anyhow, she is being locked out because she changed her password lately and she is logged in more than one place.. logged in somewhere still with her old password....
Tom
Tom
Normally, one of the reason for this cause is the mapping that she acquires during the duration she is working on the pc. If she maps a drive to a server and tells it to reconnect everytime she logs in and down the road changes her password, this will cause it to try to authenticate again and again. You may want to check that she does not have any mappings that she shouldn't have. If your policy is 3 strikes and your out, maybe there are three different drive mappings to the same server.
Hope this helps.
Hope this helps.
ASKER
You see, the problem is is that she doesn't actually log the machine in with this account. She uses this account as a 'Logon As:' type affair to identify herself to the exchange server. Her actual user account is a completly different account entirley.
So in reality this is really an Exchange account lock out and not a 2000 Domain lock out?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is to:
Accept xoprac's Comments as answer
Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
Paul
EE Cleanup Volunteer
I will leave a recommendation in the Cleanup topic area that this question is to:
Accept xoprac's Comments as answer
Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
Paul
EE Cleanup Volunteer