NT User Locked out

Posted on 2003-03-21
Medium Priority
Last Modified: 2012-06-27
I have one user who more often than not has her domain account locked out every morning.  The only reason for this particular account she uses is to gain access to our Exchange server, so without it, she cannot log on to her email.  I cannot see any obvious reasons why she is locked out, i.e. she is not entering incorrect passwords, and there is no time restriction on her login.  We destroyed and re-created her profile, and everything worked well for a while, but the problem has cropped up again.  I considered the option that perhaps she logged on to another machine with her profile stored locally, and updated her network profile with the defective one when she logged out, but she has never logged into any other machine other than her own.  Anyone have any suggestions as to what could be going on?

Question by:EvilSean

Expert Comment

ID: 8181763
Do you have auditing turned on for authentication?  I would turn it on for success and failure. Also check the system time and make sure it's within 5 minutes of the DC she is hitting. Kerberos will not authenticate users if the time is off by more than 5 min (default).

Expert Comment

ID: 8181841
Not 100% sure of your operating environment, but here is a link that resembles your problem in many ways.  HTH! :)

<a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;278299" target="new">http://support.microsoft.com/default.aspx?scid=kb;EN-US;278299</a>


Expert Comment

ID: 8181858
*sigh*  I should have realized the post would have mangled the html.  Ah well.. live and learn.  Links still work... Sorry it's ugly :)



Expert Comment

ID: 8181914
Looks like HDD is full. Make sure she has available space of over 300mbs to download her roaming profile.

Expert Comment

ID: 8181922
Does she log in at more than one location?
Consider the following hypothetical situation:

"Mary" logs in at machine A with Password A.
She logs into machine B with Password A.
All is good.
Mary changes password from Machine B to Password B.
Machine B knows about the change, and is authenticating correctly.
Machine A does not, and every time it tries to access the network, creates a password violation, because it is still using Password A.
Machine B and machine A both try to access the network, Machine A accumulating Password Violations, and Machine B resetting the Password count.
Eventually Machine A manages to increase the violation count to a point where it locks the account.
EvilSean then Resets her account.
All seems good, but after time, again Machine A wins the "race" and locks the account again.
This drives EvilSean crazy.
EvilSean goes to Experts-exchange
EvilSean learns to ask Mary if she logs in at more than one location.
EvilSean teaches Mary to only change her password when logged in at *only one* machine.
This fixes the problem, and Mary and EvilSean do the dance of joy.

-Steven Yarnot
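
An added example, not part of any post in this thread: with logon auditing enabled for success and failure as suggested earlier, the stale-password race described above can be confirmed by tallying failed logons per source machine in the window before each lockout. The CSV export layout, account names and machine names are constructed assumptions; 528, 529 and 644 are the NT4/Windows 2000 Security-log IDs for successful logon, failed logon and account lockout.

```python
import csv
import io
from collections import Counter

# Security-log event IDs (NT4 / Windows 2000 numbering).
LOGON_OK, LOGON_FAILED, LOCKED_OUT = "528", "529", "644"

# Constructed sample export; the column names are an assumption.
SAMPLE = """\
time,event_id,account,workstation
2003-03-20 17:02:11,528,mary-mail,MACHINE-B
2003-03-21 02:00:05,529,mary-mail,MACHINE-A
2003-03-21 04:00:05,529,mary-mail,MACHINE-A
2003-03-21 05:30:40,529,bob,MACHINE-C
2003-03-21 06:00:06,529,mary-mail,MACHINE-A
2003-03-21 06:00:06,644,mary-mail,
2003-03-21 08:31:00,529,mary-mail,MACHINE-B
"""

def lockout_sources(csv_text):
    """Return [(account, lockout_time, {workstation: failures})], one per lockout.

    Failures are counted per account since its last successful logon or
    last lockout, mirroring how the bad-password count builds up and resets.
    """
    pending = {}   # account -> Counter of failures by workstation
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        acct, event = row["account"].lower(), row["event_id"]
        if event == LOGON_FAILED:
            pending.setdefault(acct, Counter())[row["workstation"]] += 1
        elif event == LOGON_OK:
            pending.pop(acct, None)          # a good logon resets the count
        elif event == LOCKED_OUT:
            failures = pending.pop(acct, Counter())
            report.append((acct, row["time"], dict(failures)))
    return report

def prime_suspect(csv_text, account):
    """Workstation with the most failures before the account's latest lockout."""
    hits = [r for r in lockout_sources(csv_text) if r[0] == account.lower()]
    if not hits or not hits[-1][2]:
        return None
    return max(hits[-1][2].items(), key=lambda kv: kv[1])[0]

if __name__ == "__main__":
    for acct, when, sources in lockout_sources(SAMPLE):
        print(f"{acct} locked out at {when}: failures by machine {sources}")
```

A machine that keeps appearing as the top source while the user is not sitting at it points to a stored credential (a service, a persistent drive mapping, a mail profile) rather than typing errors.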

Expert Comment

ID: 8181963
Users frequently lie (or are just forgetful).  Is she SURE that she is not logged in anywhere else?

Author Comment

ID: 8182825
beerbar, not an issue, system time corresponds

McBud, sorry, I should have clarified, this is an NT4 environment

Kenny, plenty of space to download profile

Yarno, thought of that already, and I know for a fact that she is only logging onto her own machine.

Thanks for all the tips guys and girls.

Expert Comment

ID: 8185671
Does this seem to only happen around password changing time? Maybe for a couple of days afterwards?
We had a guy in our network that had similar problems. His name was Gerald, and he was Owner, Creator and Proliferator of the Gerald-Factor. Whenever we went through password changes, he would somehow manage to get his account locked out at random intervals during the day.... Sometimes, this was due (we're almost positive) to him failing to log out of a Terminal Session, but, sometimes it seemed highly probable that if he tried to use Outlook immediately after changing his passwords, that it would not mesh up with something Exchange expected. Then his account would get locked out... Usually, we were able to resolve his problem by the ever so draconian method of logging him out completely, logging him in, changing his pass, logging him out and then finally logging him in.... It could just be that he was cursed (I have no doubt that some digital gods were waging war upon him) and, if none of that seems correct, I suggest you try and see if someone else on your network isn't trying to break her account. Suspect the coders.. they're always up to no good :-P

Expert Comment

ID: 8186309
I thought this was Expert-Exchange... Anyhow, she is being locked out because she changed her password lately and she is logged in more than one place.. logged in somewhere still with her old password....



Expert Comment

ID: 8200932
Normally, one of the reasons for this is the mapping that she acquires during the time she is working on the PC. If she maps a drive to a server and tells it to reconnect every time she logs in, and down the road changes her password, this will cause it to try to authenticate again and again. You may want to check that she does not have any mappings that she shouldn't have. If your policy is 3 strikes and you're out, maybe there are three different drive mappings to the same server.

Hope this helps.

Author Comment

ID: 8201389
You see, the problem is that she doesn't actually log the machine in with this account.  She uses this account as a 'Logon As:' type affair to identify herself to the Exchange server.  Her actual user account is a completely different account entirely.

Expert Comment

ID: 8201447
So in reality this is really an Exchange account lock out and not a 2000 Domain lock out?

Accepted Solution

xoprac earned 200 total points
ID: 8201471
Here is an excerpt from Technet:

Your messaging system faces a slightly more insidious danger than outright attacks: people who read other people's messages. By and large, this is a personnel problem rather than a technical problem, and it isn't always malicious. (Messages that end up bouncing to the postmaster mailbox are a rich source of amusement for administrators at many sites.) However, you can apply technology to limit the chances of this type of snooping.

You often have legitimate reasons to grant a user access to another user's mailbox. For example, when you use Outlook for calendaring, you open other users' calendars. This action causes the system to generate event ID 1016 in the Application log. Any tool that opens a user's mailbox (e.g., Messaging API—MAPI—virus scanners, brick-level backup tools) will generate the same event. Your company's legal or human resources (HR) department might also have reason to monitor specific mailboxes.

In Exchange Server 5.5, the site service account permits unfettered access to all mailboxes on a server. Whoever has access to the site service account name and password can log on and read the contents of any mailbox—without leaving any sign that he or she did so. You probably don't want to permit this broad behavior on your network. Because the site service account is so powerful, choose a strong password and limit access to the account. I also recommend that you monitor the Security log to ensure that the account is being used properly.

Although you could use the account to provide access to a specific mailbox's contents, doing so increases the likelihood that the account will be compromised. A better solution is to grant someone else permissions to the mailbox in question (bearing in mind that this action might cause the alternate recipient to generate return receipts, potentially telling the world that someone other than the recipient is reading the mail). Or you can use message journaling to copy all mail traffic for that mailbox to another mailbox or public folder, from which a designated user can then inspect the messages. (I'll discuss journaling in the next column.)

Exchange 2000 tightens the site service account loophole considerably; the site service account no longer exists, and the Administrator account and the Domain Admins and Enterprise Admins groups are explicitly denied access to individual mailboxes. (See the Microsoft article "XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000" at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q262054&sd=tech for instructions about how to give snooping power to a designated account.) You can also use message journaling in Exchange 2000.

Hope this helps...

Expert Comment

ID: 9260277
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is to:

Accept xoprac's Comments as answer

Please leave any comments here within the next seven days.


EE Cleanup Volunteer
