Solved

W2K Local accounts lock out

Posted on 2003-10-27
12
269 Views
Last Modified: 2010-05-18
We're a small engineering company and have several people who travel infrequently. Everyone is assigned a desktop PC and I have a pool of Loaner laptops for people travelling. My problem as of late is that all local accounts (3-5 of them) on the laptop will become locked out at the same time. The only way for me to unlock them is to have them ship the laptop or wait till they return and hook the laptop back to the network and have one of the Domain Admins or Helpdesk Staff (both are members of the Adminstrators group) unlock all local accounts.
They are generally only using one of the accounts and in some instances do not even know the names of additional local accounts to attemp to log-in so as not to expect the "Account Lockout Policy", although it is set to 3 unsuccesful log-in attempts on the domain side.
If you need more information let me know.
0
Comment
Question by:dtm301
  • 4
  • 4
  • 2
12 Comments
 
LVL 1

Expert Comment

by:mrochac
ID: 9628849
Maybe provide youre user with Local admin rights, or power users, i've had some many problems with that in the pass that we've decided to give all our Coporate users admin. rights, and other power users. It got to the point where this like that would happen and there was nothing we could do remotely, most of our systems now also has DAMEWARE installed which give us a little bit of flexcibility when problems like that happen and the users are on the road.

Resus.
0
 

Author Comment

by:dtm301
ID: 9629814
All local user accounts that are locking out are local admin accounts as well.
In addition users that do have laptops permanently assigned to them do not have this problem but their domain accounts are added to the local admin group on the laptops.
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9632404
Open GPEDIT.MSC and do the following:

Computer Config > Windows Settings > Security Settings > Account Policies > Account Lockout and change the ACCOUNT LOCKOUT THRESHOLD
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9632410
Computer Config > Windows Settings > Security Settings > Account Policies > Account Lockout and change the ACCOUNT LOCKOUT THRESHOLD to 0.

Sorry, pressed enter by mistake and missed the vital part off!
0
 

Author Comment

by:dtm301
ID: 9632927
That only changes the Local Setting, The effective setting will still only be 3 Invalid logon attempts as that is what is set through the GPO. These laptops are members of the Domain so they get all GPO settings, hence local settings are ineffective.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 15

Expert Comment

by:Rob Stone
ID: 9633113
Can you not create a new OU for laptops then and change the GPO for them?

If they are on the road (not connected to network) then the local policy should work as it won't find the network gpo.
0
 

Author Comment

by:dtm301
ID: 9633210
I guess we are missing the point.
First all local accounts are being locked out regardless of them being used or not, in some instances accounts that have never even been logged into have been locked out.
Second, I have made attempts to change the account lockout policy to no avail. My question is, what would be locking out all Local Accounts regardless of their group membership?
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9633915
Sorry, not came across this before.

Maybe its worth trying a few things.

Try SFC /SCANNOW to check any Windows Protected Files haven't been overwritten.  Shot in the dark, but its worth a try on strange issues.

Upgrade the SP if not already on SP4

Run a AV scan if not already done so.

Setup Auditing to see if anything is trying to access the accounts.

Is there anything in the event viewer?
0
 
LVL 1

Accepted Solution

by:
mrochac earned 250 total points
ID: 9635695
Local groups only? Domain users as well? If everyone is getting locked out
it is usually a denial of service attack. Make sure that all machines are up
to date with critical updates and virus definitions and see the account
lockout whitepaper here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp

Hope this helps,

Resus.
0
 

Author Comment

by:dtm301
ID: 9635807
These are just local accounts setup on the laptops, I do not have any problems with domain accounts. The local accounts are not assigned to any one specific group (administrators, Power User, Users). The laptops at times are not even connected to a network or via an ISP yet still lockout.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Note: This is the second blog post in a series on email clearinghouses (https://www.xmatters.com/alert-management/blog-email-has-failed-us?utm_campaign=70138000000ydLoAAI&utm_source=exex&utm_medium=article&utm_content=blog-post).   Every month t…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now