W2K Local accounts lock out

Posted on 2003-10-27
Last Modified: 2010-05-18
We're a small engineering company and have several people who travel infrequently. Everyone is assigned a desktop PC and I have a pool of Loaner laptops for people travelling. My problem as of late is that all local accounts (3-5 of them) on the laptop will become locked out at the same time. The only way for me to unlock them is to have them ship the laptop or wait till they return and hook the laptop back to the network and have one of the Domain Admins or Helpdesk Staff (both are members of the Administrators group) unlock all local accounts.
They are generally only using one of the accounts and in some instances do not even know the names of additional local accounts to attempt to log-in so as not to expect the "Account Lockout Policy", although it is set to 3 unsuccessful log-in attempts on the domain side.
If you need more information let me know.
Question by:dtm301
12 Comments
 
LVL 1

Expert Comment

by:mrochac
ID: 9628849
Maybe provide your users with Local admin rights, or power users. I've had so many problems with that in the past that we've decided to give all our Corporate users admin rights, and others power users. It got to the point where things like that would happen and there was nothing we could do remotely. Most of our systems now also have DAMEWARE installed, which gives us a little bit of flexibility when problems like that happen and the users are on the road.

Resus.
0
 

Author Comment

by:dtm301
ID: 9629814
All local user accounts that are locking out are local admin accounts as well.
In addition users that do have laptops permanently assigned to them do not have this problem but their domain accounts are added to the local admin group on the laptops.
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9632404
Open GPEDIT.MSC and do the following:

Computer Config > Windows Settings > Security Settings > Account Policies > Account Lockout and change the ACCOUNT LOCKOUT THRESHOLD
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9632410
Computer Config > Windows Settings > Security Settings > Account Policies > Account Lockout and change the ACCOUNT LOCKOUT THRESHOLD to 0.

Sorry, pressed enter by mistake and missed the vital part off!
0
 

Author Comment

by:dtm301
ID: 9632927
That only changes the Local Setting. The effective setting will still only be 3 invalid logon attempts as that is what is set through the GPO. These laptops are members of the Domain so they get all GPO settings, hence local settings are ineffective.
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9633113
Can you not create a new OU for laptops then and change the GPO for them?

If they are on the road (not connected to network) then the local policy should work as it won't find the network gpo.
0
 

Author Comment

by:dtm301
ID: 9633210
I guess we are missing the point.
First, all local accounts are being locked out regardless of them being used or not; in some instances accounts that have never even been logged into have been locked out.
Second, I have made attempts to change the account lockout policy to no avail. My question is, what would be locking out all Local Accounts regardless of their group membership?
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9633915
Sorry, I've not come across this before.

Maybe it's worth trying a few things.

Try SFC /SCANNOW to check any Windows Protected Files haven't been overwritten.  Shot in the dark, but it's worth a try on strange issues.

Upgrade the SP if not already on SP4.

Run an AV scan if not already done so.

Set up Auditing to see if anything is trying to access the accounts.

Is there anything in the event viewer?
0
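An added example (not part of the original thread) of what the auditing suggested above can show: it groups account-lockout events (Windows 2000 event ID 644) that occur together and tallies where the preceding failed logons (event ID 529) came from. It assumes the laptop's Security log has been exported to a simplified CSV; the column layout, the account names and the hosts `LOANER01` and `HOST-A` are constructed for illustration.

```python
import csv, io
from collections import Counter
from datetime import datetime, timedelta

FAILED_LOGON, LOCKED_OUT = 529, 644  # Windows 2000 Security log event IDs

# Constructed sample (assumed CSV layout): one interactive typo, then three
# network (type 3) failures per account from one host, then the lockouts.
ROWS = ["time,event_id,account,logon_type,source",
        "2003-10-20 09:14:02,529,jsmith,2,LOANER01"]
for n, acct in enumerate(["jsmith", "loaner1", "loaner2"]):
    for k in range(3):
        ROWS.append(f"2003-10-21 02:31:{10 + n + 3 * k:02d},529,{acct},3,HOST-A")
    ROWS.append(f"2003-10-21 02:31:{20 + n:02d},644,{acct},,LOANER01")
SAMPLE = "\n".join(ROWS)

def parse(text):
    """Read the CSV export into time-ordered event dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        r["event_id"] = int(r["event_id"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["time"])

def lockout_bursts(events, window=timedelta(seconds=60), min_accounts=2):
    """Find lockouts hitting several accounts at once and who caused them."""
    bursts, current = [], []
    for e in (x for x in events if x["event_id"] == LOCKED_OUT):
        if current and e["time"] - current[-1]["time"] > window:
            bursts.append(current)
            current = []
        current.append(e)
    if current:
        bursts.append(current)
    report = []
    for b in bursts:
        accounts = sorted({e["account"] for e in b})
        if len(accounts) < min_accounts:
            continue  # a single lockout is more likely a user typing badly
        start, end = b[0]["time"] - window, b[-1]["time"]
        origins = Counter((e["source"], e["logon_type"]) for e in events
                          if e["event_id"] == FAILED_LOGON
                          and start <= e["time"] <= end)
        report.append({"accounts": accounts, "origins": dict(origins)})
    return report

if __name__ == "__main__":
    for burst in lockout_bursts(parse(SAMPLE)):
        print(burst)
```

A burst whose failures are all logon type 3 from a single source points to something on the network cycling through account names rather than a person at the keyboard; type 2 failures point to the console.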
 
LVL 1

Accepted Solution

by:
mrochac earned 500 total points
ID: 9635695
Local groups only? Domain users as well? If everyone is getting locked out
it is usually a denial of service attack. Make sure that all machines are up
to date with critical updates and virus definitions and see the account
lockout whitepaper here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp

Hope this helps,

Resus.
0
 

Author Comment

by:dtm301
ID: 9635807
These are just local accounts set up on the laptops; I do not have any problems with domain accounts. The local accounts are not assigned to any one specific group (Administrators, Power Users, Users). The laptops at times are not even connected to a network or via an ISP yet still lock out.
0
