Solved

W2K Local accounts lock out

Posted on 2003-10-27
12
271 Views
Last Modified: 2010-05-18
We're a small engineering company and have several people who travel infrequently. Everyone is assigned a desktop PC and I have a pool of Loaner laptops for people travelling. My problem as of late is that all local accounts (3-5 of them) on the laptop will become locked out at the same time. The only way for me to unlock them is to have them ship the laptop or wait till they return and hook the laptop back to the network and have one of the Domain Admins or Helpdesk Staff (both are members of the Adminstrators group) unlock all local accounts.
They are generally only using one of the accounts and in some instances do not even know the names of additional local accounts to attemp to log-in so as not to expect the "Account Lockout Policy", although it is set to 3 unsuccesful log-in attempts on the domain side.
If you need more information let me know.
0
Comment
Question by:dtm301
  • 4
  • 4
  • 2
12 Comments
 
LVL 1

Expert Comment

by:mrochac
ID: 9628849
Maybe provide youre user with Local admin rights, or power users, i've had some many problems with that in the pass that we've decided to give all our Coporate users admin. rights, and other power users. It got to the point where this like that would happen and there was nothing we could do remotely, most of our systems now also has DAMEWARE installed which give us a little bit of flexcibility when problems like that happen and the users are on the road.

Resus.
0
 

Author Comment

by:dtm301
ID: 9629814
All local user accounts that are locking out are local admin accounts as well.
In addition users that do have laptops permanently assigned to them do not have this problem but their domain accounts are added to the local admin group on the laptops.
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9632404
Open GPEDIT.MSC and do the following:

Computer Config > Windows Settings > Security Settings > Account Policies > Account Lockout and change the ACCOUNT LOCKOUT THRESHOLD
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 15

Expert Comment

by:Rob Stone
ID: 9632410
Computer Config > Windows Settings > Security Settings > Account Policies > Account Lockout and change the ACCOUNT LOCKOUT THRESHOLD to 0.

Sorry, pressed enter by mistake and missed the vital part off!
0
 

Author Comment

by:dtm301
ID: 9632927
That only changes the Local Setting, The effective setting will still only be 3 Invalid logon attempts as that is what is set through the GPO. These laptops are members of the Domain so they get all GPO settings, hence local settings are ineffective.
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9633113
Can you not create a new OU for laptops then and change the GPO for them?

If they are on the road (not connected to network) then the local policy should work as it won't find the network gpo.
0
 

Author Comment

by:dtm301
ID: 9633210
I guess we are missing the point.
First all local accounts are being locked out regardless of them being used or not, in some instances accounts that have never even been logged into have been locked out.
Second, I have made attempts to change the account lockout policy to no avail. My question is, what would be locking out all Local Accounts regardless of their group membership?
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9633915
Sorry, not came across this before.

Maybe its worth trying a few things.

Try SFC /SCANNOW to check any Windows Protected Files haven't been overwritten.  Shot in the dark, but its worth a try on strange issues.

Upgrade the SP if not already on SP4

Run a AV scan if not already done so.

Setup Auditing to see if anything is trying to access the accounts.

Is there anything in the event viewer?
0
 
LVL 1

Accepted Solution

by:
mrochac earned 250 total points
ID: 9635695
Local groups only? Domain users as well? If everyone is getting locked out
it is usually a denial of service attack. Make sure that all machines are up
to date with critical updates and virus definitions and see the account
lockout whitepaper here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp

Hope this helps,

Resus.
0
 

Author Comment

by:dtm301
ID: 9635807
These are just local accounts setup on the laptops, I do not have any problems with domain accounts. The local accounts are not assigned to any one specific group (administrators, Power User, Users). The laptops at times are not even connected to a network or via an ISP yet still lockout.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Knowing where your website is hosted is as important as the features you receive, the monthly fee, and the support you receive. Due diligence should be done when choosing your next hosting provider.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question