Solved

User Accounts Getting Locked Out WAN

Posted on 2004-04-22
Last Modified: 2013-12-04
Here is the topology of our network. We have one Windows 2000 server with DNS running. We have local LAN users and we have two groups of users that are on two separate T1 WAN connections. The problem we have is that the user accounts that are on one of the WAN connections get randomly disabled or locked out. We think this might be happening due to maximum password tries. None of the LAN users or the other group of WAN users are having this problem. The router logs on both the server end and the WAN end look clean with no security breaches. The logs in both the routers do not show any connection loss or dropped packets. Also the server logs are clean with no application, system, or security entries. We are going to turn on auditing in the local sec policy to see if we can gain any insight as to what is happening, but any input would be greatly appreciated. Thanks, Tim.
0
Comment
Question by:bigdessert
7 Comments
 
LVL 7

Expert Comment

by:msice
ID: 10893470
I have had this issue with Terminal Services / RDP. If you have users logging in via Citrix, for instance, and have a password change policy that forces the users to change their passwords, when they change their password, if there is an existing RDP connection that has been in existence, it will cause this due to the reconnection of the RDP when a user logs in again with the new password. You can set the RDP connection to auto logoff after a certain disconnect time. Hope this makes sense - this fixed my issue with mysterious lockouts, hope it helps.
0
 

Author Comment

by:bigdessert
ID: 10894255
There is no terminal or Citrix server involved. This is just when doing standard Windows network logons with a domain. We have also talked to the users at this location and none of them have been misspelling words or anything. So we kind of think it has something to do with the connection, but have no proof. Our logs are all clean so we know it's not a hacker. Let me know what you guys think. Thanks, Tim.
0
 
LVL 7

Expert Comment

by:msice
ID: 10894332
Logs are all clean could mean it's a hacker. Check for Trojans, etc. Are all of the accounts getting locked out or just random ones, and how often?
0
 

Author Comment

by:bigdessert
ID: 10895387
Well, we know there are no trojans etc. because we have very good updated virus protection. It's not all the accounts. One week it was a couple of them and then the next week a couple of different ones got locked out. So it's kind of random.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 125 total points
ID: 10896160
Well, connection losses will not do this. I'd look at the network layer last, actually. You say the logs are clean... no password failed attempts... are you logging success/failed logons? If you type "Secpol.msc" on the Run line, and go to Local Policies, then the audit settings, you'll see you can set success/failure for various variables... set these on the workstations as well as the DC or server, if not set already. If it is set already... and you don't see any failures in the logs, it may not be the "password attempts" setting. The password attempts can be set with Usrmgr in the 2000 resource kit, and complexity requirements can be set using the passfilt.dll.
http://is-it-true.org/nt/atips/atips93.shtml
http://windows.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/meta_bestpractices.htm

However, if it's not the failed logons being exceeded... I'm not sure what it would be... other than a hacker, or a program trying to use a hardcoded username and pass to do something. You could set up Ethereal on the server in question and see if you log any unauthorized IPs or traffic...
GL!
-rich
0
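
Added example, not part of the original thread: once success/failure logon auditing is enabled as the accepted answer suggests, the failed logons that precede each lockout can be grouped by source machine to see which workstation is generating them. The CSV layout, account names and workstation names below are constructed assumptions; the event IDs are the Windows 2000 ones (529, 675 and 681 for failed logons, 644 for an account lockout).

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Windows 2000 security event IDs, logged once auditing is enabled:
FAILED_LOGON = {"529", "675", "681"}  # bad password / Kerberos pre-auth failed / NTLM logon failed
LOCKED_OUT = "644"                    # user account locked out

# Constructed sample; the column layout is an assumption, not a real export format.
SAMPLE = """time,event_id,account,workstation
2004-04-22 08:01:10,529,jsmith,WAN2-PC07
2004-04-22 08:01:40,529,jsmith,WAN2-PC07
2004-04-22 08:02:10,529,jsmith,WAN2-PC07
2004-04-22 08:02:11,644,jsmith,WAN2-PC07
2004-04-22 09:15:00,529,mlee,LAN-PC02
2004-04-22 10:30:05,675,akhan,WAN2-PC07
2004-04-22 10:30:35,675,akhan,WAN2-PC07
2004-04-22 10:31:05,681,akhan,WAN2-PC11
2004-04-22 10:31:06,644,akhan,WAN2-PC11
"""

def lockout_sources(csv_text, window_minutes=30):
    """For each lockout, count the failed logons per workstation that preceded it."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    window = timedelta(minutes=window_minutes)
    report = {}
    for lock in (r for r in rows if r["event_id"] == LOCKED_OUT):
        sources = Counter(
            r["workstation"] for r in rows
            if r["event_id"] in FAILED_LOGON
            and r["account"] == lock["account"]
            and timedelta(0) <= lock["time"] - r["time"] <= window
        )
        report[(lock["account"], lock["time"])] = sources
    return report

def repeat_offenders(report):
    """Workstations that contributed failures to more than one account's lockout."""
    accounts = defaultdict(set)
    for (account, _), sources in report.items():
        for ws in sources:
            accounts[ws].add(account)
    return {ws: sorted(a) for ws, a in accounts.items() if len(a) > 1}
```

A workstation that shows up in `repeat_offenders` for several unrelated accounts points to a service, mapped drive or program on that machine retrying stale credentials rather than to users mistyping passwords.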
