Solved

User Accounts Getting Locked Out WAN

Posted on 2004-04-22
Last Modified: 2013-12-04
Here is the topology of our network. We have one Windows 2000 server with DNS running. We have local LAN users and we have two groups of users that are on two separate T1 WAN connections. The problem we have is that the user accounts that are on one of the WAN connections get randomly disabled or locked out. We think this might be happening due to a maximum password tries. None of the LAN users or the other group of WAN users are having this problem. The router logs on both the server end and the WAN end look clean with no security breaches. The logs in both the routers do not show any connection loss or dropped packets. Also the server logs are clean with no application, system, or security entries. We are going to turn on auditing in the local sec policy to see if we can gain any insight as to what is happening, but any input would be greatly appreciated. Thanks, Tim.
Question by:bigdessert
7 Comments
 
LVL 7

Expert Comment

by:msice
ID: 10893470
I have had this issue with Terminal Services / RDP. If you have users logging in via Citrix for instance and have a password change policy that forces the users to change their passwords, when they change their password, if there is an existing RDP connection that has been in existence, it will cause this due to the reconnection of the RDP when a user logs in again with the new password. You can set the RDP connection to auto logoff after a certain disconnect time. Hope this makes sense - this fixed my issue with mysterious lockouts, hope it helps.
0
 

Author Comment

by:bigdessert
ID: 10894255
There is no terminal or Citrix server involved. This is just when doing standard Windows network logons with a domain. We have also talked to the users at this location and none of them have been misspelling words or anything. So we kind of think it has something to do with the connection, but have no proof. Our logs are all clean so we know it's not a hacker. Let me know what you guys think. Thanks, Tim.
0
 
LVL 7

Expert Comment

by:msice
ID: 10894332
Logs are all clean could mean it's a hacker. Check for Trojans, etc. Are all of the accounts getting locked out or just random ones, and how often?
0
 

Author Comment

by:bigdessert
ID: 10895387
Well, we know there are no trojans etc. because we have very good updated virus protection. It's not all the accounts. One week it was a couple of them and then the next week a couple of different ones got locked out. So it's kind of random.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 10896160
Well, connection losses will not do this. I'd look at the network layer last actually. You say the logs are clean... no password failed attempts... are you logging success/failed logons? If you type "Secpol.msc" on the Run line, and go to Local policies, then the audit settings, you'll see you can set success/failure for various variables... set these on the workstations as well as the DC or server, if not set already. If it is set already... and you don't see any failures in the logs, it may not be the "password attempts" setting. The password attempts can be set with Usrmgr in the 2000 resource kit, and complexity requirements can be set using the passfilt.dll.
http://is-it-true.org/nt/atips/atips93.shtml
http://windows.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/meta_bestpractices.htm

However, if it's not the failed logons being exceeded... I'm not sure what it would be... other than a hacker, or a program trying to use a hardcoded username and pass to do something. You could set up Ethereal on the server in question and see if you log any unauthorized IPs or traffic...
GL!
-rich
0
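
An added example, not part of the original thread or any poster's code: once success/failure logon auditing is enabled as the accepted answer suggests, a script like this can tie each lockout to the machines that produced the failed logons just before it. It assumes the Security log has been exported to a simple CSV (columns `time`, `event_id`, `account`, `source`, a constructed layout) and uses the Windows 2000 event IDs 529, 675 and 681 (failed logons) and 644 (account locked out); all account and host names are made up.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Windows 2000 Security log event IDs (pre-Vista numbering).
FAILED_LOGON_IDS = {529, 675, 681}  # bad password, Kerberos pre-auth failed, NTLM logon failed
LOCKOUT_ID = 644                    # user account locked out

# Constructed sample data; the four-column layout is an assumption.
SAMPLE_CSV = """time,event_id,account,source
2004-04-22 06:00:00,529,jsmith,LAN-PC01
2004-04-22 08:01:10,529,jsmith,WAN2-PC07
2004-04-22 08:01:12,529,jsmith,WAN2-PC07
2004-04-22 08:01:15,675,JSmith,WAN2-PC07
2004-04-22 08:01:15,644,jsmith,DC01
2004-04-22 08:30:00,528,mlee,LAN-PC02
2004-04-22 09:10:00,681,mlee,WAN2-PC03
2004-04-22 09:10:05,529,mlee,WAN2-PC11
2004-04-22 09:10:09,529,mlee,WAN2-PC03
2004-04-22 09:10:09,644,mlee,DC01
2004-04-22 11:00:00,644,tkhan,DC01
"""

def lockout_sources(csv_text, window_minutes=30):
    """Return one entry per lockout: (account, lockout time, {source: failed logons})."""
    failures = defaultdict(list)   # account -> [(time, source)]
    lockouts = []                  # [(time, account)]
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        account = row["account"].strip().lower()   # account names are case-insensitive
        event_id = int(row["event_id"])
        if event_id in FAILED_LOGON_IDS:
            failures[account].append((when, row["source"].strip()))
        elif event_id == LOCKOUT_ID:
            lockouts.append((when, account))
    window = timedelta(minutes=window_minutes)
    report = []
    for when, account in sorted(lockouts):
        # Count only failures inside the window that ends at the lockout.
        counts = Counter(src for t, src in failures[account] if when - window <= t <= when)
        report.append((account, when, dict(counts)))
    return report

if __name__ == "__main__":
    for account, when, sources in lockout_sources(SAMPLE_CSV):
        # An empty result means no failure was recorded before the lockout;
        # check that failure auditing is on for the DC and the workstations.
        print(when, account, sources or "no audited failures in window")
```

A lockout whose failures all come from one workstation points at something on that machine retrying an old password; a lockout with no recorded failures points back at the audit settings.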
