Solved

Windows SBS 2003 Account Lockout

Posted on 2006-11-05
Last Modified: 2012-06-27
Hello Experts,

So here's the deal: One of the user profiles in our SBS environment is having trouble.  She's also the boss's wife.  And my mother.  I'm under a lot of pressure here ;-)

The trouble she's having is that whenever she logs in to the domain, she is immediately locked out of her shared drives (created by remote script) and her Exchange account won't launch into Outlook (gives her a user/pass login popup).  Even when entering the correct information, her account is still unavailable.

I'm stumped.  I've searched the boards up and down and can't quite find the solution I'm looking for.  The *closest* I think I got was a solution that suggested modifying the profile login script to remove all the shares.  I've done that and also deleted the NTUSER.dat files from the server share.  While it seems to have taken away all the shared drives, the same problems occur: she still can't use Outlook and she still can't look to the domain for resources and her account gets locked out again.

We recently had a hard drive meltdown and had to rebuild/ghost the RAID to a new set of drives, but she's the only user with these difficulties.

Thanks in advance!
AC
Question by:bigzippy
18 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17877700
A couple of troubleshooting points: I would check the DC's logs and see if there are any security failings from her machine. I would also reset the machine account and rejoin the domain.
0
 

Author Comment

by:bigzippy
ID: 17877956
There are security issues in the logs based on her roaming profile... Also, it doesn't seem to matter where she logs in from.. I actually built a brand new box today, joined it to the n/w - still the same troubles, so I'm pretty sure it's not the box..
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 17878256
It sounds like her SID is corrupt.  Can you create a new user and redirect it to her share and mailbox?

/F
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17878299
What's the sec error?
Did you use the connect computer wizard to join her in?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17879120
Has this only been tested on a single workstation?  If so, what happens if she logs into a different workstation (You might want to add her into the local administrators group on a different computer before testing this... so that there are NO differences compared to what SHOULD be expected).

If that works... then follow these steps to rejoin her primary computer to the network properly:

At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computer if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with its NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

Jeff
TechSoEasy
0
 

Author Comment

by:bigzippy
ID: 17880156
Sure are a lot of thoughts here... I'll address them each here:

Firebar: This was my first thought too.  However, is there a way to have this work so that it's transparent to the end user?  In other words, can she still keep her login name, e-mail address, etc?  Alternatively, if I remove her profile from the users section of the management console, does it delete her files and/or exchange mailbox?

Jay Jay70: The error in the logs is as follows -

###Begin###
Account Lockout (Event ID: 539)

An account was locked out due to multiple failed logon attempts that occurred in a short period of time. This may occur if an unauthorized user attempts to gain access to the network.

For more information about this event, see the event logs on the server computer.

You can disable this alert by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.

###end###

Jeff:
This is not unique to one machine, but rather happens across her roaming profile.  I actually built a brand new box yesterday and added her to it from scratch (completely unique name) - still the same errors.

Thanks!
A
0
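An added example, not part of any post in this thread: one way to act on the "check the DC's logs" suggestion is to tally Security-log events per source machine, because Event ID 539 only records a logon attempt against an account that is already locked, while the bad-password failures (529) before the lockout event (644) show which machine is triggering it. The CSV layout, the account names and DESK003/DESK007 are constructed assumptions; DESK012 is the machine name mentioned in the thread.

```python
import csv
import io
from collections import Counter

# Security-log event IDs on Windows Server 2003.
BAD_PASSWORD = "529"        # logon failure: unknown user name or bad password
LOGON_WHILE_LOCKED = "539"  # logon failure: account locked out (the alert quoted above)
ACCOUNT_LOCKED = "644"      # account management: user account locked out

# Constructed sample, not data from the thread: a simplified CSV export.
# "jdoe", "asmith", DESK003 and DESK007 are hypothetical names.
SAMPLE_EXPORT = """time,event_id,account,workstation
2006-11-05 08:00:01,529,jdoe,DESK007
2006-11-05 08:00:02,529,jdoe,DESK007
2006-11-05 08:00:03,529,asmith,DESK003
2006-11-05 08:00:04,529,jdoe,DESK007
2006-11-05 08:00:05,644,jdoe,DESK007
2006-11-05 08:05:30,539,jdoe,DESK012
2006-11-05 08:05:31,539,jdoe,DESK012
2006-11-05 08:06:00,539,jdoe,DESK007
"""


def summarize_lockouts(csv_text, account):
    """Separate the machines sending bad passwords from those that only
    hit the account after it was already locked."""
    bad_password = Counter()     # 529 per workstation: what trips the lockout
    locked_attempts = Counter()  # 539 per workstation: logged once already locked
    lockouts = []                # (time, workstation) for each 644
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["account"].lower() != account.lower():
            continue
        source = row["workstation"].upper()
        if row["event_id"] == BAD_PASSWORD:
            bad_password[source] += 1
        elif row["event_id"] == LOGON_WHILE_LOCKED:
            locked_attempts[source] += 1
        elif row["event_id"] == ACCOUNT_LOCKED:
            lockouts.append((row["time"], source))
    top = bad_password.most_common(1)
    return {
        "lockouts": lockouts,
        "bad_password_by_source": dict(bad_password),
        "locked_attempts_by_source": dict(locked_attempts),
        "likely_source": top[0][0] if top else None,
    }


if __name__ == "__main__":
    print(summarize_lockouts(SAMPLE_EXPORT, "jdoe"))
```

In the constructed data the 539 events come from the machine the user sits at, while the 529 events that caused the lockout come from a different workstation.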
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 17880453
If you delete her account, then yes her mailbox will go as well.  Create another account that is similar in every aspect except login name.  That is where Active Directory draws the line, the user's "distinguished name".

0
 

Author Comment

by:bigzippy
ID: 17880947
Firebar - thanks for the quick update - what next?  I know how to have the new account take possession of her profile, but what about her mailbox?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 17881179
You can import it via Outlook, or move it from Active Directory - User - Exchange Tasks

/F
0
 

Author Comment

by:bigzippy
ID: 17882413
OK - and if I then remove the first (corrupt) user, will it still delete the mailbox once I've transferred it?  i.e. can I create a profile called %user%Temp, transfer everything over, remove the %user% profile, recreate it and then transfer back from %user%Temp?

A
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17886084
You say you built a new box yesterday with a completely unique name... but

Did you add it to your server using the add-computer wizard?

Did you join it to the network using http://<servername>/connectcomputer?

Are you using the add-user wizard to add users to your Active Directory?

If not, you are probably using the wrong OUs for SBS to function properly.

Jeff
TechSoEasy
0
 

Author Comment

by:bigzippy
ID: 17886197
Hi Jeff,

I built a new box yesterday (actually, I didn't build it, someone else did, but...) here's the process I went through:

I added a computer with the name DESK012 to the SBS server.
I turned on the computer, and using IE went to http://<servername>/connectcomputer (I used our real servername) and followed the on-screen directions.
The computer restarted and it had its new name and was joined to our domain/AD...

I also have a process I follow for 'creating' new users that includes the add-user wizard from the console.  I added a new hire very recently and her roaming profile is peachy...

I could be HUGELY mistaken here, but I suspect that the issue is with the roaming profile rather than the specific machine.  I say this only because I know that accounts are able to successfully authenticate into AD on each of these boxes except for this particular one, which has problems on every box it logs into...

Does this make sense or am I off base here?

Thanks in advance!
A
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17886316
Well, it very well may be due to the roaming profile.  Please review the Roaming Profiles section of this document to be sure you've set things up correctly for SBS:  http://sbsurl.com/postinstall

Jeff
TechSoEasy
0
 

Author Comment

by:bigzippy
ID: 17886344
OK - I should also say that this profile has been working for 2 years and just recently stopped... Again, I suspect corruption and would love to know if there's a way to 'cleanse' a roaming profile...  I'll also try Firebar's suggestion and review the document that is referenced above...

Any further insights will be appreciated, but I will try the above and award points as the solution presents itself.

A
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 17896777
You can't 'cleanse' a roaming profile, you would need to rebuild it.  However, I think you're getting answers that you don't want because you are doing things in a manner which may be causing the problem to begin with.

If you are going to rebuild you should use EXMerge to export her mailbox to a .pst file which can then be imported back again with EXMerge.
http://www.msexchange.org/tutorials/ExMerge-Recover-Mailbox.html

You could also use XP's Files and Settings Transfer Wizard to save and restore her profile settings.

Jeff
TechSoEasy
0
 

Author Comment

by:bigzippy
ID: 17969121
I have successfully migrated the Exchange mailbox to another account using EXMerge.  Next, I'm going to create a new account for her, back up her My Documents data and transfer everything to that new account.

Thanks!
0
