bigzippy

Windows SBS 2003 Account Lockout

Hello Experts,

So here's the deal: One of the user profiles in our SBS environment is having trouble.  She's also the boss's wife.  And my mother.  I'm under a lot of pressure here ;-)

The trouble she's having is that whenever she logs in to the domain, she is immediately locked out of her shared drives (created by remote script) and her Exchange account won't launch into Outlook (gives her a user/pass login popup).  Even when entering the correct information, her account is still unavailable.

I'm stumped.  I've searched the boards up and down and can't quite find the solution I'm looking for.  The *closest* I think I got was a solution that suggested modifying the profile login script to remove all the shares.  I've done that and also deleted the NTUSER.dat files from the server share.  While it seems to have taken away all the shared drives, the same problems occur: she still can't use Outlook and she still can't look to the domain for resources and her account gets locked out again.

We recently had a hard drive meltdown and had to rebuild/ghost the RAID to a new set of drives, but she's the only user with these difficulties.

Thanks in advance!
AC
Jay_Jay70

Couple of troubleshooting points - I would check the DC's logs and see if there are any security failings from her machine. I would also reset the machine account and rejoin the domain.
bigzippy

ASKER

There are security issues in the logs based on her roaming profile... Also, it doesn't seem to matter where she logs in from.. I actually built a brand new box today, joined it to the n/w - still the same troubles, so I'm pretty sure it's not the box..
It sounds like her SID is corrupt.  Can you create a new user and redirect it to her share and mailbox?

/F
What's the sec error?
Did you use the connect computer wizard to join her in?
Jeffrey Kane - TechSoEasy
Has this only been tested on a single workstation?  If so, what happens if she logs into a different workstation (You might want to add her into the local administrators group on a different computer before testing this... so that there are NO differences compared to what SHOULD be expected).

If that works... then follow these steps to rejoin her primary computer to the network properly:

At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computer if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with its NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

Jeff
TechSoEasy
Sure are a lot of thoughts here... I'll address them each here:

Firebar: This was my first thought too.  However, is there a way to have this work so that it's transparent to the end user?  In other words, can she still keep her login name, e-mail address, etc?  Alternatively, if I remove her profile from the users section of the management console, does it delete her files and/or exchange mailbox?

Jay Jay70: The error in the logs is as follows -

###Begin###
Account Lockout (Event ID: 539)

An account was locked out due to multiple failed logon attempts that occurred in a short period of time. This may occur if an unauthorized user attempts to gain access to the network.

For more information about this event, see the event logs on the server computer.

You can disable this alert by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.

###end###

Jeff:
This is not unique to one machine, but rather happens across her roaming profile.  I actually built a brand new box yesterday and added her to it from scratch (completely unique name) - still the same errors.

Thanks!
A
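Following the suggestion above to check the DC's logs, and the Event ID 539 alert just quoted, this sketch (an added example, not part of the thread) tallies which machines produced the bad-password failures before a lockout and which keep retrying afterwards. The CSV layout, user name and host names are constructed assumptions; 529, 539 and 644 are the Windows Server 2003 security event IDs for bad password, logon against a locked account, and account lockout.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Windows Server 2003 security event IDs
BAD_PASSWORD = "529"   # logon failure: unknown user name or bad password
LOCKED_LOGON = "539"   # logon failure: account locked out
LOCKOUT = "644"        # user account locked out

# Constructed sample, not data from the thread. Assumed column layout of a
# CSV export of the DC Security log: time, event_id, user, workstation.
SAMPLE_EXPORT = """\
2006-03-01 07:00:00,529,mjones,WS-C
2006-03-01 08:01:10,528,asmith,WS-A
2006-03-01 08:02:00,529,mjones,SRV-FILE
2006-03-01 08:02:01,529,mjones,SRV-FILE
2006-03-01 08:02:02,529,mjones,WS-B
2006-03-01 08:02:03,529,mjones,SRV-FILE
2006-03-01 08:02:04,644,mjones,SRV-FILE
2006-03-01 08:02:09,539,mjones,WS-B
2006-03-01 08:02:15,539,mjones,SRV-FILE
"""

def load_events(text):
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:          # skip blank or malformed lines
            continue
        when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        events.append((when, row[1], row[2].lower(), row[3].upper()))
    return sorted(events)

def lockout_report(text, user, window=timedelta(minutes=30)):
    """For each lockout of `user`, count bad-password sources in the window
    before it and sources still retrying against the locked account after."""
    events = [e for e in load_events(text) if e[2] == user.lower()]
    report = []
    for when, event_id, _, _ in events:
        if event_id != LOCKOUT:
            continue
        before = Counter(h for t, i, _, h in events
                         if i == BAD_PASSWORD and when - window <= t <= when)
        after = Counter(h for t, i, _, h in events
                        if i == LOCKED_LOGON and when < t <= when + window)
        report.append({"locked_at": when, "bad_password_sources": before.most_common(),
                       "still_retrying": after.most_common()})
    return report
```

A host that dominates `bad_password_sources` and also appears under `still_retrying` is where to look for stored or stale credentials.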
If you delete her account, then yes her mailbox will go as well.  Create another account that is similar in every aspect except login name.  That is where active directory draws the line, the user's "distinguished name".

Firebar - thanks for the quick update - what next?  I know how to have the new account take possession of her profile, but what about her mailbox?
You can import it via Outlook, or move it from Active Directory - User - Exchange Tasks

/F
OK - and if I then remove the first (corrupt) user, will it still delete the mailbox once I've transferred it?  i.e. can I create a profile called %user%Temp, transfer everything over, remove the %user% profile, recreate it and then transfer back from %user%Temp?

A
You say you built a new box yesterday with a completely unique name... but

Did you add it to your server using the add-computer wizard?

Did you join it to the network using http://<servername>/connectcomputer?

Are you using the add-user wizard to add users to your Active Directory?

If not, you are probably using the wrong OU's for SBS to function properly.

Jeff
TechSoEasy
Hi Jeff,

I built a new box yesterday (actually, I didn't build it, someone else did, but...) here's the process I went through:

I added a computer with the name DESK012 to the SBS server.
I turned on the computer, and using IE went to http://<servername>/connectcomputer (I used our real servername) and followed the on-screen directions.
The computer restarted and it had its new name and was joined to our domain/AD...

I also have a process I follow for 'creating' new users that includes the add-user wizard from the console.  I added a new hire very recently and her roaming profile is peachy...

I could be HUGELY mistaken here, but I suspect that the issue is with the roaming profile rather than the specific machine.  I say this only because I know that accounts are able to successfully authenticate into AD on each of these boxes except for this particular one, which has problems on every box it logs into...

Does this make sense or am I off base here?

Thanks in advance!
A
Well, it very well may be due to the roaming profile.  Please review the Roaming Profiles section of this document to be sure you've set things up correctly for SBS:  http://sbsurl.com/postinstall

Jeff
TechSoEasy
OK - I should also say that this profile has been working for 2 years and just recently stopped... Again, I suspect corruption and would love to know if there's a way to 'cleanse' a roaming profile...  I'll also try Firebar's suggestion and review the document that is referenced above...

Any further insights will be appreciated, but I will try the above and award points as the solution presents itself.

A
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy
This solution is only available to members.
I have successfully migrated the exchange mailbox to another account using EXMerge.  Next, I'm going to create a new account for her, backup her My Documents Data and transfer everything to that new account.

Thanks!