Windows SBS 2003 Account Lockout

Hello Experts,

So here's the deal: One of the user profiles in our SBS environment is having trouble.  She's also the boss's wife.  And my mother.  I'm under a lot of pressure here ;-)

The trouble she's having is that whenever she logs in to the domain, she is immediately locked out of her shared drives (created by remote script) and her Exchange account won't launch into Outlook (gives her a user/pass login popup).  Even when entering the correct information, her account is still unavailable.

I'm stumped.  I've searched the boards up and down and can't quite find the solution I'm looking for.  The *closest* I think I got was a solution that suggested modifying the profile login script to remove all the shares.  I've done that and also deleted the NTUSER.dat files from the server share.  While it seems to have taken away all the shared drives, the same problems occur: she still can't use Outlook and she still can't look to the domain for resources and her account gets locked out again.

We recently had a hard drive meltdown and had to rebuild/ghost the RAID to a new set of drives, but she's the only user with these difficulties.

Thanks in advance!
AC
 
Jay_Jay70 Commented:
Couple of troubleshooting points - I would check the DC's logs and see if there are any security failings from her machine. I would also reset the machine account and rejoin the domain.
 
bigzippy (Author) Commented:
There are security issues in the logs based on her roaming profile... Also, it doesn't seem to matter where she logs in from.. I actually built a brand new box today, joined it to the n/w - still the same troubles, so I'm pretty sure it's not the box..
 
Jason Watkins (IT Project Leader) Commented:
It sounds like her SID is corrupt.  Can you create a new user and redirect it to her share and mailbox?

/F
 
Jay_Jay70 Commented:
What's the sec error?
Did you use the connect computer wizard to join her in?
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Has this only been tested on a single workstation?  If so, what happens if she logs into a different workstation (You might want to add her into the local administrators group on a different computer before testing this... so that there are NO differences compared to what SHOULD be expected).

If that works... then follow these steps to rejoin her primary computer to the network properly:

At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computer if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with its NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

Jeff
TechSoEasy
 
bigzippy (Author) Commented:
Sure are a lot of thoughts here... I'll address them each here:

Firebar: This was my first thought too.  However, is there a way to have this work so that it's transparent to the end user?  In other words, can she still keep her login name, e-mail address, etc?  Alternatively, if I remove her profile from the users section of the management console, does it delete her files and/or Exchange mailbox?

Jay Jay70: The error in the logs is as follows -

###Begin###
Account Lockout (Event ID: 539)

An account was locked out due to multiple failed logon attempts that occurred in a short period of time. This may occur if an unauthorized user attempts to gain access to the network.

For more information about this event, see the event logs on the server computer.

You can disable this alert by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.

###end###

Jeff:
This is not unique to one machine, but rather happens across her roaming profile.  I actually built a brand new box yesterday and added her to it from scratch (completely unique name) - still the same errors.

Thanks!
A
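
Added example (not part of the original thread): the alert quoted above only says that a lockout happened, while the individual failure events in the DC's Security log name the workstation and logon type each bad attempt came from. This sketch tallies the bad-password events (ID 529) that precede a user's first 539 event; the CSV layout, user names and machine names are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows, not taken from the thread. The column layout is an
# assumption about how the DC's Security log was exported.
SAMPLE_LOG = """time,event_id,user,workstation,logon_type
2007-03-05 08:01:10,529,jdoe,DESK-A,2
2007-03-05 08:01:12,529,jdoe,SRV-A,3
2007-03-05 08:01:13,529,jdoe,SRV-A,3
2007-03-05 08:01:14,529,jdoe,SRV-A,3
2007-03-05 08:01:15,529,jdoe,SRV-A,3
2007-03-05 08:01:16,539,jdoe,SRV-A,3
2007-03-05 08:03:40,529,asmith,DESK-B,2
2007-03-05 09:15:02,539,jdoe,DESK-A,2
"""

BAD_PASSWORD = "529"  # logon failure: unknown user name or bad password
LOCKED_OUT = "539"    # logon failure: account locked out (the ID in the alert)

def parse(text):
    """Read the exported rows and sort them by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["time"])

def lockout_sources(rows, user, window=timedelta(minutes=30)):
    """Tally the bad-password failures leading up to the user's first 539
    event, grouped by (workstation, logon type). Logon type 2 is an
    interactive logon, type 3 a network logon such as a mapped drive."""
    mine = [r for r in rows if r["user"].lower() == user.lower()]
    first_lock = next((r for r in mine if r["event_id"] == LOCKED_OUT), None)
    if first_lock is None:
        return Counter()
    start = first_lock["time"] - window
    return Counter(
        (r["workstation"], r["logon_type"])
        for r in mine
        if r["event_id"] == BAD_PASSWORD and start <= r["time"] <= first_lock["time"]
    )

if __name__ == "__main__":
    for (ws, lt), n in lockout_sources(parse(SAMPLE_LOG), "jdoe").most_common():
        print(f"{n} failed logons from {ws} (logon type {lt})")
```

A tally dominated by one machine and logon type points at what is presenting the stale credential, which narrows the search before any account is rebuilt.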
 
Jason Watkins (IT Project Leader) Commented:
If you delete her account, then yes her mailbox will go as well.  Create another account that is similar in every aspect except login name.  That is where active directory draws the line, the user's "distinguished name".

 
bigzippy (Author) Commented:
Firebar - thanks for the quick update - what next?  I know how to have the new account take possession of her profile, but what about her mailbox?
 
Jason Watkins (IT Project Leader) Commented:
You can import it via Outlook, or move it from Active Directory - User - Exchange Tasks

/F
 
bigzippy (Author) Commented:
OK - and if I then remove the first (corrupt) user, will it still delete the mailbox once I've transferred it?  i.e. can I create a profile called %user%Temp, transfer everything over, remove the %user% profile, recreate it and then transfer back from %user%Temp?

A
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
You say you built a new box yesterday with a completely unique name... but

Did you add it to your server using the add-computer wizard?

Did you join it to the network using http://<servername>/connectcomputer?

Are you using the add-user wizard to add users to your Active Directory?

If not, you are probably using the wrong OUs for SBS to function properly.

Jeff
TechSoEasy
 
bigzippy (Author) Commented:
Hi Jeff,

I built a new box yesterday (actually, I didn't build it, someone else did, but...) here's the process I went through:

I added a computer with the name DESK012 to the SBS server.
I turned on the computer, and using IE went to http://<servername>/connectcomputer (I used our real servername) and followed the on-screen directions.
The computer restarted and it had its new name and was joined to our domain/AD...

I also have a process I follow for 'creating' new users that includes the add-user wizard from the console.  I added a new hire very recently and her roaming profile is peachy...

I could be HUGELY mistaken here, but I suspect that the issue is with the roaming profile rather than the specific machine.  I say this only because I know that accounts are able to successfully authenticate into AD on each of these boxes except for this particular one, which has problems on every box it logs into...

Does this make sense or am I off base here?

Thanks in advance!
A
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Well, it very well may be due to the roaming profile.  Please review the Roaming Profiles section of this document to be sure you've set things up correctly for SBS:  http://sbsurl.com/postinstall

Jeff
TechSoEasy
 
bigzippy (Author) Commented:
OK - I should also say that this profile has been working for 2 years and just recently stopped... Again, I suspect corruption and would love to know if there's a way to 'cleanse' a roaming profile...  I'll also try Firebar's suggestion and review the document that is referenced above...

Any further insights will be appreciated, but I will try the above and award points as the solution presents itself.

A
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
You can't 'cleanse' a roaming profile, you would need to rebuild it.  However, I think you're getting answers that you don't want because you are doing things in a manner which may be causing the problem to begin with.

If you are going to rebuild you should use EXMerge to export her mailbox to a .pst file which can then be imported back again with EXMerge.
http://www.msexchange.org/tutorials/ExMerge-Recover-Mailbox.html

You could also use XP's Files and Settings Transfer Wizard to save and restore her profile settings.

Jeff
TechSoEasy
 
bigzippy (Author) Commented:
I have successfully migrated the Exchange mailbox to another account using EXMerge.  Next, I'm going to create a new account for her, back up her My Documents Data and transfer everything to that new account.

Thanks!