Solved

mysterious account lockouts

Posted on 2007-11-29
Last Modified: 2012-05-05
Let me first tell you what is NOT the problem: users mistyping or forgetting their passwords. The lockouts are happening while users are logged on. I will unlock a user, and a few minutes later, the account is locked again. The lockouts are happening in a single department (Customer Service) and only some of the users are getting locked out repeatedly. There are 15 people in the department, but only about 5 are being repeatedly locked out.

The first question I asked myself was what did I change? Recently, I installed a .NET based rate calculator app from UPS on all machines in the department. However, the problem did not immediately appear after I installed the app.  A few weeks before that, I upgraded both of my W2K3 Domain Controllers to SP2.

If it is the new app, I'd like some definitive proof that it is the cause before I remove it. If I can't find proof, then I guess my next step will be to uninstall the app on a couple of the PCs that are affected and see if the problem goes away.

More on the environment: I have a single domain with 2 domain controllers, running in 2003 mode. All clients in the Customer Service Department are running XP SP2. My print and file servers are running 2003 with a mix of SP1 and SP2. I have a 2003 SP1 SQL server running MSSQL 2000 STD SP3. I do not have Exchange.

What I have tried: I have installed Microsoft's ALockout.dll tool on several of the affected machines, as well as enabling netlogon debugging on those machines. I have also enabled netlogon debugging on both Domain Controllers. However, I am struggling with the interpretation of these logs.
Question by:porkerjoe
7 Comments
 
LVL 15

Accepted Solution

by:
JimboEfx earned 125 total points
ID: 20375189
I have recently come across this product but have not tried:

http://www.motivatesystems.com/Lockout_Inspector.asp
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 125 total points
ID: 20375191
This sort of thing is often a result of users setting up a scheduled task and supplying it with credentials and then subsequently changing their password, resulting in a task that keeps trying to run with the wrong password and the account gets locked.
 
LVL 1

Author Comment

by:porkerjoe
ID: 20375395
It is not the scheduled tasks - checked that already.

I will take a look at the Lockout Inspector tool - it looks like it is a full function 30-day trial. However, I don't think it will provide me the source of the lockout - only the IP address. I need to pin down what it is on the machine that is sending the credentials.

 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 125 total points
ID: 20375931
The most common cause is something which is supplying incorrect credentials. I have often seen users bringing their home laptops in, mapping drive letters and entering their domain credentials, then changing their domain password but not updating their laptop. This obviously means it will try to map the drive and you will get account lockouts. I doubt that is the case here though as it is only one department.

Look at any programs which may have domain credentials hard programmed. When did the affected users last change their passwords? It may be that the hard programmed credentials are incorrect.

-tigermatt
 
LVL 1

Author Comment

by:porkerjoe
ID: 20376536
The new app that I recently installed does not store domain credentials. I don't think I've introduced any other new apps...I also can't think of any apps that used stored credentials.

The user who was first experiencing difficulties and was the reason I discovered the issue - his password was changed on Nov 3. Issues did not start happening until around the 20th.

None of the PCs in question are laptops, and I have not seen any extra mapped drives that users configured themselves.

All users in the company have drives mapped by logon scripts. I did not think to mention this before, but it might be relevant.

 
LVL 3

Assisted Solution

by:l84work
l84work earned 125 total points
ID: 20390441
Rename the user account names.  If lock out continues, then you know it's not some type of cached credentials.
 
LVL 1

Author Comment

by:porkerjoe
ID: 20444670
It turned out to be that my two domain controllers had stopped replicating with each other. As soon as I corrected that and had the problem users change their passwords, the account lockouts went away.

Thanks to all who chimed in. I'll split the points between all contributors. The first person who has already posted who posts the following will get the nod for the correct answer:

Check Replication between your domain controllers.
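
An added example, not part of the thread or any poster's code: one way to read the Netlogon debug logs mentioned in the question, tallying failed logons per account, source machine and domain controller. The log line shape is assumed from typical netlogon.log output, and the sample lines, host names (DC01, DC02, CS-PC07, FILE01, PRINT01) and account are constructed.

```python
import re
from collections import Counter

# NTSTATUS values commonly seen in Netlogon debug logs during lockouts.
STATUS = {
    0xC000006A: "WRONG_PASSWORD",
    0xC0000234: "ACCOUNT_LOCKED_OUT",
    0xC0000064: "NO_SUCH_USER",
}

# Assumed shape: MM/DD HH:MM:SS [LOGON] DOM: SamLogon: <type> logon of DOM\user from HOST (via RELAY) Returns 0x...
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\](?: \[\d+\])? .*?"
    r"logon of (?P<account>\S+) from (?P<source>\S*) "
    r"(?:\(via (?P<via>[^)]+)\) )?Returns (?P<status>0x[0-9A-Fa-f]+)"
)

def failures(log_text, dc):
    """Yield one dict per failed logon recorded in one DC's netlogon.log."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        code = int(m["status"], 16) if m else 0
        if code == 0:
            continue  # skip 'Entered' lines, other subsystems and successes
        yield {"dc": dc, "ts": m["ts"], "account": m["account"].lower(),
               "source": m["source"] or "(blank)", "via": m["via"],
               "status": STATUS.get(code, f"0x{code:08X}")}

def summarize(logs_by_dc):
    """Count failures per (account, source, dc, status) across all DC logs."""
    tally = Counter()
    for dc, text in logs_by_dc.items():
        for f in failures(text, dc):
            tally[(f["account"], f["source"], f["dc"], f["status"])] += 1
    return tally

# Constructed sample lines; every name in them is made up for illustration.
SAMPLE = {
    "DC01": r"""11/29 09:14:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\asmith from CS-PC07 (via FILE01) Entered
11/29 09:14:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\asmith from CS-PC07 (via FILE01) Returns 0x0""",
    "DC02": r"""11/29 09:14:05 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\asmith from CS-PC07 (via FILE01) Returns 0xC000006A
11/29 09:14:09 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\asmith from CS-PC07 (via PRINT01) Returns 0xC000006A
11/29 09:14:12 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\asmith from CS-PC07 (via FILE01) Returns 0xC0000234
11/29 09:15:40 [MISC] DsGetDcName function called: Dom:CORP""",
}

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

When the failures for an account pile up on one DC while the other DC accepts the same logons, that is a cue to check replication between the DCs, which is what resolved this thread.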