Solved

mysterious account lockouts

Posted on 2007-11-29
7
371 Views
Last Modified: 2012-05-05
Let me first tell you what is NOT the problem: users mistyping or forgetting their passwords. The lockouts are happening while users are logged on. I will unlock a user, and a few minutes later, the account is locked again. The lockouts are happening in a single department (Customer Service) and only some of the users are getting locked out repeatedly. There are 15 people in the department, but only about 5 are being repeatedly locked out.

The first question I asked myself was what did I change? Recently, I installed a .NET based rate calculator app from UPS on all machines in the department. However, the problem did not immediately appear after I installed the app.  A few weeks before that, I upgraded both of my W2K3 Domain Controllers to SP2.

If it is the new app, I'd like some definitive proof that it is the cause before I remove it. If I can't find proof, then i guess my next step will be to uninstall the app on a couple of the PCs that are affected and see if the problem goes away.

More on the environment: I have a single domain with 2 domain controllers, running in 2003 mode. All clients in the Customer Service Department are running XP SP2. My print and file servers are running 2003 with a mix of SP1 and SP2. I have a 2003 SP1 SQL server running MSSQL 2000 STD SP3. I do not have Exchange.

What I have tried: I have installed Mcrosoft's ALockout.dll tool on several of the affected machines, as well as enabling netlogon debugging on those machines. I have also enabled netlogon debugging on both Domain Controllers. However, I am struggling with the interpretation of these logs.
0
Comment
Question by:porkerjoe
7 Comments
 
LVL 15

Accepted Solution

by:
JimboEfx earned 125 total points
Comment Utility
I have recently come across this product but have not tried:

http://www.motivatesystems.com/Lockout_Inspector.asp
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 125 total points
Comment Utility
This sort of thing is often a result to users setting up a scheduled task and supplying it with credentials and then subsequently changing their password,  resulting in a task that keeps trying to  run with the wrong password and the account gets locked
0
 
LVL 1

Author Comment

by:porkerjoe
Comment Utility
It is not the scheduled tasks - checked that already.

I will take a look at the Lockout Inspector tool - it looks like it is a full function 30-day trial. However, I don't think it will provide me the source of the lockout - only the IP address. I need to pin down what it is on the machine that is sending the credentials.
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 125 total points
Comment Utility
The most common cause is something which is supplying incorrect credentials. I have often seen users bringing their home laptops in, mapping drive letters and entering their domain credentials, then changing their domain password but not updating their laptop. This obviously means it will try to map the drive and you will get account lockouts. I doubt that is the case here though as it is only one department.

Look at any programs which may have domain credentials hard programmed. When did the affected users last change their passwords, it may be that the hard programmed credentials are incorrect?

-tigermatt
0
 
LVL 1

Author Comment

by:porkerjoe
Comment Utility
The new app that I recently installed does not store domain credentials. I don't think I've introduced any other new apps...I also can't think of any apps that used stored credentials.

The user who was first experiencing difficulties and was the reason I discovered the issue - his password was changed on Nov 3. Issues did not start happening until around the 20th.

None of the PCs in question are laptops, and I have not seen any extra mapped drives that users configured themselves.

All users in the company have drives mapped by logon scripts. I did not think to mention this before, but it might be relevant.

0
 
LVL 3

Assisted Solution

by:l84work
l84work earned 125 total points
Comment Utility
Rename the user account names.  If lock out continues, then you know it's not some type of cached credentials.
0
 
LVL 1

Author Comment

by:porkerjoe
Comment Utility
It turned out to be that my two domain controllers had stopped replicating with each other. As soon as I corrected that and had the problem users change their passwords, the account lockouts went away.

Thanks to all who chimed in. I'll split the points between all contributors. The first person who has already posted who posts the following will get the nod for the correct answer:

Check Replication between your domain contollers.
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now