?
Solved

User accounts "locked"

Posted on 2009-04-03
3
Medium Priority
?
381 Views
Last Modified: 2012-06-27
I have my LAN Domain, and my DMZ Domain separated via firewall. There is a terminal server in the DMZ, accessible via the Internet, and the LAN. When users in the LAN connect via RDP to the Terminal Server in the DMZ, they must use there user account in the DMZ, as there is no domain trust between LAN and DMZ domains. Users can also map a network drive from there LAN PC's to the server share in the DMZ, again, using there DMZ credentials to connect.

Problem:
LAN users that connect to the Terminal Server, are consistently finding that their user accounts are locked out. I have other users that use servers in the DMZ domain (Sharepoint), and none of them have this problem. Why are the Terminal Server user accounts being locked out so frequently?

Is it that the users are simply forgetting their passwords, or does it have something to do with the combination of using Remote Desktop, and mapping a network drive to the same server? If a drive is mapped from the LAN to a server in the DMZ, will Windows Explorer try to verify the directory and attempt a logon, each time they open "My Computer" ?

Any ideas or suggestions are appreciated.
0
Comment
Question by:mahjohn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 9

Accepted Solution

by:
cmorffew earned 2000 total points
ID: 24065390
0
 
LVL 14

Expert Comment

by:top_rung
ID: 24065418
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24067543
Check the event logs on the DC for failed logon attempts for the users being locked out. The event log will give you a logon type number - this will help you identify the type of logon that is failing.
See here for the type codes: http://www.windowsecurity.com/articles/Logon-Types.html
For example - if you see a lot of failed logons with type 3, it's likely that it's bad credentials being use to map to a shared drive. It's worth checking cached credentials on the users' machines (Control Panel | User Accounts | Advanced | Manage passwords) - you can clear the cache if you think it's holding bad credentials.
In answer to your question about the mappings, yes, each time you try to connect to a share, a logon is attempted. Depending on how the drive is mapped originally, you'll either be using the credentials of the currently logged on user, or alternate credentials can be specified when the drive is originally mapped - if this is the case it could be that these are now out of date.
I don't think the fact that they are using RDP will have any bearing on why it's failing though...
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses
Course of the Month10 days, 11 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question