Solved

AD user account lockout when making VPN connection from Vista PC

Posted on 2009-07-10
Last Modified: 2012-05-07
Hi,

We are in the process of upgrading our laptops/desktops to Windows Vista and I have now installed the first Vista laptop (name COMP-PC1). This laptop has an admin account and a roaming profile for my domain account (COMPDOM\myaccount).

Whenever a VPN connection is made from that laptop to our network (using aXsGuard VPN), my domain account gets locked out. I enabled netlogon logging as suggested in many solutions to this problem, and I am 100% sure that it is this one Vista laptop that is causing the problem.

This is what I get in netlogon.log:
07/10 11:40:05 [LOGON] COMPDOM: SamLogon: Network logon of COMP-PC1\myaccount from COMP-PC1 Entered
07/10 11:40:05 [LOGON] COMPDOM: NlPickDomainWithAccount: COMP-PC1\myaccount: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
07/10 11:40:05 [LOGON] COMPDOM: SamLogon: Network logon of COMP-PC1\myaccount from COMP-PC1 Returns 0xC000006A

The strange thing is that the user account is COMP-PC1\myaccount, which does not exist as an account on the laptop. This account "myaccount" is an AD user account in domain COMP.

So I am 100% sure that the Vista laptop is causing the problem, but how do I proceed to find which software is sending the wrong user account/password?

This laptop was installed using the admin account, and I am 99,99% sure that no services use myaccount. After all setup was done, I logged in with myaccount to get the roaming profile. This logon process maps some network drives using the account that logs in (these drive mappings are not persistent), but I don't think this should be the cause of the problem, as this lockout happens when logged in as admin on the laptop (and user myaccount is not logged in at that moment).


Kind regards,

Patrick Elsen
Question by:bemsofpe
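
As an added example (not part of the original question or answer), this Python sketch triages netlogon.log lines like the ones quoted in the question: it keeps only failed SamLogon results, groups them by source workstation, and flags names qualified with the client's own machine name. The function names are illustrative, the line format is assumed to match the log in the post, and the last two sample lines are constructed.

```python
import re
from collections import Counter

# NTSTATUS values that matter for lockout triage.
STATUS = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Only the "Returns" line of a SamLogon entry carries a status code.
RETURNS = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] [^:]+: SamLogon: "
    r".+? logon of (?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via \S+\))? Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

def parse_failures(lines):
    """Return one dict per failed SamLogon (non-zero status)."""
    events = []
    for line in lines:
        m = RETURNS.match(line.strip())
        if not m or int(m["status"], 16) == 0:
            continue
        code = int(m["status"], 16)
        qualifier, _, user = m["account"].rpartition("\\")
        events.append({
            "time": m["ts"], "user": user, "source": m["source"],
            "status": STATUS.get(code, hex(code)),
            # True when the name is qualified with the client's machine name.
            "machine_qualified": qualifier.upper() == m["source"].upper(),
        })
    return events

def failures_by_source(events):
    return Counter((e["source"], e["user"], e["status"]) for e in events)

# First three lines are from the post; the last two are constructed.
SAMPLE = [
    r"07/10 11:40:05 [LOGON] COMPDOM: SamLogon: Network logon of COMP-PC1\myaccount from COMP-PC1 Entered",
    r"07/10 11:40:05 [LOGON] COMPDOM: NlPickDomainWithAccount: COMP-PC1\myaccount: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0",
    r"07/10 11:40:05 [LOGON] COMPDOM: SamLogon: Network logon of COMP-PC1\myaccount from COMP-PC1 Returns 0xC000006A",
    r"07/10 11:40:09 [LOGON] COMPDOM: SamLogon: Network logon of COMP-PC1\myaccount from COMP-PC1 Returns 0xC000006A",
    r"07/10 11:41:10 [LOGON] COMPDOM: SamLogon: Network logon of COMPDOM\otheruser from COMP-PC2 Returns 0x0",
]

if __name__ == "__main__":
    for key, n in failures_by_source(parse_failures(SAMPLE)).most_common():
        print(n, *key)
```
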
Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 24829699
The logon process mapping the drives is the cause of your problem as it will have remembered the username / password used (in this case the myaccount one).
For testing purposes - can you stop the drive mapping from occurring when logging on and if your account does not get locked out - you know where the problem lies.
What you can do to resolve the problem is to delete the mappings from the client (net use * /delete /y)
then manually map the drives and force the username and password:
net use x: \\computer\share /user:domain\username password /persistent:yes - you can leave the persistent if you don't want it and obviously substitute the drive letter, computername, share name, domain, username and password.
Repeat this for all mapped drives and then log off, log on again using the logon script and the lockout should stop happening.
Question has a verified solution.
