Users keep getting locked out

I had a 2003 domain with 2 DCs, one 2003 terminal server, one 2003 Exchange Standard, another 2003 member server and two 2008 member servers. I installed two new 2008 servers and ran dcpromo (did all the AD prep) and transferred all roles from the 2003 DC to the 2008 DC, and removed one of the 2003 DCs. I also removed DNS from the 2003 DC and just have it on the two 2008 DCs. I then installed a 2008 Enterprise server with Exchange 2010 Enterprise; I still have the 2003 Exchange with a few users on it. I now have users being locked out, and I have remote users being locked out when connecting to the 2003 terminal server. Some users keep having the problem a few times a day and others have the problem every now and then. The users that are locked out are on Windows XP SP3; I have a few Windows 7 computers and these users have no problem.
I have no events about lockouts. I had a password policy but got rid of it, and two weeks later I still have the problem.
I have used the Alockstatus tool, and when I check a locked out user it will show my 3 DCs and show bad for each server, and it will also show that user password policy that I had but no longer have.
jgajmaAsked:
arnoldCommented:
You need to determine the cause for the lockout.
A tool to help you with that:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

Does the remote user resume a long running session while at the same time the user has changed their password within the initial login?

i.e. usera logs into terminal server and disconnects versus logs off from the session.
Days later usera logs in and is prompted based on password change policy that their password will expire in X number of days, or the password has expired and they must change the password.  Did the user change the password and once logged in, switches to the prior active session?

In this case as soon as usera switches to the long running session, the credentials that session has are no longer valid and will lockout the account on any attempt the user makes to access shared resources or any application/tool the user uses that makes authentication attempts to the DC.

One option, once the user resumes the session, is to change their password yet again. The other option is to close the long running session.
0
e_aravindCommented:
In your case if IIS7.0 is involved then....
FIX: You receive the error message "HTTP Error 401.1 - Unauthorized" sooner than expected when you try to log on to an IIS 7.0 Web site by using invalid credentials
http://support.microsoft.com/kb/981280
0
jgajmaAuthor Commented:
Users log off TS correctly; the problem happens mostly with users in the office, and they are not using TS.
They will lose access to shared files, or if they log off, when they log on again they do not have access to the shared folders and files. If I use the lockoutstatus tool it will show my two DCs, and under Bad password count it will show 3 for one DC and 2 for the other DC, and the user has not used a bad password.
0
jgajmaAuthor Commented:
I have used the altool.exe, here is a log file

Thu Dec 15 14:59:55 2011, PID:  4032, Thread:  4036, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:00:53 2011, PID:   976, Thread:   980, Image winlogon.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:00:54 2011, PID:  1032, Thread:  1036, Image C:\WINDOWS\system32\lsass.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:00:54 2011, PID:  1020, Thread:  1024, Image C:\WINDOWS\system32\services.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:00:54 2011, PID:  1252, Thread:  1256, Image C:\WINDOWS\system32\svchost,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:00:54 2011, PID:  1316, Thread:  1320, Image C:\WINDOWS\system32\svchost,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:00:54 2011, PID:  1440, Thread:  1444, Image C:\WINDOWS\System32\svchost.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:00:54 2011, PID:  1592, Thread:  1596, Image C:\WINDOWS\system32\svchost.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:00:54 2011, PID:  1688, Thread:  1692, Image C:\WINDOWS\system32\svchost.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:00:55 2011, PID:  1820, Thread:  1824, Image C:\WINDOWS\system32\spoolsv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:03 2011, PID:  1952, Thread:  1956, Image C:\WINDOWS\system32\svchost.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:04 2011, PID:   276, Thread:   292, Image c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:07 2011, PID:   340, Thread:   352, Image C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:07 2011, PID:   460, Thread:   464, Image C:\WINDOWS\system32\svchost.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:07 2011, PID:   732, Thread:   736, Image C:\WINDOWS\system32\fxssvc.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:07 2011, PID:   796, Thread:   808, Image C:\WINDOWS\system32\wuauclt.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:07 2011, PID:   820, Thread:   824, Image C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:10 2011, PID:  2032, Thread:  2036, Image C:\Program Files\Trend Micro\Client Server Security Agent\ncfg.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:10 2011, PID:  2032, Thread:  2036, Image C:\Program Files\Trend Micro\Client Server Security Agent\ncfg.exe,ALOCKOUT.DLL - dll_process_detatch
Thu Dec 15 15:01:13 2011, PID:  1440, Thread:   776, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Thu Dec 15 15:01:13 2011, PID:  1252, Thread:  1300, Image C:\WINDOWS\system32\svchost,***StartServiceW Failed!*** (0), Service: Service: Windows Management Instrumentation (C:\WINDOWS\system32\svchost.exe -k netsvcs), RC was: The operation completed successfully.   (0), GLE was: An instance of the service is already running.   (1056)
Thu Dec 15 15:01:13 2011, PID:  1440, Thread:   776, Image C:\WINDOWS\System32\svchost.exe,* Service Failure - See System Log for Details (ID: 7000) *
Thu Dec 15 15:01:13 2011, PID:  1440, Thread:   776, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Thu Dec 15 15:01:13 2011, PID:  1440, Thread:   776, Image C:\WINDOWS\System32\svchost.exe,***StartServiceW Failed!*** (0), Service: Failed to get Service name, RC was: The operation completed successfully.   (0), GLE was: An instance of the service is already running.   (1056)
Thu Dec 15 15:01:13 2011, PID:   732, Thread:   736, Image C:\WINDOWS\system32\fxssvc.exe,ALOCKOUT.DLL - dll_process_detatch
Thu Dec 15 15:01:13 2011, PID:  1440, Thread:   776, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Thu Dec 15 15:01:13 2011, PID:  1440, Thread:   776, Image C:\WINDOWS\System32\svchost.exe,* Service Failure - See System Log for Details (ID: 7000) *
Thu Dec 15 15:01:13 2011, PID:  1440, Thread:   776, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Thu Dec 15 15:01:14 2011, PID:  1440, Thread:   776, Image C:\WINDOWS\System32\svchost.exe,***StartServiceW Failed!*** (0), Service: Failed to get Service name, RC was: Incorrect function.   (1), GLE was: The operation completed successfully.   (0)
Thu Dec 15 15:01:18 2011, PID:  1272, Thread:   876, Image \\arc-middlesex.org\SysVol\arc-middlesex.org\Policies\{BF8B69DD-34A3-424A-BE2C-11B9FEA63D9C}\Machine\Scripts\Startup\PushPrinterConnections.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:19 2011, PID:   736, Thread:   732, Image C:\WINDOWS\system32\wbem\wmiprvse.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:25 2011, PID:  2240, Thread:  2272, Image C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:28 2011, PID:  1272, Thread:   876, Image \\arc-middlesex.org\SysVol\arc-middlesex.org\Policies\{BF8B69DD-34A3-424A-BE2C-11B9FEA63D9C}\Machine\Scripts\Startup\PushPrinterConnections.exe,ALOCKOUT.DLL - dll_process_detatch
Thu Dec 15 15:01:29 2011, PID:   340, Thread:   396, Image C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe,***StartServiceW Failed!*** (0), Service: Service: Trend Micro Unauthorized Change Prevention Service ("C:\Program Files\Trend Micro\Client Server Security Agent\..\BM\TMBMSRV.exe" /service), RC was: Incorrect function.   (1), GLE was: The operation completed successfully.   (0)
Thu Dec 15 15:01:50 2011, PID:   976, Thread:  1096, Image winlogon.exe,***StartServiceW Failed!*** (0), Service: Failed to get Service name, RC was: Incorrect function.   (1), GLE was: The operation completed successfully.   (0)
Thu Dec 15 15:01:51 2011, PID:  3344, Thread:  3348, Image C:\WINDOWS\system32\WgaTray.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:53 2011, PID:  3512, Thread:  3516, Image C:\WINDOWS\system32\wbem\wmiprvse.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:56 2011, PID:  3344, Thread:  3348, Image C:\WINDOWS\system32\WgaTray.exe,ALOCKOUT.DLL - dll_process_detatch
Thu Dec 15 15:01:59 2011, PID:  3628, Thread:  3632, Image C:\WINDOWS\Explorer.EXE,UserName: mis, Computer Name: ARC-D9LCVDF1, Version: Microsoft Windows XP Professional ,Logon Server: \\ARC1 - ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:01 2011, PID:  3756, Thread:  3760, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:01 2011, PID:  3788, Thread:  3792, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:01 2011, PID:  3880, Thread:  3884, Image C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:02 2011, PID:  3912, Thread:  3916, Image C:\WINDOWS\system32\mobsync.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:03 2011, PID:  3948, Thread:  3952, Image C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:03 2011, PID:  3896, Thread:  3900, Image C:\Program Files\Analog Devices\Core\smax4pnp.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:03 2011, PID:   324, Thread:   372, Image C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:04 2011, PID:   324, Thread:   372, Image C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe,ALOCKOUT.DLL - dll_process_detatch
Thu Dec 15 15:02:04 2011, PID:   432, Thread:   512, Image C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:04 2011, PID:   904, Thread:  1532, Image C:\WINDOWS\system32\imapi.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:05 2011, PID:  1252, Thread:  1300, Image C:\WINDOWS\system32\svchost,***StartServiceW Failed!*** (0), Service: Service: IMAPI CD-Burning COM Service (C:\WINDOWS\system32\imapi.exe), RC was: Incorrect function.   (1), GLE was: The operation completed successfully.   (0)
Thu Dec 15 15:02:05 2011, PID:   432, Thread:   512, Image C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe,ALOCKOUT.DLL - dll_process_detatch
Thu Dec 15 15:02:08 2011, PID:  3912, Thread:  3916, Image C:\WINDOWS\system32\mobsync.exe,ALOCKOUT.DLL - dll_process_detatch
Thu Dec 15 15:02:10 2011, PID:  2116, Thread:  2120, Image C:\WINDOWS\system32\wuauclt.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:12 2011, PID:  2156, Thread:  2160, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:12 2011, PID:  2224, Thread:  2228, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:12 2011, PID:   904, Thread:  1532, Image C:\WINDOWS\system32\imapi.exe,ALOCKOUT.DLL - dll_process_detatch
Thu Dec 15 15:02:13 2011, PID:  1876, Thread:  2300, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:02:14 2011, PID:  2360, Thread:   956, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
0
e_aravindCommented:
IMO, Microsoft recommends a value of 10 for the account lockout

Reference:
Configuring Account Lockout
http://technet.microsoft.com/en-us/library/cc737614(WS.10).aspx

Troubleshooting Account Lockout
http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
Refer: Common Causes for Account Lockouts
0
arnoldCommented:
Are the TS profile and the workstation profile one and the same, or does the user have a separate terminal service profile with folder redirection?

The issue is that the terminal server and the workstations write into the ntuser file which messes it up i.e. it has server related entries for the hkcurrent user and workstation related stuff.

It is best to separate the profiles between/among the platforms.

Did you isolate, based on the security event log entries, which system the failed login/logout resource access events are coming from?
Is it from the terminal server or is it from the workstation or workstations?

Is there any possibility that this user's account is/was being used as a service?
0
jgajmaAuthor Commented:
TS profiles are different; this is also happening with users that do not use TS and have no TS profile. Also, I removed my password policy 3 weeks ago and the servers have been rebooted. No user accounts are used as a service.
0
arnoldCommented:
Account lockouts occur often because there are saved credentials that are different than the user's current account.
Have all users change/update their password.
And see if that fixes the issue.
Do the users have the password never expires option selected?

Use GPMC to see whether your password policy is off or simply applies from the default domain policy.
0
jgajmaAuthor Commented:
Yes, the users that have the problem have been set to password never expires; I did this to see if anything would change, but that did not make a difference. This problem started after I upgraded to a Windows 2008 domain. I had a GPO for a password policy; I also removed the password policy.
And I removed the last 2003 domain controller using dcpromo and I have shut down the server, and I still have the problem.
0
arnoldCommented:
Just to be clear, the password was set to conform with the password expiration policy.
You've since made the adjustment.
Use the lockout tool to determine the source of the requests that the DC is seeing which leads to the account lockout.

Removing systems does not resolve the issue unless the system you remove is the one causing the lockout issues.
Can you check each of these users' keymgr.dll (control keymgr.dll) to make sure they do not have saved credentials for various shares?

First you must determine the source of the requests that lead to the issue.
This could be that you have an internal web site that should not but does use integrated authentication, while the users have saved credentials for the site which was not using integrated authentication before.
Check IIS 7.x and disable integrated auth if unneeded and if not used.

0
jgajmaAuthor Commented:
I have checked to users keymgr.dll and they have no saved credentials, and shares have no saved credential.
0
arnoldCommented:
What about the cause the user is being locked out and the source of the requests that lead to the lockout?
Lockoutstatus will tell you which DC system locked the account.

Using EventCombMT, look in the security event log for failure audit, event 675, Security as the source.
Comb through the DCs.
Then look at the results from the system that locked the account and see where the failed requests are coming from. ALTool, once extracted, has a pair of zip files; once the DLL is registered on the offending system, you can further isolate the cause.

I've not seen these options for a windows 7 system.

But determining the source of the requests will narrow the issue to possibly a few workstations versus every workstation.

Pick one and check for virus etc.
0
jgajmaAuthor Commented:
Another issue I have, which may be related, is that other users lose their connection:
they will be working and Outlook will start asking for a password and they can't connect to network shares, but when this happens they can ping any server or computer on the network.
0
arnoldCommented:
The server/s where the shares are might have stale sessions, or if you have multiple DCs, your DCs might be out of sync.

Were you able to determine which DC is locking the user accounts?

dcdiag
0
jgajmaAuthor Commented:
Both DCs are locking out the accounts. If you look back at one of my posts from 12/21/11, I posted the log file from the altool from one of the computers that are locked out; I do not see anything in this file as to why. And the only thing in the event logs on the workstation when this happens is RAS man errors.

Also, I have a new problem: today some of the users that get locked out could not log on. They would get the following error: there is no trust relationship between this workstation and the domain controller. I am able to log on as Admin, so I removed the workstation from the domain, then rebooted and made sure the computer account was removed, then I added the computer into the domain and they are able to log on.
0
arnoldCommented:
In the log you posted you have several service startup failures.

What is the event that leads to the lockout which can only be seen in the security event log on the DCs?

Can you match the events in the DC's security log with the information from the account lockout data from the system to see what it was doing at the time?
I.e. what was being attempted on the workstation/system when the login attempts were being sent to the DCs?

What type of login type 2,32,4, etc.?

Interactive/network
http://www.windowsecurity.com/articles/logon-types.html

Does each user have its own sql instance?

0
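One way to do the matching described in the comment above, shown as an added example that is not code from any poster in this thread: parse log lines in the format posted earlier and list what the workstation recorded in the window leading up to a lockout. The lockout time and the 30-second window are constructed values, the function names are hypothetical, and the workstation and DC clocks are assumed to be in sync.

```python
import re
from datetime import datetime, timedelta

# Format of the log posted above: "<ctime>, PID: n, Thread: n, Image <path>,<message>"
LINE_RE = re.compile(
    r"^(?P<ts>[^,]+), PID:\s*(?P<pid>\d+), Thread:\s*(?P<tid>\d+), Image (?P<rest>.*)$"
)

# Lines excerpted from the log posted in this thread.
SAMPLE_LOG = r"""
Thu Dec 15 15:01:07 2011, PID:   340, Thread:   352, Image C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Dec 15 15:01:13 2011, PID:  1440, Thread:   776, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Thu Dec 15 15:01:13 2011, PID:  1440, Thread:   776, Image C:\WINDOWS\System32\svchost.exe,* Service Failure - See System Log for Details (ID: 7000) *
Thu Dec 15 15:01:50 2011, PID:   976, Thread:  1096, Image winlogon.exe,***StartServiceW Failed!*** (0), Service: Failed to get Service name, RC was: Incorrect function.   (1), GLE was: The operation completed successfully.   (0)
Thu Dec 15 15:02:05 2011, PID:  1252, Thread:  1300, Image C:\WINDOWS\system32\svchost,***StartServiceW Failed!*** (0), Service: Service: IMAPI CD-Burning COM Service (C:\WINDOWS\system32\imapi.exe), RC was: Incorrect function.   (1), GLE was: The operation completed successfully.   (0)
Thu Dec 15 15:02:10 2011, PID:  2116, Thread:  2120, Image C:\WINDOWS\system32\wuauclt.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
"""

# Constructed value: stands in for the timestamp of a lockout event read from the DC.
LOCKOUT_TIME = datetime(2011, 12, 15, 15, 2, 6)


def parse_alockout(text):
    """Return one dict per well-formed log line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # The image path ends at the first comma; the rest is the message.
        image, _, message = m["rest"].partition(",")
        events.append({
            "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "pid": int(m["pid"]),
            "image": image,
            "message": message.strip(),
        })
    return events


def is_noise(message):
    """DLL attach/detach records and asterisk banners say nothing about activity."""
    if message.strip("* ") == "":
        return True
    return message.upper().endswith(("DLL_PROCESS_ATTACH", "DLL_PROCESS_DETATCH"))


def activity_before(events, lockout_time, window_seconds=30):
    """Entries logged in the window leading up to the lockout, noise removed."""
    start = lockout_time - timedelta(seconds=window_seconds)
    return [e for e in events
            if start <= e["time"] <= lockout_time and not is_noise(e["message"])]


if __name__ == "__main__":
    for e in activity_before(parse_alockout(SAMPLE_LOG), LOCKOUT_TIME):
        print(e["time"], e["pid"], e["image"], "|", e["message"][:70])
```
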
jgajmaAuthor Commented:
The only thing the DC security log tells me is the account was locked.
0
arnoldCommented:
Do you have login/logout events in the security log on the DC, event ID 675?
Do you have Failed Audit events dealing with login/logout?
Before the lockout there have to be login/logout events that detail the username, logon type, source of the request, and what is being accessed if this is not an interactive login but an issue with accessing a resource where the credentials provided on behalf of the user are wrong.
0
jgajmaAuthor Commented:
All I get is event 4740, user account locked; it does not say which account, but the time stamp is the same as in account lockstatus.
0
arnoldCommented:
Do you have login/logout auditing enabled?
Do you have 528, 538, 540, etc. events in the security log on the DCs? They show when a user login and the type is attempted, which includes the source of the request, such that using this information you can narrow the issue down to a system.

http://www.tomshardware.com/forum/225555-46-auditing-user-logon-logoff-events

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740
4767 when account unlocks.
0
jgajmaAuthor Commented:
Yes I have login/logout auditing enabled, the only event I get is the 4767
0
arnoldCommented:
4767 is the lockout event, you have to have on the DC's the events that deal with login/logout requests 538,528,etc.
Do you have any failed security events login/logout on the DCs?
0
jgajmaAuthor Commented:
No, I do not have any 538, 528, etc.
0
arnoldCommented:
This is part of the Auditing policy. Do you have login/logout success/failure options?


http://blogs.msdn.com/b/ericfitz/archive/2008/08/20/tracking-user-logon-activity-using-logon-events.aspx

Look for 4624/4634; I kept going back to pre-Win2k8 event IDs.
0
