2 users getting locked out repeatedly

[Jeff Ferrell]

Greetings all,

I have a strange situation. I have 2 users only of about
75 that keep getting their accounted locked out. Happens
every day, typically after 4-5 hours of working atleast
or so it seems. They don't have bad password attempts, I
have tried to reset the account, expire the pwd and
change it, then the user would create a new password and
the following day at some point, while working, it would
lock her account.

It is a Win2000 network, 3 DC's, 1 of which is across a
T1 link. Both users are in the same OU. No one else in
that OU has issues, nor across the entire organization. 2
servers including the PDC are at SP4, the one across the
WAN link is at SP3. One person is typically only at one
computer while the other is often at 2 at the same time.

Any ideas what could be going on? The event logs seem
fine, no errors. She also mentioned this all started up 2
months ago after her password had expired.

As I type this, she mentioned it locked her out. I
searched the entire Event Viewer logs and only found her
account referenced for printing. This time she did
deliberatly put her password wrong 1 time, with 5 being
the point before lock out.

 

[Herb Martin]

Greetings all,

I have a strange situation. I have 2 users only of about
75 that keep getting their accounted locked out. Happens
every day, typically after 4-5 hours of working atleast
or so it seems. They don't have bad password attempts, I
have tried to reset the account, expire the pwd and
change it, then the user would create a new password and
the following day at some point, while working, it would
lock her account.

Other than the obvious (they're bad typists, or worse) then
perhaps they each have something running which is automated
with a "hard coded" (and wrong) password, or someone is
trying to hack their accounts.

Do you have logging on? "Account Logon Auditing"
Can you get their cooperation to record time\date of each
actual logon, # of attempts (keep it simple so they will do it.)

 

[Tomasz Onyszko]

Any ideas what could be going on? The event logs seem
fine, no errors. She also mentioned this all started up 2
months ago after her password had expired.

Check applications running on this users box'es - maybe some application
has a misspelled password entered and is locking out Your accounts.

OR somebody tries to break the passwords of this users with dictionary
or brute force method.

 

[Joe Richards [MVP]]

They may not be typing bad passwords but they are being sent. Look at the
badPwdCount attribute for the users on all of the DCs. You will probably see one
DC and the PDC with the value around the lockout policy amount.

Go to the non-PDC and dump the security event log and look for bad password
events. Of course this assumes you have bad logon attempts being logged, If you
don't, turn it on. That should tell you what machine is sending the bad
attempts. Then you start going over that machine with a fine tooth comb.

 

[serverguy]

Most likely the users are logged into other workstations or servers
unknowingly, so when they changed their passwords, those other workstations
can no longer authenticate them and locks em instead. The DC security log
should tell you where the login failures are coming from, just reboot those
machines when you find them. There is also a package called ALTools you can
download from MS that can be used to diagnose account lockouts.

 

[Guest]

Thanks, I will check out this tool, never can have too
many of those.

 

[Guest]

Thanks Joe and all for the responses. It was a scheduled
task to autolock the pc and the password was wrong I am
sure. I removed the task and it is solved.

I found a GREAT tool on this great website joeware.net
secdata that helped me watch the bad pwd count...and
ironically enough, I was on your site Joe before coming
here

Thanks again for all the replies.
jeff

 

[Joe Richards [MVP]]

Cool, glad to help out.

joe