Account lockout, terminal services, not disconnected session.

edavid3001

We have been dealing with account lockout issues for well over a year.

After much analysis this is what I have discovered.

I normally am terminal serviced into SERVER1 in a disconnected state,
running workstation scanning software.

My password expired today (Netware grace logons, AD not expired yet.)

I Terminal serviced into SERVER1 and logged out.

I ran PSLOGGEDON and verified I was not logged in at any location other
than my desk.

I did CNTL ALT DEL and changed my password on the Active Directory
(Mixed mode.) as well as the Netware NDS and our eDirectory tree.

I rebooted my PC, and logged back on. I verified my password synced
across the domain controllers.

I terminal serviced into SERVER1 with my new password.

I started running my software scan.

Immediately my account became disabled. The event logs on our AD
server from which I got locked out show this:

Service Ticket Request Failed:
User Name: USER
User Domain: DOMAIN.COM
Service Name: HOST/PC1234
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 192.168.3.10


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

USER is my user ID. DOMAIN.COM is my Active Directory Domain. PC1234
is the workstation I was attempting to scan. 192.168.3.10 is the IP
address of the SERVER1 where I run my scanning software.

So this tells me that when I logged out of Terminal Services (Not
disconnected) and verified via PSLOGGEDON and Terminal Services Manager
(from another admin's desk) that I was not on this server, Windows still
kept my old credentials.

Even after logging on with my new password, Microsoft Windows 2000
server still attempts to use the last USERID/PWD that I connected to
this PC1234 with. I actually had to reboot the server to get past this
issue.

This seems to be a security bug to me.

Are there any known articles on fixing this? Much searching, and I
have not found anything just like this -- only the issue with
disconnected sessions.

Edwin Davidson.
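
An added example, not part of the original post: a small Python parser for exported records in the format shown above. It decodes the failure code and counts failures per user and client address, which points at the host sending the requests. The function names and the second and third sample records are constructed for illustration; the error names are those of RFC 4120.

```python
import re
from collections import Counter

# Kerberos error names (RFC 4120) for codes often seen in these records.
KRB_ERRORS = {
    0x12: "KDC_ERR_CLIENT_REVOKED",  # account disabled, expired or locked out
    0x17: "KDC_ERR_KEY_EXPIRED",     # password has expired
    0x18: "KDC_ERR_PREAUTH_FAILED",  # pre-authentication failed (bad password)
}
FIELD = re.compile(r"^[ \t]*(User Name|User Domain|Service Name|Ticket Options|"
                   r"Failure Code|Client Address):[ \t]*(\S+)[ \t]*$", re.M)

def parse_records(text):
    """One dict per 'Ticket Request Failed' record, with the code decoded."""
    records = []
    for chunk in re.split(r"(?m)^.*Ticket Request Failed:[ \t]*$", text)[1:]:
        rec = dict(FIELD.findall(chunk))
        if "Failure Code" in rec:  # skip truncated records
            code = int(rec["Failure Code"], 16)
            rec["Failure Name"] = KRB_ERRORS.get(code, "UNKNOWN")
            records.append(rec)
    return records

def failures_by_source(records):
    """Count failures per (user, client address): the host sending them."""
    return Counter((r.get("User Name"), r.get("Client Address")) for r in records)

# Constructed sample. Record 1 copies the values in the post; 2 and 3 are made up.
SAMPLE = """\
Service Ticket Request Failed:
User Name: USER
User Domain: DOMAIN.COM
Service Name: HOST/PC1234
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 192.168.3.10
Service Ticket Request Failed:
User Name: USER
Service Name: HOST/PC5678
Failure Code: 0x12
Client Address: 192.168.3.10
Authentication Ticket Request Failed:
User Name: USER2
Failure Code: 0x18
Client Address: 192.168.3.22
"""

for (user, addr), n in failures_by_source(parse_records(SAMPLE)).most_common():
    print(f"{n} failure(s) for {user} from {addr}")
```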
 
Brandon McCombs

Is the account locked or disabled? There is a difference. If the account
is being locked you may be out of licenses. Did you change your password
AND have mapped drives using the old password?
 
edavid3001

> Is the account locked or disabled? There is a difference. If the account

Both. The account is locked out on the Active Directory because the
domain allows for only 3 password attempts before locking and disabling
the account.

We have more than plenty of licenses.

Yes, there were mapped drives. But I have NET USE /PERSISTENT:NO on
everything - all PCs and servers. Doubly verified on the ones in use.

I have to map these drives each time I log in.

And the resource in question that resulted in login failures using the
old password was using the administrative shares via UNC, not mappings.
Such as \\PCNAME\C$ as well as remote registry.

Edwin Davidson.