Account lockout, terminal services, not disconnected session.

edavid3001

We have been dealing with account lockout issues for well over a year.

After much analysis this is what I have discovered.

I am normally terminal serviced into SERVER1 in a disconnected state,
running workstation scanning software.

My password expired today (Netware grace logons; AD not expired yet).

I terminal serviced into SERVER1 and logged out.

I ran PSLOGGEDON and verified I was not logged in at any location other
than my desk.

I did Ctrl-Alt-Del and changed my password on the Active Directory
(mixed mode) as well as the Netware NDS and our eDirectory tree.

I rebooted my PC, and logged back on. I verified my password synced
across the domain controllers.

I terminal serviced into SERVER1 with my new password.

I started running my software scan.

Immediately my account became disabled. The event logs on our AD
server from which I got locked out show this:

Service Ticket Request Failed:
User Name: USER
User Domain: DOMAIN.COM
Service Name: HOST/PC1234
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 192.168.3.10


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

USER is my user ID. DOMAIN.COM is my Active Directory Domain. PC1234
is the workstation I was attempting to scan. 192.168.3.10 is the IP
address of the SERVER1 where I run my scanning software.

So this tells me that when I logged out of Terminal Services (not
disconnected) and verified via PSLOGGEDON and Terminal Services Manager
(from another admin's desk) that I was not on this server, Windows still
kept my old credentials.

Even after logging on with my new password, Microsoft Windows 2000
server still attempts to use the last USERID/PWD that I connected to
this PC1234 with. I actually had to reboot the server to get past this
issue.

This seems to be a security bug to me.

Are there any known articles on fixing this? Much searching, and I
have not found anything just like this -- only the issue with
disconnected sessions.

Edwin Davidson.
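The event quoted above is the kind of record a defender ends up sifting through by the hundred when chasing a lockout source. Below is a small parser, added here as an illustration and not code from the thread or from Microsoft, that reads "Service Ticket Request Failed" blocks in the shape shown in the post, maps the Kerberos failure code to its RFC 4120 name, and counts failures per user, client address and code so the host presenting stale credentials stands out. The sample log text is constructed for the example; its user, domain, host and address values are placeholders in the same form as the post's. One caveat worth knowing: failure code 0x12 (KDC_ERR_CLIENT_REVOKED) is returned once the account is already locked, disabled or expired, so those events identify who kept trying with the locked account; the bad-password attempts that caused the lockout are logged with code 0x18 (KDC_ERR_PREAUTH_FAILED), which is why the summary keeps the two apart.

```python
"""Aggregate Kerberos service-ticket failures from Windows security log text.

Added example, not code from the thread. The sample events below are
constructed to match the shape of the entry quoted in the original post;
the user, domain, host and address values are illustrative placeholders.
"""
import re
from collections import Counter

# Kerberos error codes from RFC 4120 that show up in the "Failure Code" field.
KRB_FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (user not found in realm)",
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, expired, or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password or pre-auth data)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}

EVENT_HEADER = "Service Ticket Request Failed:"

# Only the named fields are captured, so trailing boilerplate such as the
# "http://..." help link is never mistaken for a "http" field.
FIELD_RE = re.compile(
    r"^\s*(User Name|User Domain|Service Name|Ticket Options|"
    r"Failure Code|Client Address):\s*(.*?)\s*$"
)

# Constructed sample: two failures from one host with a revoked account,
# one bad-password failure from a different host.
SAMPLE_LOG = """\
Service Ticket Request Failed:
User Name: USER
User Domain: DOMAIN.COM
Service Name: HOST/PC1234
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 192.168.3.10

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Service Ticket Request Failed:
User Name: USER
User Domain: DOMAIN.COM
Service Name: cifs/PC1234
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 192.168.3.10

Service Ticket Request Failed:
User Name: USER
User Domain: DOMAIN.COM
Service Name: HOST/FILESRV
Ticket Options: 0x40810010
Failure Code: 0x18
Client Address: 192.168.3.55
"""


def parse_events(text):
    """Split log text into one dict of fields per 'Service Ticket Request Failed' block."""
    events = []
    current = None
    for line in text.splitlines():
        if line.strip() == EVENT_HEADER:
            current = {}
            events.append(current)
            continue
        if current is None:
            continue  # text before the first event header
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return events


def describe_failure(code_text):
    """Map a 'Failure Code' value such as '0x12' to its Kerberos error name."""
    try:
        code = int(code_text, 16)
    except ValueError:
        return f"unparseable failure code {code_text!r}"
    return KRB_FAILURE_CODES.get(code, f"unknown Kerberos error 0x{code:x}")


def summarize_lockout_sources(events):
    """Count failures per (user, client address, failure code).

    The client address is the host that presented the credentials, which is
    what you need in order to find the machine still using an old password.
    """
    counts = Counter()
    for ev in events:
        key = (ev.get("User Name", "?"), ev.get("Client Address", "?"),
               ev.get("Failure Code", "?"))
        counts[key] += 1
    return counts


def report(text):
    """Return human-readable summary lines, most frequent source first."""
    lines = []
    for (user, addr, code), n in summarize_lockout_sources(parse_events(text)).most_common():
        lines.append(f"{n:3d}  {user}@{addr}  {code}  {describe_failure(code)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it the exported text of the security log instead of SAMPLE_LOG and the top line of the report is the client address to look at first; in the situation described in the post that would be the terminal server's own address.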
 

Is the account locked or disabled? There is a difference. If the account
is being locked, you may be out of licenses. Did you change your password
AND have mapped drives using the old password?
 
Both. The account is locked out on the Active Directory because the
domain allows for only 3 password attempts before locking and disabling
the account.

We have more than plenty of licenses.

Yes, there were mapped drives. But I have NET USE /PERSISTENT:NO on
everything - all PCs and servers. Doubly verified on the ones in use.

I have to map these drives each time I log in.

And the resource in question that resulted in login failures using the
old password was accessed via the administrative shares over UNC, not
mappings, such as \\PCNAME\C$, as well as remote registry.

Edwin Davidson.
 