Account Lockout

[MeB]

A user in active directory is logged on to the domain. He
then logs on to another server (not a DC) and is prompted
that his password will expire. He then changes the
password while logging on to that server. Whenever he
attempts to log on the the domain thereafter, his account
is locked out. Any idease on how to rectify this? Could it
be that an incorrect local password list or similar exists
that needs to be deleted? Thanks for any help

 

[Curtis Clay III [MSFT]]

Read the link below.

http://download.microsoft.com/download/3/9/e/39e76a67-f8e4-472e-8878-665b47579a33/ALTools.EXE

 

[MeB]

Thanks for the response Curtis but I'm unable to locate
the ALtools.exe link. As it stands the links results in
page cannot be displayed and if I delete the first
download in the URL, I get to the general download page.
Could you please recheck this link. I would very much like
to read the article. Thanks.
Meb

 

[Lloyd Newland]

Hi MeB

You can get a packaged version of the tools used to troubleshoot most
account lockout issue from a link inside the Account Lockout whitepaper.
(This is altools.exe)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/windowsserver2003/maintain/operate/BPACTLCK.asp

From your first posting it was not clear if the user was only logged on at
one machine or more than one machine at the same time. A suggested method
to change the password is to log off and back on to all machines after
changing the password for the user account. One of the largest causes of
locked out accounts is being logged on to multiple machines when a password
has been changed but not logging off and back on to refresh the credentials
used by the systems to access resources.

If you are considering service pack 4 in you domain you can eliminate most
lock out that occur this way by enabling the password history at a setting
of 2 saved passwords. The hotfix released as Q812499 which is included in
SP4 has the Windows 2003 capability to not allow access to an account that
uses a cached password but not increment the bad password count. This will
show as events 529 and 681 failures in the security log (Bad password
events) but the account will not lock out. This will allow users to change
their passwords and then log off and back onto the machines that have the
cached passwords without locking out their accounts.

Please respond directly to the newgroup so all members can learn from your
questions and answers.


Lloyd Newland, MCSE, MCSA

(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[MeB]

Just thought I'd share this with others. It appears the
problem was a few disconnected Terminal Services
connections. If users do not log out of TS and change
their passwords, the disconnected services keep attempting
to reconnect and end up locking out the account. Thanks to
an article I stumpled upon quite by accident on
techsecurity.com.