Account lockouts

  • Thread starter Toni Van Remortel

Toni Van Remortel

Hi all,

Last Friday some user accounts started to get locked out. Meanwhile, every
few logon attempts, other accounts get locked out. Even the Administrator
account gets locked out, although it is never used to log on.

I scanned my network for spyware and viruses, but nothing was reported (Panda
Business secure). Snort doesn't report any suspicious intrusion attempts
either.

I can unlock the accounts every 10 minutes, but that ain't the solution.

I already demoted 1 domain controller that reported problems with its SAM
database (unable to write, lockout as result), but my remaining 2 domain
controllers don't report anything like that (except a WINS error on one
server).

Anybody have a clue? I've been struggling with this for 6 days already, and I'm
getting tired of it.

Systems : all Windows 2000 Advanced Server

Regards,
 
Jeremy Hallock

http://www.microsoft.com/technet/pr...2003/technologies/security/bpactlck.mspx#ENAA
The article listed above is a very good troubleshooter. Account
lockouts can be very time consuming to track down, but by following the
troubleshooting steps in this article you should be able to find the
source of the lockouts.

First thing I would do is enable netlogon logging on your PDC Emulator
and then take a look at the logs and begin to narrow down from there
(pasted from the article referenced above):
"To enable Netlogon logging on computers that are running Windows 2000
Server, at a command prompt, type nltest /dbflag:2080ffff. The log file
is created in Systemroot\Debug\Netlogon.log. If the log file is not in
that location, stop and restart the Netlogon service on that computer.
To do this, at a command prompt, type net stop netlogon & net start
netlogon." (NLTest is part of the Support Tools on the Win2k CD)

The values you want to look for in the netlogon log are the following:
0xC000006A - The value provided as the current password is not correct
0xC0000234 - The user account has been automatically locked

Again, the article listed above should guide you through parsing the
logs and interpreting what you see in the logs.

Account Lockout tools (link is also referenced from the article listed
above)
http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

This should be a good start to figuring out your lockout issues.
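
The tallying step from the reply above, as an added Python example (not from the original post or the Microsoft article): it counts 0xC000006A results per account and source computer and records the first 0xC0000234 seen for each account. The log line layout and the sample lines, including the host names other than CORBUSIER, are assumptions constructed for illustration.

```python
import re
from collections import Counter

BAD_PASSWORD = "0xC000006A"   # current password not correct
LOCKED_OUT = "0xC0000234"     # account automatically locked

# Assumed line layout (typical of Netlogon.log, not quoted from the thread):
#   MM/DD HH:MM:SS [LOGON] ... logon of DOMAIN\user from HOST [(via DC)] Returns 0x...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?logon of (?P<account>\S+)"
    r" from (?P<source>\S+)(?: \(via [^)]+\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# Constructed sample; dates, workstation and server names are made up.
SAMPLE_LOG = r"""
03/18 08:01:10 [LOGON] SamLogon: Network logon of OW_HA\remorto from WKS-014 Entered
03/18 08:01:10 [LOGON] SamLogon: Network logon of OW_HA\remorto from WKS-014 Returns 0xC000006A
03/18 08:01:12 [LOGON] SamLogon: Transitive Network logon of OW_HA\remorto from WKS-014 (via CORBUSIER) Returns 0xC000006A
03/18 08:01:15 [LOGON] SamLogon: Network logon of OW_HA\Administrator from SRV-AV01 Returns 0xC000006A
03/18 08:01:16 [LOGON] SamLogon: Network logon of OW_HA\Administrator from SRV-AV01 Returns 0xC000006A
03/18 08:01:17 [LOGON] SamLogon: Network logon of OW_HA\Administrator from SRV-AV01 Returns 0xC0000234
03/18 08:02:40 [LOGON] SamLogon: Network logon of OW_HA\remorto from WKS-014 Returns 0x0
03/18 08:03:02 [LOGON] SamLogon: Network logon of OW_HA\Administrator from WKS-020 Returns 0xC0000234
"""

def summarize(log_text):
    """Return {account: {"bad_password_sources": Counter, "first_lockout": ts}}."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Entered" lines and other entries carry no status code
        status = "0x" + m["status"][2:].upper()
        if status not in (BAD_PASSWORD, LOCKED_OUT):
            continue  # successes and unrelated errors are not counted
        entry = report.setdefault(
            m["account"].lower(),
            {"bad_password_sources": Counter(), "first_lockout": None})
        if status == BAD_PASSWORD:
            entry["bad_password_sources"][m["source"].upper()] += 1
        elif entry["first_lockout"] is None:
            entry["first_lockout"] = m["ts"]
    return report

if __name__ == "__main__":
    for account, entry in summarize(SAMPLE_LOG).items():
        top = entry["bad_password_sources"].most_common(3)
        print(account, "| first lockout:", entry["first_lockout"], "| bad passwords from:", top)
```

The source computer that sends the most bad passwords for a locked account is the first machine to check for a stale stored credential.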
 
Toni Van Remortel

> The article listed above is a very good troubleshooter.

Jeremy, thank you for the link to the troubleshooter, it was of some
help.

I currently found that account lockout occurs in this situation:

net use g: \\corbusier\users /user:OW_HA\remorto

The account 'remorto' is locked out after I press Enter. BadPwdCount is
set to 1 on the server Corbusier, other domain controllers (now 3 in
total) leave BadPwdCount on 0, but accept the user lockout.

When I use this command instead

net use g: \\corbusier\users /user:OW_HA\remorto *

I'm asked for a password immediately and the mapping is done without any
problem. No lockout whatsoever.

Weird? For me it is.

Anyway, domain logons will be tested monday, but my test-account works
normally.

Regards,
 
Toni Van Remortel

> Anyway, domain logons will be tested monday, but my test-account works
> normally.

Damned. I start to hate this thing.
Today, in only half an hour, 5 accounts are locked out, including the
Administrator.
 
Kevin D. Goodknecht Sr. [MVP]

Toni Van Remortel said:
> Damned. I start to hate this thing.
> Today on only half an hour 5 accounts are locked out,
> including the Administrator.

Check all of your machines for a scheduled task using an old password.
If you have scheduled tasks and the password changes you have to change the
password in the task properties. If you use scheduled tasks it is better to
set up a restricted account for the task with a non-expiring password.
 
Toni Van Remortel

> Check all of your machines for a scheduled task using an old password.
> If you have scheduled tasks and the password changes you have to change the
> password in the task properties. If you use scheduled tasks it is better to
> set up a restricted account for the task with a non-expiring password.

Aha, that's why it gets locked.
Thanks for the info. There are also a lot of the services that run with
Administrator rights (like anti-virus). I'll change them all.
 
Toni Van Remortel

> Aha, that's why it gets locked.
> Thanks for the info. There are also a lot of the services that run with
> Administrator rights (like anti-virus). I'll change them all.

Found the solution.

Shut down the entire core network (servers and backbone) for 30 minutes.
(had to do this due to server cabinet re-organization).

Damn Windows.
 