NT4 Domain account locks when using 2K term Services


Adrian Lavery

I have set up our MD to connect to a Win2K term server so that he can access
our NT4 domain remotely from home via Cisco VPN client. It has worked well
for around six months but recently in the last month or so his domain
account locks out each time he tries to log on to terminal services. I have
only been made aware of this recently and the log files on the PDC only last
for a day or two due to size. I have modified them so they don't log as
much data and so should get a bit longer over the next week or so. We have
a fairly strict password policy that locks the account after three failed
password attempts.
What specifically should I be logging on the PDC to try to narrow this
down? Will this also pick up failed logon attempts from the BDCs? I
realise that it may be someone trying to log on to his account. Will the
logs show this? We have a number of other users on term services and they
don't have this problem. Any help would be greatly appreciated, as having
the MD's account locking out all the time does not bode well.

Adrian
 
Hi Adrian,

First, I think you can try to test whether the client can log on to the domain
directly from the local network. If it can, the problem is caused by the VPN:
the password is changed through the VPN into unknown code that is denied by
the server. This can cause the account lockout.

If the client still can't access the domain, let's try resetting the account
password on the server. Try to log on again and see whether this works.

After we reset the password on the PDC, the change will be replicated to
the BDC servers. You can force the PDC and BDC servers to replicate
immediately in Server Manager.

If someone is trying to log on to the domain with his account, you can
enable auditing of successful and failed logons on the PDC. Then check the
failed logons in the event log. If you find some error logs that were not
created by the user, they must have been caused by somebody trying to access
the network illegitimately.

Please also check on the client whether the user account is set as the service
account for some service. If so, check its password. If the user has
changed the password, the password for the service account will not be
changed automatically. When the service starts, it will generate a logon
failure. This will also cause the account lockout. Please reset the service
account's password to the latest one.

To enable logon auditing on the PDC/BDC:

Open User Manager, click Policies on the menu bar, then click Auditing and
enable Logon and Logoff - Failure and User and Group Management - Success.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
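The log review Steven describes, worked through as an added example that is not part of the original thread. Each NT4 domain controller writes audit records only for the logons it validated itself, so the PDC's log alone does not answer Adrian's BDC question; the script below takes a merged export from the PDC and every BDC and reports, per account, which workstation the bad-password events (529) came from, whether a lockout (539 or 644) was recorded, and whether the failures from one host arrive at regular intervals, which is the signature of a service or scheduled job retrying with a stale password rather than a person typing. The one-record-per-line export format, the account names (md, jsmith, svc_backup) and the machine names (TS1, WS42, WS17, SRV2, PDC, BDC1, BDC2) are all constructed for the example; a real Event Viewer export carries the workstation name inside the event description rather than in a fixed column.

```python
"""Triage of logon failures from NT4 / Windows 2000 Security-log exports.

Added example, not from the original thread.  Input is a simplified export
(an assumed column layout, one record per line) merged from the PDC and
every BDC, since each DC audits only the logons it validated itself.
"""
from collections import Counter
from datetime import datetime

# Event IDs as NT 4.0 / Windows 2000 write them to the Security log.
BAD_PASSWORD = 529       # Logon Failure: unknown user name or bad password
LOGON_LOCKED_OUT = 539   # Logon Failure: account currently locked out
ACCOUNT_LOCKED = 644     # User Account Locked Out (User and Group Management audit)

LOCKOUT_THRESHOLD = 3    # bad passwords before lockout, as in the thread's policy

# Constructed sample data (assumed layout):
# "date time<TAB>event id<TAB>account<TAB>source workstation<TAB>DC that logged it"
SAMPLE_LOG = """\
2003-02-10 08:01:12\t529\tmd\tTS1\tPDC
2003-02-10 08:01:31\t529\tmd\tTS1\tPDC
2003-02-10 08:01:55\t529\tmd\tTS1\tBDC1
2003-02-10 08:01:56\t644\tmd\tTS1\tPDC
2003-02-10 08:03:40\t539\tmd\tTS1\tPDC
2003-02-10 09:15:02\t529\tjsmith\tWS17\tBDC1
2003-02-10 23:40:05\t529\tmd\tWS42\tBDC2
2003-02-10 23:40:09\t529\tmd\tWS42\tBDC2
2003-02-11 02:00:00\t529\tsvc_backup\tSRV2\tPDC
2003-02-11 02:10:00\t529\tsvc_backup\tSRV2\tPDC
2003-02-11 02:20:00\t529\tsvc_backup\tSRV2\tPDC
"""


def parse_export(text):
    """Parse the merged export into time-ordered records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, account, workstation, dc = line.split("\t")
        records.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "event": int(event),
            "account": account.lower(),
            "workstation": workstation.upper(),
            "dc": dc,
        })
    return sorted(records, key=lambda r: r["time"])


def triage(records, expected_sources, threshold=LOCKOUT_THRESHOLD):
    """Per account: bad-password counts per source workstation, which DCs
    recorded the events, whether a lockout was logged, and which sources are
    not on the account's expected list (e.g. the MD should only come from
    the terminal server, so anything else deserves a look)."""
    report = {}
    for rec in records:
        entry = report.setdefault(rec["account"], {
            "bad_password": Counter(),   # workstation -> number of 529 events
            "logged_by": Counter(),      # DC that recorded each event
            "locked_out": False,
            "unexpected_sources": set(),
        })
        entry["logged_by"][rec["dc"]] += 1
        if rec["event"] == BAD_PASSWORD:
            entry["bad_password"][rec["workstation"]] += 1
            allowed = expected_sources.get(rec["account"])
            if allowed is not None and rec["workstation"] not in allowed:
                entry["unexpected_sources"].add(rec["workstation"])
        elif rec["event"] in (LOGON_LOCKED_OUT, ACCOUNT_LOCKED):
            entry["locked_out"] = True
    for entry in report.values():
        entry["reached_threshold"] = sum(entry["bad_password"].values()) >= threshold
    return report


def regular_retries(records, account, workstation, tolerance_s=2):
    """True when an account's bad-password events from one workstation are
    evenly spaced (within tolerance_s seconds): a retry loop such as a
    service or scheduled task started with a stale password, not a person."""
    times = [r["time"] for r in records
             if r["event"] == BAD_PASSWORD
             and r["account"] == account.lower()
             and r["workstation"] == workstation.upper()]
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= tolerance_s


if __name__ == "__main__":
    recs = parse_export(SAMPLE_LOG)
    report = triage(recs, expected_sources={"md": {"TS1"}})
    for account, entry in sorted(report.items()):
        print(f"{account}: bad passwords {dict(entry['bad_password'])}, "
              f"locked out={entry['locked_out']}, "
              f"unexpected sources={sorted(entry['unexpected_sources'])}, "
              f"logged by {dict(entry['logged_by'])}")
        for ws in entry["bad_password"]:
            if regular_retries(recs, account, ws):
                print(f"  {ws}: evenly spaced retries, check services and "
                      f"scheduled tasks running as {account}")
```

Run against exports pulled from all three DCs, the sample shows the two patterns Steven asks Adrian to distinguish: the MD's own failures from the terminal server TS1 (three in a row, then the 644 lockout record on the PDC, then a 539 because the account is already locked) alongside late-night attempts from an unexpected host WS42, and a third account whose failures arrive exactly ten minutes apart from one server, which is what a service retrying a changed password looks like. The threshold count is taken across all DCs because a lockout reflects the combined attempts, not one DC's view.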