Windows 2000 Active Directory Logout

[Bill Smith]

I have noticed the following behavior:
I am the network admin for a medium sized organization.
During my day I am logged on constantly to my Win 2000 Pro
machine as a Network Administrator. Once or twice a day I
will either be unable to access my Outlook email (via
Exchange 2000) or surf the Internet. In both cases I will
appear to have stopped being "logged on" (even though I
haven't logged off myself off the machine). Then I will
access my domain controller and find my username is locked
out. I uncheck the box and then I'm fine again.
I realize this could be a joke someone is playing on me,
but I've audited logins on both servers and clients to see
if this is what is happening and I see nothing of the
such. We have a logout group policy and my account is
grouped so that I am excluded from this policy. Any
ideas?

 

[Arild Bakken]

Have you changed your password recently? This is often the case if you have
a running session, or some service or scheduled task of some kind that is
setup with the old password.

Remember that the reason for an account being locked out is due to wrong
password... this is not something you can enable on an account through MMC,
but is handled by the system after several wrong password attempts.

And you should be seeing the wrong password attempt in the eventlog if you
are auditing logon failures. Remeber though that these events will be logged
in the eventlog on the computer that the logon was attempted from, and not
on the domain controller (unless that's where the user is trying to logon)


Arild

 

[Omko]

I have noticed the following behavior:
I am the network admin for a medium sized organization.
During my day I am logged on constantly to my Win 2000 Pro
machine as a Network Administrator. Once or twice a day I
will either be unable to access my Outlook email (via
Exchange 2000) or surf the Internet. In both cases I will
appear to have stopped being "logged on" (even though I
haven't logged off myself off the machine). Then I will
access my domain controller and find my username is locked
out. I uncheck the box and then I'm fine again.
I realize this could be a joke someone is playing on me,
but I've audited logins on both servers and clients to see
if this is what is happening and I see nothing of the
such. We have a logout group policy and my account is
grouped so that I am excluded from this policy. Any
ideas?

I have the exact same problem in my organisation. It happens because
users are loged on to multiple machines and then changes his password.
the other login sessions try to access a network resource with the old
password and the account locks up. this is expected behaviour.

but i have also found out about a other problem. perhaps a bug in
windows?
please read my post "file lock still active after user log's out"
which i just posted a few hours ago.
note: this only happens to workstation that have a uptime of about 30+
days

you can trace where your lock comes from by using eventcomb (download
here: http://www.microsoft.com/technet/tr...ch/windows/windows2000/staysecure/default.asp)
add your domain controllers to the search list. chose the build in
search "account lockout". input your login name in the box "text" en
browse trough the resulting log file to find which computer still has
a session open with your account.

Omko