Users in Win98 workstations having account locked in Activ..

marciotf

Distinguished
Apr 17, 2004
9
0
18,510
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi,

We just upgraded a Windows NT 4 domain to Active Directory. The client
computers are comprised of Windows 98, Windows 98 SE and Windows 2000 Pro
machines.
Exchnage 5.5 is installed in a Windows 2000 DC.

We are having the following problem, with the Windows 98 machines:
A lot of the users in the 98 workstations are getting their accounts locked
out (the account lockout police locks an account after 3 failed tries, cant
change this) randomly.

In the DC security logs, I get a lot of errors:

Source: Security
Category: Account Logon
Type: Failure
Event ID: 681
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
The logon to account: xxxxxxx
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: \\xxxxxxx
failed. The error code was: 3221226036

Source: Security
Category: Logon\Logoff
Type: Failure
Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: xxxxxxxx
Domain: DOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: \\xxxxxx

Source: Security
Category: Logon\Logoff
Type: Failure
Event ID: 539
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Logon Failure:
Reason: Account locked out
User Name: xxxxxx
Domain: DOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: \\xxxxxx

Source: Security
Category: Account Management
Type: Success
Event ID: 642
User: Everyone
Computer: DC
Description:
User Account Changed:
Account Locked.
Target Account Name: vnd_bruno
Target Domain: BRAZIL
Target Account ID: BRAZIL\vnd_bruno
Caller User Name: DC02SRV$
Caller Domain: BRAZIL
Caller Logon ID: (0x0,0x3E7)
Privileges: -

Source: Security
Category: Account Management
Type: Success
Event ID: 644
User: Everyone
Computer: DC
Description:
User Account Locked Out:
Target Account Name: XXXXXX
Target Account ID: DOMAIN\XXXXXX
Caller Machine Name: \\XXXXXXX
Caller User Name: DC$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)

It appears as although the users use its right credentials, the accounts are
being locked by the system.

I have checked lots of things and already tried: installing and uninstalling
DSClient on the 98 workstations; allowed anything on the LAN Manager
Authentication Level in Security Options in the Domain Security Police;
edited the users account properties in Active Directory to check "Do not
require Kerberos preauthentication"; checked to make sure users were logging
in the domain and not in the Windows 98 workstation; but nothing worked so
far, accounts are still being locked out randomly.

Can anyone help me?

Thanks in advance.
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi,

As a band-aid, you can change the lockout thresholds in:
Domain Security Policy | Windows Settings | Security Settings | Account
Policies | Account Lockout Policy

Fix the root of this, though. Don't just make the change and leave it like
that.

Viruses and Worms can hit your AD and try to break in using a brute force
attack. You will want to make sure that you are not seeing the system
protect itself from something like this by disabling the accounts. This is
pretty common in the more recent worms. Use your Antivirus program to do a
full sweep of all of your workstations.

I'd also be very concerned about the account management changes done by the
Everyone account, as listed by your appended account logs.

As an aside, I would suggest that you work to get rid of your 9x machines
and replace or upgrade them. Because of the complications and potential
problems, upgrade or attrition of 9x machines should be considered part of
the cost of a migration to 2k/2k3 server. Generally if an organization
can't afford the workstation upgrade, they can't afford the manpower and
downtime that will come with supporting the 9x machines on the new network.
(IMHO)
--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"marciotf" <marciotf@discussions.microsoft.com> wrote in message
news:BE5508A9-B6BA-4988-AFC0-F0059D1D7BD1@microsoft.com...
> Hi,
>
> We just upgraded a Windows NT 4 domain to Active Directory. The client
> computers are comprised of Windows 98, Windows 98 SE and Windows 2000 Pro
> machines.
> Exchnage 5.5 is installed in a Windows 2000 DC.
>
> We are having the following problem, with the Windows 98 machines:
> A lot of the users in the 98 workstations are getting their accounts
locked
> out (the account lockout police locks an account after 3 failed tries,
cant
> change this) randomly.
>
> In the DC security logs, I get a lot of errors:
>
> Source: Security
> Category: Account Logon
> Type: Failure
> Event ID: 681
> User: NT AUTHORITY\SYSTEM
> Computer: DC
> Description:
> The logon to account: xxxxxxx
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: \\xxxxxxx
> failed. The error code was: 3221226036
>
> Source: Security
> Category: Logon\Logoff
> Type: Failure
> Event ID: 529
> User: NT AUTHORITY\SYSTEM
> Computer: DC
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: xxxxxxxx
> Domain: DOMAIN
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: \\xxxxxx
>
> Source: Security
> Category: Logon\Logoff
> Type: Failure
> Event ID: 539
> User: NT AUTHORITY\SYSTEM
> Computer: DC
> Description:
> Logon Failure:
> Reason: Account locked out
> User Name: xxxxxx
> Domain: DOMAIN
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: \\xxxxxx
>
> Source: Security
> Category: Account Management
> Type: Success
> Event ID: 642
> User: Everyone
> Computer: DC
> Description:
> User Account Changed:
> Account Locked.
> Target Account Name: vnd_bruno
> Target Domain: BRAZIL
> Target Account ID: BRAZIL\vnd_bruno
> Caller User Name: DC02SRV$
> Caller Domain: BRAZIL
> Caller Logon ID: (0x0,0x3E7)
> Privileges: -
>
> Source: Security
> Category: Account Management
> Type: Success
> Event ID: 644
> User: Everyone
> Computer: DC
> Description:
> User Account Locked Out:
> Target Account Name: XXXXXX
> Target Account ID: DOMAIN\XXXXXX
> Caller Machine Name: \\XXXXXXX
> Caller User Name: DC$
> Caller Domain: DOMAIN
> Caller Logon ID: (0x0,0x3E7)
>
> It appears as although the users use its right credentials, the accounts
are
> being locked by the system.
>
> I have checked lots of things and already tried: installing and
uninstalling
> DSClient on the 98 workstations; allowed anything on the LAN Manager
> Authentication Level in Security Options in the Domain Security Police;
> edited the users account properties in Active Directory to check "Do not
> require Kerberos preauthentication"; checked to make sure users were
logging
> in the domain and not in the Windows 98 workstation; but nothing worked so
> far, accounts are still being locked out randomly.
>
> Can anyone help me?
>
> Thanks in advance.
 

marciotf

Distinguished
Apr 17, 2004
9
0
18,510
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Ryan,
This is not a virus/worm problem, I have scanned all machines using multiple
antivirus software.
I cant change the lockout threshold.
As I said it is a problem related to the Windows 98 machines authenticating
in the AD domain, it appears that the Windows 98 sends wrong credentias to
the Domain Controllers when the users logged try to access a file share in
the Domain Controllers.

"Ryan Hanisco" wrote:

> Hi,
>
> As a band-aid, you can change the lockout thresholds in:
> Domain Security Policy | Windows Settings | Security Settings | Account
> Policies | Account Lockout Policy
>
> Fix the root of this, though. Don't just make the change and leave it like
> that.
>
> Viruses and Worms can hit your AD and try to break in using a brute force
> attack. You will want to make sure that you are not seeing the system
> protect itself from something like this by disabling the accounts. This is
> pretty common in the more recent worms. Use your Antivirus program to do a
> full sweep of all of your workstations.
>
> I'd also be very concerned about the account management changes done by the
> Everyone account, as listed by your appended account logs.
>
> As an aside, I would suggest that you work to get rid of your 9x machines
> and replace or upgrade them. Because of the complications and potential
> problems, upgrade or attrition of 9x machines should be considered part of
> the cost of a migration to 2k/2k3 server. Generally if an organization
> can't afford the workstation upgrade, they can't afford the manpower and
> downtime that will come with supporting the 9x machines on the new network.
> (IMHO)
> --
> Ryan Hanisco
> MCSE, MCDBA
> Flagship Integration Services
>
> "marciotf" <marciotf@discussions.microsoft.com> wrote in message
> news:BE5508A9-B6BA-4988-AFC0-F0059D1D7BD1@microsoft.com...
> > Hi,
> >
> > We just upgraded a Windows NT 4 domain to Active Directory. The client
> > computers are comprised of Windows 98, Windows 98 SE and Windows 2000 Pro
> > machines.
> > Exchnage 5.5 is installed in a Windows 2000 DC.
> >
> > We are having the following problem, with the Windows 98 machines:
> > A lot of the users in the 98 workstations are getting their accounts
> locked
> > out (the account lockout police locks an account after 3 failed tries,
> cant
> > change this) randomly.
> >
> > In the DC security logs, I get a lot of errors:
> >
> > Source: Security
> > Category: Account Logon
> > Type: Failure
> > Event ID: 681
> > User: NT AUTHORITY\SYSTEM
> > Computer: DC
> > Description:
> > The logon to account: xxxxxxx
> > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > from workstation: \\xxxxxxx
> > failed. The error code was: 3221226036
> >
> > Source: Security
> > Category: Logon\Logoff
> > Type: Failure
> > Event ID: 529
> > User: NT AUTHORITY\SYSTEM
> > Computer: DC
> > Description:
> > Logon Failure:
> > Reason: Unknown user name or bad password
> > User Name: xxxxxxxx
> > Domain: DOMAIN
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: \\xxxxxx
> >
> > Source: Security
> > Category: Logon\Logoff
> > Type: Failure
> > Event ID: 539
> > User: NT AUTHORITY\SYSTEM
> > Computer: DC
> > Description:
> > Logon Failure:
> > Reason: Account locked out
> > User Name: xxxxxx
> > Domain: DOMAIN
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: \\xxxxxx
> >
> > Source: Security
> > Category: Account Management
> > Type: Success
> > Event ID: 642
> > User: Everyone
> > Computer: DC
> > Description:
> > User Account Changed:
> > Account Locked.
> > Target Account Name: vnd_bruno
> > Target Domain: BRAZIL
> > Target Account ID: BRAZIL\vnd_bruno
> > Caller User Name: DC02SRV$
> > Caller Domain: BRAZIL
> > Caller Logon ID: (0x0,0x3E7)
> > Privileges: -
> >
> > Source: Security
> > Category: Account Management
> > Type: Success
> > Event ID: 644
> > User: Everyone
> > Computer: DC
> > Description:
> > User Account Locked Out:
> > Target Account Name: XXXXXX
> > Target Account ID: DOMAIN\XXXXXX
> > Caller Machine Name: \\XXXXXXX
> > Caller User Name: DC$
> > Caller Domain: DOMAIN
> > Caller Logon ID: (0x0,0x3E7)
> >
> > It appears as although the users use its right credentials, the accounts
> are
> > being locked by the system.
> >
> > I have checked lots of things and already tried: installing and
> uninstalling
> > DSClient on the 98 workstations; allowed anything on the LAN Manager
> > Authentication Level in Security Options in the Domain Security Police;
> > edited the users account properties in Active Directory to check "Do not
> > require Kerberos preauthentication"; checked to make sure users were
> logging
> > in the domain and not in the Windows 98 workstation; but nothing worked so
> > far, accounts are still being locked out randomly.
> >
> > Can anyone help me?
> >
> > Thanks in advance.
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

hmm...

Looking at the event log excerpt you posted:

-- The first one is a denial because the account is already locked out.
-- The second is a standard bad username or password (lots of possible
sources)
-- The third is a normal lockout
-- The fourth is an explicit lockout of an account, but is being logged as a
generic account change. This was fixed in SP4, per KB 314444 -- but that is
just the reporting, not the cause.
-- The rest are lockouts (KB 814511) in the normal course of things.

The point is that you are right in that the system is locking the accounts
and there is nothing screwy with that process going on. It really does look
as though there is an issue with "something" whether it be the ds client, a
service, or a virus attempting to log on to accounts over and over causing
them to lock.

Considering the value of your time and the impact to the end users, this
seems like the time to open a case with MS. It'll be worth the money if it
gets resolved quickly, and you did your basic research so you're not acting
capriciously.

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"marciotf" <marciotf@discussions.microsoft.com> wrote in message
news:6350C303-ACF3-4F29-857C-317175624E53@microsoft.com...
> Hi Ryan,
> This is not a virus/worm problem, I have scanned all machines using
multiple
> antivirus software.
> I cant change the lockout threshold.
> As I said it is a problem related to the Windows 98 machines
authenticating
> in the AD domain, it appears that the Windows 98 sends wrong credentias to
> the Domain Controllers when the users logged try to access a file share in
> the Domain Controllers.
>
> "Ryan Hanisco" wrote:
>
> > Hi,
> >
> > As a band-aid, you can change the lockout thresholds in:
> > Domain Security Policy | Windows Settings | Security Settings | Account
> > Policies | Account Lockout Policy
> >
> > Fix the root of this, though. Don't just make the change and leave it
like
> > that.
> >
> > Viruses and Worms can hit your AD and try to break in using a brute
force
> > attack. You will want to make sure that you are not seeing the system
> > protect itself from something like this by disabling the accounts. This
is
> > pretty common in the more recent worms. Use your Antivirus program to
do a
> > full sweep of all of your workstations.
> >
> > I'd also be very concerned about the account management changes done by
the
> > Everyone account, as listed by your appended account logs.
> >
> > As an aside, I would suggest that you work to get rid of your 9x
machines
> > and replace or upgrade them. Because of the complications and potential
> > problems, upgrade or attrition of 9x machines should be considered part
of
> > the cost of a migration to 2k/2k3 server. Generally if an organization
> > can't afford the workstation upgrade, they can't afford the manpower and
> > downtime that will come with supporting the 9x machines on the new
network.
> > (IMHO)
> > --
> > Ryan Hanisco
> > MCSE, MCDBA
> > Flagship Integration Services
> >
> > "marciotf" <marciotf@discussions.microsoft.com> wrote in message
> > news:BE5508A9-B6BA-4988-AFC0-F0059D1D7BD1@microsoft.com...
> > > Hi,
> > >
> > > We just upgraded a Windows NT 4 domain to Active Directory. The client
> > > computers are comprised of Windows 98, Windows 98 SE and Windows 2000
Pro
> > > machines.
> > > Exchnage 5.5 is installed in a Windows 2000 DC.
> > >
> > > We are having the following problem, with the Windows 98 machines:
> > > A lot of the users in the 98 workstations are getting their accounts
> > locked
> > > out (the account lockout police locks an account after 3 failed tries,
> > cant
> > > change this) randomly.
> > >
> > > In the DC security logs, I get a lot of errors:
> > >
> > > Source: Security
> > > Category: Account Logon
> > > Type: Failure
> > > Event ID: 681
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: DC
> > > Description:
> > > The logon to account: xxxxxxx
> > > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > > from workstation: \\xxxxxxx
> > > failed. The error code was: 3221226036
> > >
> > > Source: Security
> > > Category: Logon\Logoff
> > > Type: Failure
> > > Event ID: 529
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: DC
> > > Description:
> > > Logon Failure:
> > > Reason: Unknown user name or bad password
> > > User Name: xxxxxxxx
> > > Domain: DOMAIN
> > > Logon Type: 3
> > > Logon Process: NtLmSsp
> > > Authentication Package: NTLM
> > > Workstation Name: \\xxxxxx
> > >
> > > Source: Security
> > > Category: Logon\Logoff
> > > Type: Failure
> > > Event ID: 539
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: DC
> > > Description:
> > > Logon Failure:
> > > Reason: Account locked out
> > > User Name: xxxxxx
> > > Domain: DOMAIN
> > > Logon Type: 3
> > > Logon Process: NtLmSsp
> > > Authentication Package: NTLM
> > > Workstation Name: \\xxxxxx
> > >
> > > Source: Security
> > > Category: Account Management
> > > Type: Success
> > > Event ID: 642
> > > User: Everyone
> > > Computer: DC
> > > Description:
> > > User Account Changed:
> > > Account Locked.
> > > Target Account Name: vnd_bruno
> > > Target Domain: BRAZIL
> > > Target Account ID: BRAZIL\vnd_bruno
> > > Caller User Name: DC02SRV$
> > > Caller Domain: BRAZIL
> > > Caller Logon ID: (0x0,0x3E7)
> > > Privileges: -
> > >
> > > Source: Security
> > > Category: Account Management
> > > Type: Success
> > > Event ID: 644
> > > User: Everyone
> > > Computer: DC
> > > Description:
> > > User Account Locked Out:
> > > Target Account Name: XXXXXX
> > > Target Account ID: DOMAIN\XXXXXX
> > > Caller Machine Name: \\XXXXXXX
> > > Caller User Name: DC$
> > > Caller Domain: DOMAIN
> > > Caller Logon ID: (0x0,0x3E7)
> > >
> > > It appears as although the users use its right credentials, the
accounts
> > are
> > > being locked by the system.
> > >
> > > I have checked lots of things and already tried: installing and
> > uninstalling
> > > DSClient on the 98 workstations; allowed anything on the LAN Manager
> > > Authentication Level in Security Options in the Domain Security
Police;
> > > edited the users account properties in Active Directory to check "Do
not
> > > require Kerberos preauthentication"; checked to make sure users were
> > logging
> > > in the domain and not in the Windows 98 workstation; but nothing
worked so
> > > far, accounts are still being locked out randomly.
> > >
> > > Can anyone help me?
> > >
> > > Thanks in advance.
> >
> >
> >
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Also, take a look at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;317796
http://support.microsoft.com/default.aspx?scid=kb;en-us;271496

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"marciotf" <marciotf@discussions.microsoft.com> wrote in message
news:6350C303-ACF3-4F29-857C-317175624E53@microsoft.com...
> Hi Ryan,
> This is not a virus/worm problem, I have scanned all machines using
multiple
> antivirus software.
> I cant change the lockout threshold.
> As I said it is a problem related to the Windows 98 machines
authenticating
> in the AD domain, it appears that the Windows 98 sends wrong credentias to
> the Domain Controllers when the users logged try to access a file share in
> the Domain Controllers.
>
> "Ryan Hanisco" wrote:
>
> > Hi,
> >
> > As a band-aid, you can change the lockout thresholds in:
> > Domain Security Policy | Windows Settings | Security Settings | Account
> > Policies | Account Lockout Policy
> >
> > Fix the root of this, though. Don't just make the change and leave it
like
> > that.
> >
> > Viruses and Worms can hit your AD and try to break in using a brute
force
> > attack. You will want to make sure that you are not seeing the system
> > protect itself from something like this by disabling the accounts. This
is
> > pretty common in the more recent worms. Use your Antivirus program to
do a
> > full sweep of all of your workstations.
> >
> > I'd also be very concerned about the account management changes done by
the
> > Everyone account, as listed by your appended account logs.
> >
> > As an aside, I would suggest that you work to get rid of your 9x
machines
> > and replace or upgrade them. Because of the complications and potential
> > problems, upgrade or attrition of 9x machines should be considered part
of
> > the cost of a migration to 2k/2k3 server. Generally if an organization
> > can't afford the workstation upgrade, they can't afford the manpower and
> > downtime that will come with supporting the 9x machines on the new
network.
> > (IMHO)
> > --
> > Ryan Hanisco
> > MCSE, MCDBA
> > Flagship Integration Services
> >
> > "marciotf" <marciotf@discussions.microsoft.com> wrote in message
> > news:BE5508A9-B6BA-4988-AFC0-F0059D1D7BD1@microsoft.com...
> > > Hi,
> > >
> > > We just upgraded a Windows NT 4 domain to Active Directory. The client
> > > computers are comprised of Windows 98, Windows 98 SE and Windows 2000
Pro
> > > machines.
> > > Exchnage 5.5 is installed in a Windows 2000 DC.
> > >
> > > We are having the following problem, with the Windows 98 machines:
> > > A lot of the users in the 98 workstations are getting their accounts
> > locked
> > > out (the account lockout police locks an account after 3 failed tries,
> > cant
> > > change this) randomly.
> > >
> > > In the DC security logs, I get a lot of errors:
> > >
> > > Source: Security
> > > Category: Account Logon
> > > Type: Failure
> > > Event ID: 681
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: DC
> > > Description:
> > > The logon to account: xxxxxxx
> > > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > > from workstation: \\xxxxxxx
> > > failed. The error code was: 3221226036
> > >
> > > Source: Security
> > > Category: Logon\Logoff
> > > Type: Failure
> > > Event ID: 529
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: DC
> > > Description:
> > > Logon Failure:
> > > Reason: Unknown user name or bad password
> > > User Name: xxxxxxxx
> > > Domain: DOMAIN
> > > Logon Type: 3
> > > Logon Process: NtLmSsp
> > > Authentication Package: NTLM
> > > Workstation Name: \\xxxxxx
> > >
> > > Source: Security
> > > Category: Logon\Logoff
> > > Type: Failure
> > > Event ID: 539
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: DC
> > > Description:
> > > Logon Failure:
> > > Reason: Account locked out
> > > User Name: xxxxxx
> > > Domain: DOMAIN
> > > Logon Type: 3
> > > Logon Process: NtLmSsp
> > > Authentication Package: NTLM
> > > Workstation Name: \\xxxxxx
> > >
> > > Source: Security
> > > Category: Account Management
> > > Type: Success
> > > Event ID: 642
> > > User: Everyone
> > > Computer: DC
> > > Description:
> > > User Account Changed:
> > > Account Locked.
> > > Target Account Name: vnd_bruno
> > > Target Domain: BRAZIL
> > > Target Account ID: BRAZIL\vnd_bruno
> > > Caller User Name: DC02SRV$
> > > Caller Domain: BRAZIL
> > > Caller Logon ID: (0x0,0x3E7)
> > > Privileges: -
> > >
> > > Source: Security
> > > Category: Account Management
> > > Type: Success
> > > Event ID: 644
> > > User: Everyone
> > > Computer: DC
> > > Description:
> > > User Account Locked Out:
> > > Target Account Name: XXXXXX
> > > Target Account ID: DOMAIN\XXXXXX
> > > Caller Machine Name: \\XXXXXXX
> > > Caller User Name: DC$
> > > Caller Domain: DOMAIN
> > > Caller Logon ID: (0x0,0x3E7)
> > >
> > > It appears as although the users use its right credentials, the
accounts
> > are
> > > being locked by the system.
> > >
> > > I have checked lots of things and already tried: installing and
> > uninstalling
> > > DSClient on the 98 workstations; allowed anything on the LAN Manager
> > > Authentication Level in Security Options in the Domain Security
Police;
> > > edited the users account properties in Active Directory to check "Do
not
> > > require Kerberos preauthentication"; checked to make sure users were
> > logging
> > > in the domain and not in the Windows 98 workstation; but nothing
worked so
> > > far, accounts are still being locked out randomly.
> > >
> > > Can anyone help me?
> > >
> > > Thanks in advance.
> >
> >
> >
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

"Ryan Hanisco" wrote:
> Also, take a look at:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;317796
> http://support.microsoft.com/default.aspx?scid=kb;en-us;271496
>
> --
> Ryan Hanisco
> MCSE, MCDBA
> Flagship Integration Services
>
> "marciotf" <marciotf@discussions.microsoft.com> wrote in
> message
> news:6350C303-ACF3-4F29-857C-317175624E53@microsoft.com...
> > Hi Ryan,
> > This is not a virus/worm problem, I have scanned all
> machines using
> multiple
> > antivirus software.
> > I cant change the lockout threshold.
> > As I said it is a problem related to the Windows 98 machines
> authenticating
> > in the AD domain, it appears that the Windows 98 sends wrong
> credentias to
> > the Domain Controllers when the users logged try to access a
> file share in
> > the Domain Controllers.
> >
> > "Ryan Hanisco" wrote:
> >
>  > > Hi,
>  > >
>  > > As a band-aid, you can change the lockout thresholds
> in:
>  > > Domain Security Policy | Windows Settings | Security
> Settings | Account
>  > > Policies | Account Lockout Policy
>  > >
>  > > Fix the root of this, though. Don't just make the
> change and leave it
> like
>  > > that.
>  > >
>  > > Viruses and Worms can hit your AD and try to break
> in using a brute
> force
>  > > attack. You will want to make sure that you are not
> seeing the system
>  > > protect itself from something like this by disabling
> the accounts. This
> is
>  > > pretty common in the more recent worms. Use your
> Antivirus program to
> do a
>  > > full sweep of all of your workstations.
>  > >
>  > > I'd also be very concerned about the account
> management changes done by
> the
>  > > Everyone account, as listed by your appended account
> logs.
>  > >
>  > > As an aside, I would suggest that you work to get
> rid of your 9x
> machines
>  > > and replace or upgrade them. Because of the
> complications and potential
>  > > problems, upgrade or attrition of 9x machines should
> be considered part
> of
>  > > the cost of a migration to 2k/2k3 server. Generally
> if an organization
>  > > can't afford the workstation upgrade, they can't
> afford the manpower and
>  > > downtime that will come with supporting the 9x
> machines on the new
> network.
>  > > (IMHO)
>  > > --
>  > > Ryan Hanisco
>  > > MCSE, MCDBA
>  > > Flagship Integration Services
>  > >
>  > > "marciotf"
> <marciotf@discussions.microsoft.com> wrote in message
>  > >
> news:BE5508A9-B6BA-4988-AFC0-F0059D1D7BD1@microsoft.com...
>   > > > Hi,
>   > > >
>   > > > We just upgraded a Windows NT 4 domain to
> Active Directory. The client
>   > > > computers are comprised of Windows 98,
> Windows 98 SE and Windows 2000
> Pro
>   > > > machines.
>   > > > Exchnage 5.5 is installed in a Windows 2000
> DC.
>   > > >
>   > > > We are having the following problem, with
> the Windows 98 machines:
>   > > > A lot of the users in the 98 workstations
> are getting their accounts
>  > > locked
>   > > > out (the account lockout police locks an
> account after 3 failed tries,
>  > > cant
>   > > > change this) randomly.
>   > > >
>   > > > In the DC security logs, I get a lot of
> errors:
>   > > >
>   > > > Source: Security
>   > > > Category: Account Logon
>   > > > Type: Failure
>   > > > Event ID: 681
>   > > > User: NT AUTHORITYSYSTEM
>   > > > Computer: DC
>   > > > Description:
>   > > > The logon to account: xxxxxxx
>   > > > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>   > > > from workstation: \xxxxxxx
>   > > > failed. The error code was: 3221226036
>   > > >
>   > > > Source: Security
>   > > > Category: LogonLogoff
>   > > > Type: Failure
>   > > > Event ID: 529
>   > > > User: NT AUTHORITYSYSTEM
>   > > > Computer: DC
>   > > > Description:
>   > > > Logon Failure:
>   > > > Reason: Unknown user name or
> bad password
>   > > > User Name: xxxxxxxx
>   > > > Domain: DOMAIN
>   > > > Logon Type: 3
>   > > > Logon Process: NtLmSsp
>   > > > Authentication Package: NTLM
>   > > > Workstation Name: \xxxxxx
>   > > >
>   > > > Source: Security
>   > > > Category: LogonLogoff
>   > > > Type: Failure
>   > > > Event ID: 539
>   > > > User: NT AUTHORITYSYSTEM
>   > > > Computer: DC
>   > > > Description:
>   > > > Logon Failure:
>   > > > Reason: Account locked out
>   > > > User Name: xxxxxx
>   > > > Domain: DOMAIN
>   > > > Logon Type: 3
>   > > > Logon Process: NtLmSsp
>   > > > Authentication Package: NTLM
>   > > > Workstation Name: \xxxxxx
>   > > >
>   > > > Source: Security
>   > > > Category: Account Management
>   > > > Type: Success
>   > > > Event ID: 642
>   > > > User: Everyone
>   > > > Computer: DC
>   > > > Description:
>   > > > User Account Changed:
>   > > > Account Locked.
>   > > > Target Account Name: vnd_bruno
>   > > > Target Domain: BRAZIL
>   > > > Target Account ID:
> BRAZILvnd_bruno
>   > > > Caller User Name: DC02SRV$
>   > > > Caller Domain: BRAZIL
>   > > > Caller Logon ID: (0x0,0x3E7)
>   > > > Privileges: -
>   > > >
>   > > > Source: Security
>   > > > Category: Account Management
>   > > > Type: Success
>   > > > Event ID: 644
>   > > > User: Everyone
>   > > > Computer: DC
>   > > > Description:
>   > > > User Account Locked Out:
>   > > > Target Account Name: XXXXXX
>   > > > Target Account ID: DOMAINXXXXXX
>   > > > Caller Machine Name: \XXXXXXX
>   > > > Caller User Name: DC$
>   > > > Caller Domain: DOMAIN
>   > > > Caller Logon ID: (0x0,0x3E7)
>   > > >
>   > > > It appears as although the users use its
> right credentials, the
> accounts
>  > > are
>   > > > being locked by the system.
>   > > >
>   > > > I have checked lots of things and already
> tried: installing and
>  > > uninstalling
>   > > > DSClient on the 98 workstations; allowed
> anything on the LAN Manager
>   > > > Authentication Level in Security Options in
> the Domain Security
> Police;
>   > > > edited the users account properties in
> Active Directory to check "Do
> not
>   > > > require Kerberos preauthentication"; checked
> to make sure users were
>  > > logging
>   > > > in the domain and not in the Windows 98
> workstation; but nothing
> worked so
>   > > > far, accounts are still being locked out
> randomly.
>   > > >
>   > > > Can anyone help me?
>   > > >
>   > > > Thanks in advance.
>  > >
>  > >
>  > >

Hi,

First of all. Make sure you install the Active Directory Client on the
Windows 9x boxes. It is on the Windows 2000 Server CD Rom.

Second of all. Configure DHCP to automatically register non-dynamic
clients in DNS. Right click DHCP Domain - properties - dns tab

Third of all - Install a WINS Server. This is essential to non NT
clients.

Go to your DNS server and make sure all the Win 9x clients are there
with the correct ip.

That is a start.

Cheers,

Lara

--
http://www.WindowsForumz.com/ This article was posted by author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.WindowsForumz.com/Active-Directory-Users-Win98-workstations-account-locked-Direct-ftopict243660.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=742530