Account lockouts

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi all,

Last Friday some user accounts started to get locked out. Meanwhile, every
few logon attempts, other accounts get locked out. Even the Administrator
account gets locked out, although it is never used to log on.

I scanned my network for spyware and viruses, but nothing was reported (Panda
Business Secure). Snort doesn't report any suspicious intrusion attempts
either.

I can unlock the accounts every 10 minutes, but that ain't the solution.

I already demoted 1 domain controller that reported problems with its SAM
database (unable to write, lockout as result), but my remaining 2 domain
controllers don't report anything like that (except a WINS error on one
server).

Anybody have a clue? I've been struggling with this for 6 days already, and I'm
getting tired of it.

Systems : all Windows 2000 Advanced Server

Regards,
--
Toni Van Remortel
Netwerkbeheerder HA Dept. Ontwerpwetenschappen
  1.

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx#ENAA
    The article listed above is a very good troubleshooter. Account
    lockouts can be very time consuming to track down, but by following the
    troubleshooting steps in this article you should be able to find the
    source of the lockouts.

    First thing I would do is enable netlogon logging on your PDC Emulator
    and then take a look at the logs and begin to narrow down from there
    (pasted from the article referenced above):
    "To enable Netlogon logging on computers that are running Windows 2000
    Server, at a command prompt, type nltest /dbflag:2080ffff. The log file
    is created in Systemroot\Debug\Netlogon.log. If the log file is not in
    that location, stop and restart the Netlogon service on that computer.
    To do this, at a command prompt, type net stop netlogon & net start
    netlogon." (NLTest is part of the Support Tools on the Win2k CD)

    The values you want to look for in the netlogon log are the following:
    0xC000006A - The value provided as the current password is not correct
    0xC0000234 - The user account has been automatically locked

    Again, the article listed above should guide you through parsing the
    logs and interpreting what you see in the logs.

    Account Lockout tools (link is also referenced from the article listed
    above)
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

    This should be a good start to figuring out your lockout issues.

    Toni Van Remortel wrote:
    > Hi all,
    >
    > Last Friday some user accounts started to get locked out. Meanwhile, every
    > few logon attempts, other accounts get locked out. Even the Administrator
    > account gets locked out, although it is never used to log on.
    >
    > I scanned my network for spyware and viruses, but nothing was reported (Panda
    > Business Secure). Snort doesn't report any suspicious intrusion attempts
    > either.
    >
    > I can unlock the accounts every 10 minutes, but that ain't the solution.
    >
    > I already demoted 1 domain controller that reported problems with its SAM
    > database (unable to write, lockout as result), but my remaining 2 domain
    > controllers don't report anything like that (except a WINS error on one
    > server).
    >
    > Anybody have a clue? I've been struggling with this for 6 days already, and I'm
    > getting tired of it.
    >
    > Systems : all Windows 2000 Advanced Server
    >
    > Regards,
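
Added example (not part of the original posts or the Microsoft article): a small Python parser that tallies the two status codes named above per account and source host from Netlogon.log, so the machine generating the bad passwords stands out. The line layout in the regex and the sample lines, including the host names WS-LAB01 and AVSERVER, are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

BAD_PASSWORD = 0xC000006A   # current password supplied is not correct
LOCKED_OUT = 0xC0000234     # account has been automatically locked
# Assumed line layout (not taken from the thread):
#   MM/DD HH:MM:SS [LOGON] SamLogon: Network logon of DOM\user from HOST Returns 0x...
# The host field may be empty, and "(via DC)" may precede "Returns".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?"
    r"logon of (?P<account>\S+) from (?P<host>[^\s(]*)\s*"
    r"(?:\(via [^)]+\)\s*)?Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

def parse(lines):
    """Yield (timestamp, account, host, status) for every 'Returns' line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            host = m["host"].upper() or "(unknown)"
            yield m["ts"], m["account"].lower(), host, int(m["status"], 16)

def summarize(lines):
    """Return (bad-password counts per account and host, lockout events)."""
    bad, lockouts = defaultdict(Counter), []
    for ts, account, host, status in parse(lines):
        if status == BAD_PASSWORD:
            bad[account][host] += 1
        elif status == LOCKED_OUT:
            lockouts.append((ts, account, host))
    return bad, lockouts

def top_sources(bad, n=3):
    """Rank source hosts by bad-password attempts across all accounts."""
    totals = Counter()
    for hosts in bad.values():
        totals.update(hosts)
    return totals.most_common(n)

# Constructed sample lines (host names WS-LAB01 and AVSERVER are made up).
SAMPLE = r"""
03/14 08:01:10 [LOGON] SamLogon: Network logon of OW_HA\remorto from WS-LAB01 Returns 0xC000006A
03/14 08:01:12 [LOGON] SamLogon: Network logon of OW_HA\Administrator from AVSERVER Returns 0xC000006A
03/14 08:01:14 [LOGON] SamLogon: Network logon of OW_HA\Administrator from AVSERVER Returns 0xC000006A
03/14 08:01:16 [LOGON] SamLogon: Network logon of OW_HA\Administrator from AVSERVER Returns 0xC0000234
03/14 08:02:00 [LOGON] SamLogon: Interactive logon of OW_HA\remorto from WS-LAB01 Returns 0x0
03/14 08:02:30 [LOGON] SamLogon: Network logon of OW_HA\remorto from  Returns 0xC000006A
""".splitlines()

if __name__ == "__main__":
    bad, lockouts = summarize(SAMPLE)
    print("lockouts:", lockouts, "top sources:", top_sources(bad))
```

Point it at the real file with `summarize(open(path, errors="replace"))`; successful logons and "Entered" lines are ignored.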
  2.

    On Wed, 09 Mar 2005 10:17:38 -0600, Jeremy Hallock wrote:

    > The article listed above is a very good troubleshooter.

    Jeremy, thank you for the link to the troubleshooter, it was of some
    help.

    I have now found that account lockout occurs in this situation:

    net use g: \\corbusier\users /user:OW_HA\remorto

    The account 'remorto' is locked out after I press Enter. BadPwdCount is
    set to 1 on the server Corbusier, other domain controllers (now 3 in
    total) leave BadPwdCount on 0, but accept the user lockout.

    When I use this command instead

    net use g: \\corbusier\users /user:OW_HA\remorto *

    I'm asked for a password immediately and the mapping is done without any
    problem. No lockout whatsoever.

    Weird? For me it is.

    Anyway, domain logons will be tested Monday, but my test account works
    normally.

    Regards,
    --
    Toni Van Remortel
    Netwerkbeheerder HA Dept. Ontwerpwetenschappen
  3.

    On Sat, 12 Mar 2005 14:37:43 +0100, Toni Van Remortel wrote:

    > Anyway, domain logons will be tested Monday, but my test account works
    > normally.

    Damned. I'm starting to hate this thing.
    Today, in only half an hour, 5 accounts were locked out, including the
    Administrator.

    --
    Toni Van Remortel
    Netwerkbeheerder HA Dept. Ontwerpwetenschappen
  4.

    In news:pan.2005.03.14.08.00.31.501601@VERWIJDEREN.ha.be,
    Toni Van Remortel <t.vanremortel@VERWIJDEREN.ha.be> commented
    Then Kevin replied below:
    > On Sat, 12 Mar 2005 14:37:43 +0100, Toni Van Remortel
    > wrote:
    >
    >> Anyway, domain logons will be tested Monday, but my
    >> test account works normally.
    >
    > Damned. I'm starting to hate this thing.
    > Today, in only half an hour, 5 accounts were locked out,
    > including the Administrator.

    Check all of your machines for a scheduled task using an old password.
    If you have scheduled tasks and the password changes you have to change the
    password in the task properties. If you use scheduled tasks it is better to
    set up a restricted account for the task with a non-expiring password.

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
  5.

    On Mon, 14 Mar 2005 11:14:29 -0600, Kevin D. Goodknecht Sr. [MVP] wrote:

    > In news:pan.2005.03.14.08.00.31.501601@VERWIJDEREN.ha.be,
    > Toni Van Remortel <t.vanremortel@VERWIJDEREN.ha.be> commented
    > Then Kevin replied below:
    >> On Sat, 12 Mar 2005 14:37:43 +0100, Toni Van Remortel
    >> wrote:
    >>
    >>> Anyway, domain logons will be tested Monday, but my
    >>> test account works normally.
    >>
    >> Damned. I'm starting to hate this thing.
    >> Today, in only half an hour, 5 accounts were locked out,
    >> including the Administrator.
    >
    > Check all of your machines for a scheduled task using an old password.
    > If you have scheduled tasks and the password changes you have to change the
    > password in the task properties. If you use scheduled tasks it is better to
    > set up a restricted account for the task with a non-expiring password.

    Aha, that's why it gets locked.
    Thanks for the info. There are also a lot of services that run with
    Administrator rights (like anti-virus). I'll change them all.

    --
    Toni Van Remortel
    Netwerkbeheerder HA Dept. Ontwerpwetenschappen