Account lockout, terminal services, not disconnected sessi..

Archived from groups: microsoft.public.win2000.active_directory (More info?)

We have been dealing with account lockout issues for well over a year.

After much analysis this is what I have discovered.

I normally am terminal serviced into SERVER1 in a disconnected state,
running workstation scanning software.

My password expired today (Netware grace logons, AD not expired yet.)

I Terminal serviced into SERVER1 and logged out.

I ran PSLOGGEDON and verified I was not logged in at any location other
than my desk.

I did Ctrl+Alt+Del and changed my password on the Active Directory
(Mixed mode.) as well as the Netware NDS and our eDirectory tree.

I rebooted my PC, and logged back on. I verified my password synced
across the domain controllers.

I terminal serviced into SERVER1 with my new password.

I started running my software scan.

Immediately my account became disabled. The event logs on our AD
server from which I got locked out show this:

Service Ticket Request Failed:
User Name: USER
User Domain: DOMAIN.COM
Service Name: HOST/PC1234
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 192.168.3.10


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

USER is my user ID. DOMAIN.COM is my Active Directory Domain. PC1234
is the workstation I was attempting to scan. 192.168.3.10 is the IP
address of the SERVER1 where I run my scanning software.

So this tells me that when I logged out of Terminal Services (Not
disconnected) and verified via PSLOGGEDON and Terminal Services Manager
(from another admin's desk) that I was not on this server, Windows still
kept my old credentials.

Even after logging on with my new password, Microsoft Windows 2000
server still attempts to use the last USERID/PWD that I connected to
this PC1234 with. I actually had to reboot the server to get past this
issue.

This seems to be a security bug to me.

Are there any known articles on fixing this? Much searching, and I
have not found anything just like this -- only the issue with
disconnected sessions.

Edwin Davidson.
  1.

    edavid3001@gmail.com wrote:

    > We have been dealing with account lockout issues for well over a year.
    >
    > After much analysis this is what I have discovered.
    >
    > I normally am terminal serviced into SERVER1 in a disconnected state,
    > running workstation scanning software.
    >
    > My password expired today (Netware grace logons, AD not expired yet.)
    >
    > I Terminal serviced into SERVER1 and logged out.
    >
    > I ran PSLOGGEDON and verified I was not logged in at any location other
    > than my desk.
    >
    > I did Ctrl+Alt+Del and changed my password on the Active Directory
    > (Mixed mode.) as well as the Netware NDS and our eDirectory tree.
    >
    > I rebooted my PC, and logged back on. I verified my password synced
    > across the domain controllers.
    >
    > I terminal serviced into SERVER1 with my new password.
    >
    > I started running my software scan.
    >
    > Immediately my account became disabled. The event logs on our AD
    > server from which I got locked out show this:

    Is the account locked or disabled? There is a difference. If the account
    is being locked you may be out of licenses. Did you change your password
    AND have mapped drives using the old password?

    >
    >
    > Service Ticket Request Failed:
    > User Name: USER
    > User Domain: DOMAIN.COM
    > Service Name: HOST/PC1234
    > Ticket Options: 0x40810010
    > Failure Code: 0x12
    > Client Address: 192.168.3.10
    >
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    >
    > USER is my user ID. DOMAIN.COM is my Active Directory Domain. PC1234
    > is the workstation I was attempting to scan. 192.168.3.10 is the IP
    > address of the SERVER1 where I run my scanning software.
    >
    > So this tells me that when I logged out of Terminal Services (Not
    > disconnected) and verified via PSLOGGEDON and Terminal Services Manager
    > (from another admin's desk) that I was not on this server, Windows still
    > kept my old credentials.
    >
    > Even after logging on with my new password, Microsoft Windows 2000
    > server still attempts to use the last USERID/PWD that I connected to
    > this PC1234 with. I actually had to reboot the server to get past this
    > issue.
    >
    > This seems to be a security bug to me.
    >
    > Are there any known articles on fixing this? Much searching, and I
    > have not found anything just like this -- only the issue with
    > disconnected sessions.
    >
    > Edwin Davidson.
  2.

    >> Is the account locked or disabled? There is a difference. If the account
    >> is being locked you may be out of licenses. Did you change your password
    >> AND have mapped drives using the old password?

    Both. The account is locked out on the Active Directory because the
    domain allows for only 3 password attempts before locking and disabling
    the account.

    We have more than plenty of licenses.

    Yes, there were mapped drives. But I have NET USE /PERSISTENT:NO on
    everything - all PCs and servers. Doubly verified on the ones in use.

    I have to map these drives each time I log in.

    And the resource in question that resulted in login failures using the
    old password was using the administrative shares via UNC, not mappings.
    Such as \\PCNAME\C$ as well as remote registry.

    Edwin Davidson.
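
Added example, not part of the original thread or any poster's code: a parser for the "Service Ticket Request Failed" event text quoted above that decodes the failure code and ranks which Client Address is generating failures for a given user. In RFC 4120, 0x12 is KDC_ERR_CLIENT_REVOKED; the function names and the sample records (built from the thread's field layout) are constructed for illustration.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120) commonly seen when tracing lockouts.
KRB_ERRORS = {
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password has expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password presented)",
}

FIELD = re.compile(
    r"^\s*(User Name|User Domain|Service Name|Ticket Options|"
    r"Failure Code|Client Address):\s*(\S+)"
)

def parse_events(text):
    """Split exported event text into one dict per '... Request Failed:' record."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip().endswith("Request Failed:"):
            current = {}
            events.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return events

def decode(code):
    """Map a hex failure code string such as '0x12' to its Kerberos meaning."""
    n = int(code, 16)
    return KRB_ERRORS.get(n, "unlisted code %#x" % n)

def failure_sources(events, user):
    """Rank (client address, service, meaning) by failure count for one user."""
    hits = Counter()
    for e in events:
        if e.get("User Name", "").lower() == user.lower() and "Failure Code" in e:
            key = (e.get("Client Address"), e.get("Service Name"), decode(e["Failure Code"]))
            hits[key] += 1
    return hits.most_common()

# Constructed sample records that reuse the field layout quoted in the thread.
TEMPLATE = ("Service Ticket Request Failed:\nUser Name: {}\nUser Domain: DOMAIN.COM\n"
            "Service Name: {}\nTicket Options: 0x40810010\nFailure Code: {}\nClient Address: {}\n\n")
ROWS = [("USER", "HOST/PC1234", "0x12", "192.168.3.10")] * 2 + [
    ("USER", "HOST/PC1235", "0x12", "192.168.3.10"),
    ("OTHER", "HOST/PC1234", "0x12", "192.168.3.77")]
SAMPLE = "".join(TEMPLATE.format(*r) for r in ROWS)

if __name__ == "__main__":
    for (addr, svc, why), n in failure_sources(parse_events(SAMPLE), "USER"):
        print(n, addr, svc, why)
```

The top-ranked Client Address is the host to inspect for stale sessions, services or cached credentials.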