Account lockout, terminal services, not disconnected sessi..

Anonymous
April 7, 2005 11:53:30 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

We have been dealing with account lockout issues for well over a year.

After much analysis this is what I have discovered.

I normally am terminal serviced into SERVER1 in a disconnected state,
running workstation scanning software.

My password expired today (Netware grace logons, AD not expired yet.)

I Terminal serviced into SERVER1 and logged out.

I ran PSLOGGEDON and verified I was not logged in at any location other
than my desk.

I did CTRL ALT DEL and changed my password on the Active directory
(Mixed mode.) as well as the Netware NDS and our eDirectory tree.

I rebooted my PC, and logged back on. I verified my password synced
across the domain controllers.

I terminal serviced into SERVER1 with my new password.

I started running my software scan.

Immediately my account became disabled. The event logs on our AD
server from which I got locked out show this:

Service Ticket Request Failed:
User Name: USER
User Domain: DOMAIN.COM
Service Name: HOST/PC1234
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 192.168.3.10


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

USER is my user ID. DOMAIN.COM is my Active Directory Domain. PC1234
is the workstation I was attempting to scan. 192.168.3.10 is the IP
address of the SERVER1 where I run my scanning software.

So this tells me that when I logged out of Terminal Services (Not
disconnected) and verified via PSLOGGEDON and Terminal Services Manager
(from another admin's desk) that I was not on this server, Windows still
kept my old credentials.

Even after logging on with my new password, Microsoft Windows 2000
server still attempts to use the last USERID/PWD that I connected to
this PC1234 with. I actually had to reboot the server to get past this
issue.

This seems to be a security bug to me.

Are there any known articles on fixing this? Much searching, and I
have not found anything just like this -- only the issue with
disconnected sessions.

Edwin Davidson.
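
As an added example (not part of the original posts): the event quoted above carries Failure Code 0x12, which RFC 4120 defines as KDC_ERR_CLIENT_REVOKED (account locked out, disabled or expired), while a wrong password is reported as 0x18, KDC_ERR_PREAUTH_FAILED. The Python sketch below groups such event descriptions by Client Address and failure code; the two "Pre-authentication failed" events and the address 192.168.3.77 are constructed sample data, and the parser assumes the plain-text layout shown in the post.

```python
import re
from collections import defaultdict

# Kerberos failure codes (RFC 4120) relevant to lockout triage.
KRB_ERRORS = {
    0x12: "KDC_ERR_CLIENT_REVOKED",   # account already locked, disabled or expired
    0x18: "KDC_ERR_PREAUTH_FAILED",   # wrong password presented
}

# The "Service Ticket Request Failed" event is the one quoted in the post; the
# two "Pre-authentication failed" events are constructed sample data.
SAMPLE = """\
Pre-authentication failed:
User Name: USER
Failure Code: 0x18
Client Address: 192.168.3.10

Service Ticket Request Failed:
User Name: USER
User Domain: DOMAIN.COM
Service Name: HOST/PC1234
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 192.168.3.10

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Pre-authentication failed:
User Name: USER
Failure Code: 0x18
Client Address: 192.168.3.77
"""

def parse_events(text):
    """Split on blank lines and read each block's 'Key: Value' fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^[ \t]*([^:\n]+):[ \t]*(\S.*)$", block, re.M))
        if "Failure Code" in fields:  # skips the "For more information" footer
            events.append(fields)
    return events

def triage(events):
    """Count failures per client address, keyed by Kerberos error name."""
    report = defaultdict(lambda: defaultdict(int))
    for ev in events:
        name = KRB_ERRORS.get(int(ev["Failure Code"], 16), ev["Failure Code"])
        report[ev.get("Client Address", "unknown")][name] += 1
    return {addr: dict(codes) for addr, codes in report.items()}
```

In the output of `triage(parse_events(SAMPLE))`, addresses with KDC_ERR_PREAUTH_FAILED counts are the hosts that presented a wrong password; KDC_ERR_CLIENT_REVOKED entries are requests made after the account was already locked.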

Anonymous
April 10, 2005 12:24:06 PM

edavid3001@gmail.com wrote:

> We have been dealing with account lockout issues for well over a year.
>
> After much analysis this is what I have discovered.
>
> I normally am terminal serviced into SERVER1 in a disconnected state,
> running workstation scanning software.
>
> My password expired today (Netware grace logons, AD not expired yet.)
>
> I Terminal serviced into SERVER1 and logged out.
>
> I ran PSLOGGEDON and verified I was not logged in at any location other
> than my desk.
>
> I did CTRL ALT DEL and changed my password on the Active directory
> (Mixed mode.) as well as the Netware NDS and our eDirectory tree.
>
> I rebooted my PC, and logged back on. I verified my password synced
> across the domain controllers.
>
> I terminal serviced into SERVER1 with my new password.
>
> I started running my software scan.
>
> Immediately my account became disabled. The event logs on our AD
> server from which I got locked out show this:

Is the account locked or disabled? There is a difference. If the account
is being locked you may be out of licenses. Did you change your password
AND have mapped drives using the old password?

>
>
> Service Ticket Request Failed:
> User Name: USER
> User Domain: DOMAIN.COM
> Service Name: HOST/PC1234
> Ticket Options: 0x40810010
> Failure Code: 0x12
> Client Address: 192.168.3.10
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> USER is my user ID. DOMAIN.COM is my Active Directory Domain. PC1234
> is the workstation I was attempting to scan. 192.168.3.10 is the IP
> address of the SERVER1 where I run my scanning software.
>
> So this tells me that when I logged out of Terminal Services (Not
> disconnected) and verified via PSLOGGEDON and Terminal Services Manager
> (from another admin's desk) that I was not on this server, Windows still
> kept my old credentials.
>
> Even after logging on with my new password, Microsoft Windows 2000
> server still attempts to use the last USERID/PWD that I connected to
> this PC1234 with. I actually had to reboot the server to get past this
> issue.
>
> This seems to be a security bug to me.
>
> Are there any known articles on fixing this? Much searching, and I
> have not found anything just like this -- only the issue with
> disconnected sessions.
>
> Edwin Davidson.

Anonymous
April 11, 2005 3:22:08 PM

>> Is the account locked or disabled? There is a difference. If the account
>> is being locked you may be out of licenses. Did you change your password
>> AND have mapped drives using the old password?

Both. The account is locked out on the Active Directory because the
domain allows for only 3 password attempts before locking and disabling
the account.

We have more than plenty of licenses.

Yes, there were mapped drives. But I have NET USE /PERSISTENT:NO on
everything - all PCs and servers. Doubly verified on the ones in use.

I have to map these drives each time I log in.

And the resource in question that resulted in login failures using the
old password was using the administrative shares via UNC, not mappings.
Such as \\PCNAME\C$ as well as remote registry.

Edwin Davidson.