Accounts locked

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Couple of users (domain admin) are getting an account
lock out very frequently. One is getting the account
lock every morning, but after it is unlocked it last for
the whole day, but coming the next day the account is
locked again. Recently I applied the domain account
lockout policy and it is set to lock accounts after 3 bad
logons. Any suggestion?

Thanks,

Dechomai

 

[Bruce]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

One case where I have seen this happening is where the user manually maps a
drive to be persistent (reconnect at logon). Then the user changes his
password (or is forced by the policy to do so). The mapped drive will try
to reconnect with the credentials originally provided when the drive was
mapped. Each mapped drive will cause a "hit" against the bad password
count.

There is a tool that is very useful in the diagnosis of this type of
problem. The account lockout tool is available for download from microsoft
(I don't have the URL).

hope this helps.

Bruce


"dechomai" <anonymous@discussions.microsoft.com> wrote in message
news:a0ac01c486e3$2b8bb1d0$a401280a@phx.gbl...
> Couple of users (domain admin) are getting an account
> lock out very frequently. One is getting the account
> lock every morning, but after it is unlocked it last for
> the whole day, but coming the next day the account is
> locked again. Recently I applied the domain account
> lockout policy and it is set to lock accounts after 3 bad
> logons. Any suggestion?
>
> Thanks,
>
> Dechomai

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Set your account lockout threshold to at least ten as suggested by Microsoft if
you are requiring your users to use complex passwords which will still protect
you from brute force attacks.. In some situations one failed logon can generate
multiple events to the counter on the domain controller and lock the user out.
Common reasons for account lockouts are old user credentials used for a logon to
another computer that was never logged off [including Terminal Servers] ,
persistent mapped drives, Scheduled Tasks, used for service authentication, or
stored/cached by an application requiring user credentials. The link below goes
into more detail on what can cause account lockouts and how to track them
own. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

"dechomai" <anonymous@discussions.microsoft.com> wrote in message
news:a0ac01c486e3$2b8bb1d0$a401280a@phx.gbl...
> Couple of users (domain admin) are getting an account
> lock out very frequently. One is getting the account
> lock every morning, but after it is unlocked it last for
> the whole day, but coming the next day the account is
> locked again. Recently I applied the domain account
> lockout policy and it is set to lock accounts after 3 bad
> logons. Any suggestion?
>
> Thanks,
>
> Dechomai

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

On Fri, 20 Aug 2004 11:26:11 -0700, "dechomai"
<anonymous@discussions.microsoft.com> wrote:

>Couple of users (domain admin) are getting an account
>lock out very frequently. One is getting the account
>lock every morning, but after it is unlocked it last for
>the whole day, but coming the next day the account is
>locked again. Recently I applied the domain account
>lockout policy and it is set to lock accounts after 3 bad
>logons. Any suggestion?
>
>Thanks,
>
>Dechomai


An scheduled task running in their account context?


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com