
Accounts constantly locking out

Anonymous
November 2, 2004 11:24:52 PM

Archived from groups: microsoft.public.win2000.cmdprompt.admin,microsoft.public.win2000.security

I have a two-node Active Directory domain, which I use for change control.
On these, I have created 400 shares and 200 ID's for dropping-off;
promoting; and picking-up software.
I create user ID's and permission the ID to the share and the folder.
The developers drop off the code; and the installers pick it up
during our green-zone. It has worked well for 5 years... almost!

My users are constantly locking their ID's out; which I then have to
endlessly connect with telnet and "net user JoeSmith /active:yes "
to restore the account. No amount of training seems to help,
and they always seem to map-network-drive and lock themselves out again.

How can I increase the number of failed netbios connections before
lockouts, or better yet, why does this happen so much?

Thanks in advance-

Bill
Anonymous
November 3, 2004 8:17:39 AM


You can increase the account lockout threshold in "Domain Security Policy"
where it should be no less than ten bad attempts assuming you are not
allowing weak passwords. Other than fumble fingers, common causes of lockouts
are users being logged onto multiple computers, using mapped drives with
persistent connections, and having a user account used for a service or
Scheduled Task and not changing those passwords also. Open Domain Security
Policy and go to security settings/ account policies/account lockout policy
and set the account lockout threshold to at least ten. The link below may
help if the problem persists with the associated tools and referenced white
paper. --- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyI...

Anonymous
November 3, 2004 8:54:28 AM


Thanks Steve,

question #1 -
In reference to your download link for ALTools.exe, do you know of any
command-line tools
to help me remotely manage share and user permissions? I would
love to be able to add/delete/update users to shares and folders with a
(telnet) command-line tool rather than terminal services and GUI.

Thanks in advance!

Bill

question #2 - is this the root of your searches?

??
http://www.microsoft.com/downloads/search.aspx?displayl...
??


November 3, 2004 5:18:40 PM


Dear William,

Strange things are happening in our domain Controller.

Accounts are automatically getting locked out and clients response time is
very very slow... all these are happening from past 2 days.

We have Win2K with SP4.0 and we have automatic updates set to on.

Could you please let us know how to overcome Automatic Account Lockout
problem.

Thanks in advance

Regards
Vasu

Anonymous
November 3, 2004 5:18:41 PM


Vasu,

Please try the suggestion posted by Steven L Umbach
(above)

Good luck,
Bill


Anonymous
November 3, 2004 6:45:30 PM


In article <OMZlpGZwEHA.3976@TK2MSFTNGP09.phx.gbl>, "William Hymen" <t18_pilot@hotmail.spam.com> wrote:
|Thanks Steve,
|
|question #1 -
|In reference to your download link for ALTools.exe, do you know of any
|command-line tools
|to help me remotely manage share and user permissions? I would
|love to be able to add/delete/update users to shares and folders with a
|(telnet) command-line tool rather than terminal services and GUI.
|

The NT resource kit has a commandline program named RMTSHARE which allows you
to display/create/change/delete/set permissions on shares on a remote
computer.
You can download it here:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reski...

Anonymous
November 3, 2004 7:05:51 PM


As the other poster mentions, you can use RMTSHARE to manage share
permissions from the command line and you can use cacls [built in] or xcacls
to manage folder permissions. I don't know if this will be of use to you but
the free psexec tool from SysInternals allows you to work with the command
prompts of remote computers as long as you have admin permissions and file
and print sharing [port 139/445] connection to the remote computer. I did
not do a search from any particular point but had that link bookmarked. I
usually do my searches from Google and from search Microsoft.com. --- Steve

http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
http://search.microsoft.com/search/search.aspx?st=a&Vie... -- search
Microsoft.com

Anonymous
November 3, 2004 8:28:17 PM


This sounds very much like a hacker break-in attempt, given the sluggishness.
Check your security logs for event ID 529 (Unknown user name or bad password).

Ed


Anonymous
November 9, 2004 12:09:42 AM


Hi,
Vasu wrote:
> Strange things are happening in our domain Controller.
> Accounts are automatically getting locked out and clients response
> time is very very slow... all these are happening from past 2 days.

I have seen this recently caused by a virus, which attempts brute force
attacks with a list of passwords to various domains.
There are two things you should try:
1. Get the source workstation(s) of the failed logon attempts from the
network and make a clean install (at least Trend Micro was, one week ago, not
able to catch that virus.)
2. Disable anonymous account enumerations by setting the value to 1 (if the
source is not in your range and not domain member, this reduces the attack
interface to well known accounts):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
Value Name: RestrictAnonymous
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = allowed, 1 = restricted, 2 = require anonymous permissions)

3. Filter out the source IP addresses (maybe use network monitor to see,
where the attacks are coming from).

Best greetings from Germany
Olaf.
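
An added example, not code from any poster in this thread: the triage suggested in the last replies, grouping event ID 529 failures by source workstation, scripted in Python. The CSV layout, the thresholds and the host names are assumptions; event ID 644 is the Windows 2000 "user account locked out" event.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: an assumed CSV export of the Security log with the
# columns time,event_id,user,workstation (529 = failed logon, 644 = lockout).
SAMPLE_LOG = """\
time,event_id,user,workstation
2004-11-03 08:00:01,529,JoeSmith,DEVPC07
2004-11-03 08:00:31,529,JoeSmith,DEVPC07
2004-11-03 08:01:02,529,joesmith,devpc07
2004-11-03 08:01:02,644,JoeSmith,DEVPC07
2004-11-03 09:15:10,529,Administrator,WKS-X
2004-11-03 09:15:11,529,Guest,WKS-X
2004-11-03 09:15:12,529,Backup,WKS-X
2004-11-03 09:15:13,529,JoeSmith,WKS-X
2004-11-03 09:15:14,529,Installer01,WKS-X
2004-11-03 10:02:40,529,Installer01,INSTPC02
"""


def summarize_failures(log_text, spray_accounts=5, stale_attempts=3):
    """Group event 529 failures by source workstation and label each source.

    Both thresholds are illustrative assumptions, not values from the thread.
    """
    users_by_ws = defaultdict(lambda: defaultdict(int))
    locked = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"].lower()          # account names are case-insensitive
        if row["event_id"] == "529":
            users_by_ws[row["workstation"].upper()][user] += 1
        elif row["event_id"] == "644":
            locked.add(user)
    report = {}
    for ws, counts in users_by_ws.items():
        if len(counts) >= spray_accounts:
            label = "many-accounts"      # one source failing against many IDs
        elif max(counts.values()) >= stale_attempts:
            label = "stale-credential"   # same ID retried, e.g. a mapped drive
        else:
            label = "typo"
        report[ws] = {
            "label": label,
            "failures": sum(counts.values()),
            "accounts": sorted(counts),
            "locked_out": sorted(locked & set(counts)),
        }
    return report


if __name__ == "__main__":
    for ws, info in sorted(summarize_failures(SAMPLE_LOG).items()):
        print(ws, info)
```

A source labelled "stale-credential" points at the persistent-connection or service-account causes listed earlier in the thread; a source labelled "many-accounts" is the one to isolate and rebuild.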