Accounts constantly locking out

Archived from groups: microsoft.public.win2000.cmdprompt.admin,microsoft.public.win2000.security (More info?)

I have a two-node Active Directory domain, which I use for change control.
On these, I have created 400 shares and 200 ID's for dropping-off; promoting; and picking-up software.
I create user ID's and permission the ID to the share and the folder.
The developers drop off the code; and the installers pick it up
during our green-zone. It has worked well for 5 years... almost!

My users are constantly locking their ID's out; which I then have to
endlessly connect with telnet and "net user JoeSmith /active:yes "
to restore the account. No amount of training seems to help,
and they always seem to map-network-drive and lock themselves out again.

How can I increase the number of failed NetBIOS connections before lockouts,
or better yet, why does this happen so much?

Thanks in advance-

Bill
  1.

    You can increase the account lockout threshold in "Domain Security Policy",
    where it should be no less than ten bad attempts, assuming you are not
    allowing weak passwords. Other than fumble fingers, common causes of lockouts
    are users being logged onto multiple computers, using mapped drives with
    persistent connections, and having a user account used for a service or
    Scheduled Task and not changing those passwords also. Open Domain Security
    Policy and go to Security Settings / Account Policies / Account Lockout Policy
    and set the account lockout threshold to at least ten. The link below may
    help if the problem persists, with the associated tools and referenced white
    paper. --- Steve

    http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

  2.

    Thanks Steve,

    question #1 -
    In reference to your download link for ALTools.exe, do you know of any
    command-line tools to help me remotely manage share and user permissions?
    I would love to be able to add/delete/update users to shares and folders
    with a (telnet) command-line tool rather than terminal services and GUI.

    Thanks in advance!

    Bill

    question #2 - is this the root of your searches?

    ??
    http://www.microsoft.com/downloads/search.aspx?displaylang=en&categoryid=12
    ??

  3.

    Dear William,

    Strange things are happening in our domain controller.

    Accounts are automatically getting locked out and client response time is
    very, very slow. All of this has been happening for the past 2 days.

    We have Win2K with SP4.0 and we have automatic updates set to on.

    Could you please let us know how to overcome the automatic account lockout
    problem?

    Thanks in advance

    Regards
    Vasu

  4.

    Vasu,

    Please try the suggestion posted by Steven L Umbach (above).

    Good luck,
    Bill

  5.

    In article <OMZlpGZwEHA.3976@TK2MSFTNGP09.phx.gbl>, "William Hymen" <t18_pilot@hotmail.spam.com> wrote:
    |Thanks Steve,
    |
    |question #1 -
    |In reference to your download link for ALTools.exe, do you know of any
    |command-line tools
    |to help me remotely manage share and user permissions? I would
    |love to be able to add/delete/update users to shares and folders with a
    |(telnet) command-line tool rather than terminal services and GUI.
    |

    The NT Resource Kit has a command-line program named RMTSHARE which allows you
    to display/create/change/delete/set permissions on shares on a remote
    computer.
    You can download it here:
    ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/RMTSHAR.EXE

  6.

    As the other poster mentions, you can use RMTSHARE to manage share
    permissions from the command line and you can use cacls [built in] or xcacls
    to manage folder permissions. I don't know if this will be of use to you but
    the free psexec tool from SysInternals allows you to work with the command
    prompts of remote computers as long as you have admin permissions and a file
    and print sharing [port 139/445] connection to the remote computer. I did
    not do a search from any particular point but had that link bookmarked. I
    usually do my searches from Google and from search Microsoft.com. --- Steve

    http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
    http://search.microsoft.com/search/search.aspx?st=a&View=en-us -- search Microsoft.com

  7.

    This sounds very much like a hacker break-in attempt, given the sluggishness.
    Check your security logs for event ID 529 (Unknown user name or bad password).

    Ed


    In article <OEpHPIYwEHA.1396@tk2msftngp13.phx.gbl>, "Vasu"
    <kr_vasudev@advantaindia.com> wrote:
    >Dear William,
    >
    >Strange things are happening in our domain Controller.
    >
    >Accounts are automatically getting locked out and clients response time is
    >very very slow... all these are happening from past 2 days.
    >
    >We have Win2K with SP4.0 and we have automatic updates set to on.
    >
    >Could you please let us know how to overcome Automatic Account Lockout
    >problem.
    >
    >Thanks in advance
    >
    >Regards
    >Vasu
  8.

    Hi,
    Vasu wrote:
    > Strange things are happening in our domain Controller.
    > Accounts are automatically getting locked out and clients response
    > time is very very slow... all these are happening from past 2 days.

    I have seen this recently caused by a virus, which attempts brute force
    attacks with a list of passwords to various domains.
    There are two things you should try:
    1. Get the source workstation(s) of the failed logon attempts from the
    network and make a clean install (at least Trend Micro was not able to
    catch that virus one week ago).
    2. Disable anonymous account enumerations by setting the value to 1 (if the
    source is not in your range and not a domain member, this reduces the attack
    interface to well known accounts):
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
    Value Name: RestrictAnonymous
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = allowed, 1 = restricted, 2 = require anonymous permissions)

    3. Filter out the source IP addresses (maybe use Network Monitor to see
    where the attacks are coming from).

    Best greetings from Germany
    Olaf.
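
An added example (not from any poster in this thread): one way to run the log check Ed and Olaf describe, grouping event ID 529 records by source workstation to tell a stale saved password (the mapped-drive and service causes Steve lists) from password guessing across many accounts. The sample records are constructed, the field layout is assumed from the Windows 2000 event 529 description text, and the thresholds and verdict labels are assumptions to tune for your domain.

```python
import re
from collections import defaultdict

# Field layout assumed from the Windows 2000 event ID 529 description text.
FIELD_RE = re.compile(
    r"^[ \t]*(User Name|Logon Type|Workstation Name):[ \t]*(.*?)[ \t]*\r?$", re.M)

def parse_529(description):
    """Return selected fields of one event 529 description as a dict."""
    return dict(FIELD_RE.findall(description))

def triage(descriptions, many_accounts=5, repeat_failures=5):
    """Group failed logons by source workstation and label each source.

    Thresholds and labels are assumptions for illustration:
      guessing         - one source failing against many different accounts
      stale-credential - one source failing repeatedly for the same account
                         (saved mapped drive, service, scheduled task)
      typo             - a few isolated failures
    """
    by_source = defaultdict(lambda: defaultdict(int))
    for text in descriptions:
        fields = parse_529(text)
        if "User Name" not in fields:
            continue  # not an event 529 description
        source = fields.get("Workstation Name") or "(unknown)"
        by_source[source][fields["User Name"].lower()] += 1
    report = {}
    for source, accounts in by_source.items():
        if len(accounts) >= many_accounts:
            verdict = "guessing"
        elif max(accounts.values()) >= repeat_failures:
            verdict = "stale-credential"
        else:
            verdict = "typo"
        report[source] = {"failures": sum(accounts.values()),
                          "accounts": sorted(accounts), "verdict": verdict}
    return report

def _event(user, workstation):
    """Build one constructed event 529 description (sample data only)."""
    return ("Logon Failure:\r\n"
            "\tReason:\t\tUnknown user name or bad password\r\n"
            f"\tUser Name:\t{user}\r\n"
            "\tDomain:\t\tEXAMPLE\r\n"
            "\tLogon Type:\t3\r\n"
            f"\tWorkstation Name:\t{workstation}\r\n")

# Constructed sample records; account names and hosts are hypothetical.
SAMPLE_EVENTS = (
    [_event("JoeSmith", "WS-DEV07")] * 6
    + [_event(u, "WS-LAB22") for u in
       ("administrator", "admin", "guest", "backup", "test", "sql")] * 2
    + [_event("msmith", "WS-QA03")]
)

if __name__ == "__main__":
    for source, info in sorted(triage(SAMPLE_EVENTS).items()):
        print(source, info["verdict"], info["failures"], info["accounts"])
```

A "stale-credential" source is a candidate for clearing the saved mapping or updating the service password; a "guessing" source is the workstation to isolate and rebuild as described in step 1 above.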