Account Lockout and Logging


Linda K. Tice, M.S., RT(R)(M)

I have an account (which just happens to be mine) that I can't unlock. I've
got a native W2k environment with a Win2K Domain Controller on Active
Directory. As soon as I unlock the account, it just locks up again.

Also, I don't seem to be able to get the security events log to record
information. It's supposed to be logging failed logon attempts, but I'm not
seeing anything.

Help!
 
Is this same account used by any software, services or tasks? It may be
that an incorrect password somewhere is triggering the lockout policy.

--
Colin M. McGroarty
MCP+I, MCSE, NT-CIP

(e-mail address removed)
www.McGroarty.org
 
No, it's a personal account -- it locks out in less than 15 seconds from the
time it is reset. It's almost as if it's not actually getting unlocked at
all.
 
What are the thresholds that are set in the lockout policy? Are you able to
log in during the 15 second window?

--
Colin M. McGroarty
MCP+I, MCSE, NT-CIP

(e-mail address removed)
www.McGroarty.org
 
I'm not convinced, however, that I'm actually seeing all log-on attempts. I
see some that I deliberately failed on are being logged on the local
machine, but I can't see if someone from some other machine would be trying
to log on. The event viewer on the D.C. does not seem to be logging the
failures.
 
My security event logging just kicked into full swing. It would appear that
my Exchange server is infected with something. Thanks for your help.
 
Hi Linda,

In a pure Windows 2000 domain the default logging of events will miss most
of the failures that happen using the Kerberos protocol. You may see some
675, 676 and 677 errors in the security event viewer but the ones of
interest (681s) will not appear unless Kerberos logging is enabled. This
does generate a number of additional messages in the System event log that
can be ignored for the most part.

262177 HOW TO: Enable Kerberos Event Logging
http://support.microsoft.com/?id=262177

One note about your settings for the lockout. Currently we are
recommending a minimum of 10 for the lockout threshold. This change is due
to the way that some connections occur in which one connection attempt can
generate a 3 count for failed logon attempts.

We have a great document on account lockouts and some tools located at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp



Please respond directly to the newsgroup so all members can benefit from the
questions and answers.


Lloyd Newland, MCSE, MCSA

(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
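
Once the domain controller is recording the failures, the useful question in a case like this one is which machine they come from. The sketch below is an added example, not part of any post in the thread: it tallies the failure event IDs named above (675, 676, 677, 681) per account and source inside a sliding window and reports the pairs that reach the lockout threshold. The comma-separated export layout, the account and host names and the 30-minute window are assumptions; the default threshold of 10 is the value recommended in the reply above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-logon event IDs named in the thread (Windows 2000 Security log).
FAILURE_IDS = {675, 676, 677, 681}

# Constructed sample in an assumed "time,event ID,account,source" export layout.
SAMPLE = "\n".join(
    [f"2003-01-01 09:00:{s:02d},681,user1,EXCH01" for s in range(12)]
    + ["2003-01-01 09:05:10,675,user1,WKSTN07",
       "2003-01-01 09:06:40,675,User1,WKSTN07",
       "2003-01-01 09:07:00,528,user1,WKSTN07",  # successful logon, ignored
       "malformed row"]
)

def parse(text):
    """Yield (time, account, source) for each well-formed failure row."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or not parts[1].isdigit():
            continue  # skip blank or malformed rows
        if int(parts[1]) in FAILURE_IDS:
            try:
                when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            except ValueError:
                continue  # unreadable timestamp
            yield when, parts[2].lower(), parts[3].upper()

def lockout_sources(text, threshold=10, window=timedelta(minutes=30)):
    """Map (account, source) to its peak failure count within one window,
    keeping only the pairs whose peak reaches the lockout threshold."""
    stamps = defaultdict(list)
    for when, account, source in parse(text):
        stamps[(account, source)].append(when)
    flagged = {}
    for key, times in stamps.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

if __name__ == "__main__":
    for (account, source), count in lockout_sources(SAMPLE).items():
        print(f"{account}: {count} failures from {source}")
```

A source that produces a dozen failures within seconds, as the constructed EXCH01 rows do, points at a service or infected host rather than a person mistyping a password.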
 