Account Lockout Troubleshooting

  • Thread starter Thread starter Joe
  • Start date Start date
J

Joe

Hello All:

Have a question. Recently upgraded the domain from NT4.0 to 2000 AD.
Everything's fine but having an account lockout issue which I was looking
into and I discovered the following:

On the NT 4.0 PDC that was the first to be upgraded, it is not recording any
account lockouts. If I intentionally lockout a testusere account, using the
account lockout tool, I can see the account listed as locked on our 2 other
DC's, but not the original PDC now DC.

I also cannot find any 644 events being logged anywhere on any DC's despite
having logging for this enabled. Can anyone offer some insight to any of
this..

Thanks

Joe
 
Run diagnostics against your Active Directory domain.

If you don't have the tools installed, install them from your server install
disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> dcdiag /e /c /v /s:DC_Name /f:c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run

individual tests without having to learn all the switch options. The
details will be output in notepad text files that pop

up automagically.

The script is located in the download section on my website at
http://www.pbbergs.com

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

--
Paul Bergson

MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top