Account lockout

Sloup Michal

We are running a W2K domain. One of our users suddenly gets
locked out (regularly). I used EventComb to search all our
DCs (we have almost 60) for some events.

I'm able to find events 642 and 644. Also I can see events
675 (failure code 18) and 681 (error code 3221226036).

It means that I can find the moment when the account is
locked, but I need also to know why! So I need to find
some events 675 or 681 with code 24 or 3221225578.

Can anyone advise where to look or what to switch on,
etc...

Any hint is appreciated.

Michal
 
Steven L Umbach

You would also want to enable auditing of logon events on his workstation
and any other computers/servers that the user may usually use looking for
failed logon attempts with that account name on those computers. It could
possibly be that the user is still logged onto another computer [Terminal
Services or such] with an old password, that a mapped share with persistent
credentials is used with an old/bad password, or a Scheduled Task is using the
user's wrong password. Hopefully it is not a jokester on the network because
the lockout could be occurring on any computer that has file and print
sharing enabled and that would not show up in the domain controller logs
like a bad attempt to log on to the domain interactively would. The link
below is excellent for tips on how to track such issues down, about two thirds
of the way down under the heading "Troubleshooting Account Lockout". --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
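
Added example, not part of the original posts: the codes quoted in this thread are decoded in the table below, and the Python tallies bad-password events (675 with code 24, 681 with code 3221225578) by source in the window before each 644 lockout. The pipe-delimited record layout, the sample rows and the names `describe`, `parse` and `lockout_sources` are assumptions constructed for illustration, not EventComb's output format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Codes quoted in the thread, decoded. 675 carries a Kerberos failure code,
# 681 an NTSTATUS value printed in decimal.
CODES = {
    (675, 18): "KDC_ERR_CLIENT_REVOKED (account locked, disabled or expired)",
    (675, 24): "KDC_ERR_PREAUTH_FAILED (bad password)",
    (681, 3221226036): "STATUS_ACCOUNT_LOCKED_OUT (0xC0000234)",
    (681, 3221225578): "STATUS_WRONG_PASSWORD (0xC000006A)",
}
BAD_PASSWORD = {(675, 24), (681, 3221225578)}

# Constructed sample merged from several DCs (assumed layout):
# time|DC|event id|user|code|source (client address or workstation)
SAMPLE = """\
2004-04-22 09:40:01|DC07|675|jdoe|24|10.1.4.33
2004-04-22 09:40:03|DC07|675|jdoe|24|10.1.4.33
2004-04-22 09:40:05|DC12|681|jdoe|3221225578|TS01
2004-04-22 09:40:07|DC07|675|jdoe|24|10.1.4.33
2004-04-22 09:40:07|DC07|644|jdoe||DC07
2004-04-22 09:41:00|DC07|675|jdoe|18|10.1.4.33
2004-04-22 09:41:10|DC03|681|jdoe|3221226036|WKS-JDOE
2004-04-22 09:41:30|DC07|675|asmith|24|10.1.9.2
"""

def describe(event, code):
    return CODES.get((event, code), "not decoded here")

def parse(text):
    rows = []
    for line in text.strip().splitlines():
        ts, dc, event, user, code, source = line.split("|")
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "dc": dc, "event": int(event), "user": user.lower(),
                     "code": int(code) if code else None, "source": source})
    return sorted(rows, key=lambda r: r["time"])

def lockout_sources(rows, user, window=timedelta(minutes=30)):
    """Per 644 lockout of `user`: bad-password events by source in the window before it."""
    user, report = user.lower(), []
    for lock in (r for r in rows if r["event"] == 644 and r["user"] == user):
        hits = Counter(r["source"] for r in rows
                       if r["user"] == user
                       and (r["event"], r["code"]) in BAD_PASSWORD
                       and lock["time"] - window <= r["time"] <= lock["time"])
        report.append((lock["time"], lock["dc"], hits.most_common()))
    return report

if __name__ == "__main__":
    for when, dc, hits in lockout_sources(parse(SAMPLE), "jdoe"):
        print(when, dc, hits)
```

The source with the highest count is the machine to check first for the stale sessions, mapped shares or scheduled tasks described above.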
 
Alex Zhang

Hello Michal,

Thank you for posting here.

I'd like to provide some information to you as a supplement.

You could use the following tool to troubleshoot account lockouts, as well
as add functionality to Active Directory.

Account Lockout and Management Tools
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

In addition, you may browse the following web site for more information:

Enabling Debug Logging for the Net Logon Service
http://support.microsoft.com/default.aspx?scid=kb;EN-US;109626


If you have any questions or concerns, please do not hesitate to let me
know. I am happy to be of assistance.
Thanks and regards,
Alex Zhang
Microsoft Partner Online Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.