Accounts locked


dechomai

A couple of users (domain admin) are getting account
lockouts very frequently. One is getting the account
locked every morning, but after it is unlocked it lasts for
the whole day, but come the next day the account is
locked again. Recently I applied the domain account
lockout policy and it is set to lock accounts after 3 bad
logons. Any suggestions?

Thanks,

Dechomai
 
One case where I have seen this happening is where the user manually maps a
drive to be persistent (reconnect at logon). Then the user changes his
password (or is forced by the policy to do so). The mapped drive will try
to reconnect with the credentials originally provided when the drive was
mapped. Each mapped drive will cause a "hit" against the bad password
count.

There is a tool that is very useful in the diagnosis of this type of
problem. The account lockout tool is available for download from Microsoft
(I don't have the URL).

Hope this helps.

Bruce
 
Set your account lockout threshold to at least ten, as suggested by Microsoft, if
you are requiring your users to use complex passwords, which will still protect
you from brute force attacks. In some situations one failed logon can generate
multiple events to the counter on the domain controller and lock the user out.
Common reasons for account lockouts are old user credentials used for a logon to
another computer that was never logged off [including Terminal Servers],
persistent mapped drives, Scheduled Tasks, used for service authentication, or
stored/cached by an application requiring user credentials. The link below goes
into more detail on what can cause account lockouts and how to track them
down.

--- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
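
Added example, not part of any post in this thread: a small Python replay of failed-logon records that shows which source host and logon type trips the lockout counter, and how the same stale credential behaves at a threshold of 3 versus 10. The sample events, the host names, the account name and the 30-minute counter reset window are constructed assumptions; the logon type numbers are the standard Windows values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Windows logon type codes mapped to the causes named in the thread.
LOGON_TYPE_HINT = {
    3: "network logon (persistent mapped drive)",
    4: "batch logon (Scheduled Task)",
    5: "service logon (service authentication)",
    10: "remote interactive (Terminal Server session)",
}

# Constructed sample of failed logons: (time, account, source host, logon type).
SAMPLE_FAILURES = [
    (datetime(2004, 1, 5, 7, 0, 1), "admin1", "APPSRV02", 4),
    (datetime(2004, 1, 5, 7, 0, 2), "admin1", "APPSRV02", 4),
    (datetime(2004, 1, 5, 7, 0, 3), "admin1", "APPSRV02", 4),
    (datetime(2004, 1, 5, 13, 15, 0), "admin1", "WKS-014", 2),  # one mistyped password
    (datetime(2004, 1, 6, 7, 0, 1), "admin1", "APPSRV02", 4),
    (datetime(2004, 1, 6, 7, 0, 2), "admin1", "APPSRV02", 4),
    (datetime(2004, 1, 6, 7, 0, 3), "admin1", "APPSRV02", 4),
]

def find_lockouts(failures, threshold=3, window=timedelta(minutes=30)):
    """Replay failures; return (lock time, account, dominant host, logon type)."""
    recent = defaultdict(list)
    lockouts = []
    for ts, account, host, ltype in sorted(failures):
        # Keep only bad-password hits still inside the counter reset window.
        hits = [h for h in recent[account] if ts - h[0] <= window]
        hits.append((ts, host, ltype))
        if len(hits) >= threshold:
            (src, lt), _ = Counter((h[1], h[2]) for h in hits).most_common(1)[0]
            lockouts.append((ts, account, src, lt))
            hits = []  # counter starts over after the lockout
        recent[account] = hits
    return lockouts

def recurring_sources(lockouts):
    """Map (account, host, likely cause) to the hours of day lockouts occurred."""
    hours = defaultdict(set)
    for ts, account, src, lt in lockouts:
        hint = LOGON_TYPE_HINT.get(lt, "logon type %d" % lt)
        hours[(account, src, hint)].add(ts.hour)
    return {key: sorted(val) for key, val in hours.items()}

if __name__ == "__main__":
    for t in (3, 10):
        print(t, recurring_sources(find_lockouts(SAMPLE_FAILURES, threshold=t)))
```

A lockout that recurs at the same hour from the same host with a batch or network logon type points at a stored credential on that host rather than at the user typing a wrong password.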
 
A scheduled task running in their account context?


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 