Administrator Account Locked Out


FireBob57

I am running Win XP Pro SP2.

I have 2 user accounts, one named "Bob" (administrator), and one (limited
user)

Periodically, when logging on my account, I enter my password and get a
message that my account has been locked out- please contact your
administrator. I may or may not be able to sign on using the limited account-
occasionally it is also locked out.

Rebooting (restart or power-on), the Welcome Screen shows "Administrator" in
place of "Bob", and the limited user account is either intact, or missing
(inconsistent symptom).
The "Administrator" account accepts the "Bob" account password, then Windows
begins to load "personalized settings" that do not match the "Bob" account
settings, i.e., desktop wallpaper, shortcuts, My Documents, My Pictures, etc.
Windows also treats this account as a new user, offering a tour of XP, etc.
However, all IE6 favorites, history, cookies, and OE6 address book entries,
as well as email settings and folders, match the "Bob" account. It's as if
Windows doesn't know me upon logon, but recognizes me afterwards.

The only way I have found to recover is to do a system restore. This is
usually successful, but at times I get a message that says "...cannot restore
to selected restore point, no changes have been made." Ironically, if I
reboot again, the "Bob" account may appear again.

Now, my suspicions. If this info muddies the water, please disregard.

I am not positive, but I believe this began after downloading and installing
IE7 a few weeks ago. I did not like the IE7 interface, so I attempted to
uninstall it. I was concerned that uninstalling IE7 would leave me without a
browser instead of rolling me back to IE6. Therefore, I did a system restore
prior to IE7. A few days later, this problem surfaced, perhaps after I
rebooted.

I hope I conveyed this information clearly. Thanks in advance for your help.

Bob
 
Looks like someone has been trying to hack into your host. After a
threshold of number of failed attempts, Windows will lock up the login to
force the hacker to wait (which they usually won't do). For local
accounts, you can see these settings by using the group policy editor
(gpedit.msc) and going to:

Computer Configuration
Windows Settings
Security Settings
Account Policies
Account Lockout Policy

Account Lockout Duration is how long logging in is disabled once there is
a lockout. I have mine set for 15 minutes because I'm in a very small
network with few users and I'm only interested in thwarting outside
hacking attempts (if they manage to get past the router's firewall).
Account Lockout Threshold is how many sequential failed login attempts
will trigger a lockout. Reset Account Lockout Counter After is how long
to reset the counter so it starts counting at 1 for the next failed
attempt. Mine is set for 5 minutes; for example, maybe your first 2
logins failed but you wait 5 minutes, or more, so just in case your 3rd
attempt fails it will be the first one in the count threshold.

http://support.microsoft.com/kb/297157/en-us (old)
http://support.microsoft.com/search/default.aspx?&query=account+lockout+policy

You might want to enable auditing for failed logins. I'm not familiar
with the event that gets recorded and seen in Events Viewer so I don't
know if the audit event provides sufficient information to determine who
is trying to hack into your box. This might be something you bring up
with your IT folks to have them sniff their network regarding connection
attempts to your host.

If you have the policy configured to show the username in the login
screen of the last user that logged in and it is now different, someone
tried to use that other account to get into your box. Do you have
Remote Desktop, TeamViewer, some flavor of VNC, or other remote access
program enabled on your host to let someone have remote access to your
box who is trying to repeatedly login until they lock it up?
 
Vanguard,

Thanks for replying to this post.

First, my PC is a home/ personal computer. Two users are assigned IDs. The
only other access would be from the web- someone trying to hack me. I am
using Trend Micro Internet Security 2008 (have used Trend for ten years), and
this problem surfaced while using the 2007 version. I use Trend's firewall
and per their suggestion, Windows firewall is disabled due to potential
conflicts. I do regular updates and scans, and nothing is detected except
Spyware cookies, but I have to wonder if Trend is failing to detect a worm,
Trojan Horse, or virus.

The following are my current logon security parameters:

Account lockout duration 30 minutes
Account lockout threshold 3 invalid logon attempts
Reset account lockout counter after 30 minutes

So, to clarify your reply- Are you saying that this problem can be caused by
an "outsider" trying to hack my PC from the web?
If yes, does the fact that I get locked out of my account indicate that the
hacker failed to gain access to my hard drive?

Looking at Trend's firewall logs, there are a considerable number of entries
logged during every internet session, but I have never seen a warning appear
while surfing that my firewall was breached (not sure I would even receive a
warning).

Finally, the next time this problem arises, I will wait the prescribed time
to allow the security timers to reset and see if that is what is actually
occurring.
 
FireBob57 said:
Vanguard,

First, my PC is a home/ personal computer. Two users are assigned IDs.

Besides the Administrator account (that you don't create and cannot
delete), you have 2 accounts defined. Presumably one is for you. Who
is the other account for?

Are there kids in the house that have physical access to your computer?
When you aren't at the computer, is it locked in a room to which no one
else has physical access? Do you live alone?

The following are my current logon security parameters:

Account lockout duration 30 minutes
Account lockout threshold 3 invalid logon attempts
Reset account lockout counter after 30 minutes

You may have to wait up to 30 minutes to wait for the lockout to expire.
When you are at the computer and it is locked out, yank the network cable
from the computer or turn off your wireless router/hub to make sure no
one is trying to login while you are waiting for the lockout to expire.

So, to clarify your reply- Are you saying that this problem can be caused by
an "outsider" trying to hack my PC from the web?

That outsider may be someone else in your own home. I don't know your
living arrangements. I don't know if it is a stationary desktop
computer or a laptop that you tote around (and leave unattended).

If yes, does the fact that I get locked out of my account indicate that the
hacker failed to gain access to my hard drive?

They failed to login into Windows, failed 3 times, and Windows locked
out any further login attempts for 30 minutes. If someone has physical
access to your computer, they also have physical access to your hard
drive unless you have locked the case.

To audit failed login attempts, you can enable auditing by running the
policy editor (gpedit.msc) and go under:

Computer Configuration
Windows Settings
Security Settings
Local Policies
Audit Policy

Audit logon events
Select the check for "Failure"
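
Added example, not part of the thread: a Python model of how the three lockout settings quoted above (threshold 3, reset after 30 minutes, duration 30 minutes) interact, replayed over constructed failed-logon records of the kind the "Failure" audit setting produces. The event IDs (528 success, 529 failure) and logon-type codes are XP-era Security log conventions assumed here, not values given in the thread; the account names and timestamps are made up.

```python
from datetime import datetime, timedelta

# Policy values quoted in the thread.
THRESHOLD = 3                        # Account lockout threshold
RESET_AFTER = timedelta(minutes=30)  # Reset account lockout counter after
DURATION = timedelta(minutes=30)     # Account lockout duration

# Assumptions (not from the thread): XP-era Security log event IDs and logon types.
LOGON_OK, LOGON_FAILED = 528, 529
LOGON_TYPES = {2: "console", 3: "network", 10: "remote desktop"}

def t(hhmm):
    """Timestamp on a constructed sample day."""
    return datetime.strptime("2008-01-15 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed records: (time, event ID, account, logon type).
SAMPLE = [
    (t("07:02"), 529, "Bob", 2),
    (t("07:03"), 529, "Bob", 2),
    (t("07:40"), 529, "Bob", 2),      # 37 min after the last failure: counts as 1
    (t("07:41"), 528, "Bob", 2),      # successful logon clears the counter
    (t("09:10"), 529, "Limited", 3),
    (t("09:11"), 529, "Limited", 3),
    (t("09:12"), 529, "Limited", 3),  # third failure in the window: lockout
    (t("09:20"), 529, "Limited", 2),  # refused while locked, not counted
]

def find_lockouts(events):
    """Replay logon events and return each lockout the policy would trigger."""
    state, lockouts = {}, []
    for when, event_id, account, logon_type in sorted(events):
        s = state.setdefault(account, {"count": 0, "last": None, "until": None, "src": []})
        if s["until"] and when < s["until"]:
            continue                          # lockout still in force
        if event_id == LOGON_OK:
            s.update(count=0, src=[])
            continue
        if event_id != LOGON_FAILED:
            continue
        if s["last"] and when - s["last"] >= RESET_AFTER:
            s.update(count=0, src=[])         # counter expired, start again
        s["count"] += 1
        s["last"] = when
        s["src"].append(LOGON_TYPES.get(logon_type, "type %d" % logon_type))
        if s["count"] >= THRESHOLD:
            s["until"] = when + DURATION
            lockouts.append({"account": account, "locked_at": when,
                             "unlocks_at": s["until"],
                             "attempt_sources": sorted(set(s["src"]))})
            s.update(count=0, src=[])
    return lockouts

if __name__ == "__main__":
    for hit in find_lockouts(SAMPLE):
        print(hit)
```

The `attempt_sources` field separates failures typed at the keyboard from those arriving over the network, which is the distinction the audit log is being enabled to settle.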
 
Who
is the other account for?
My wife

Are there kids in the house that have physical access to your computer?
When you aren't at the computer, is it locked in a room to which no one
else has physical access? Do you live alone?

My 15 yr old son USED to have access. I deleted his account due to his
visiting My Space, cheat code sites, gaming sites, etc. This problem began
during his tenure, and seemed to get worse long after I deleted his account.
I can assure you no one in this house is trying to access my account. Any
hacking attempts would have to be coming from the outside.

You may have to wait up to 30 minutes to wait for the lockout to expire.
When you are at the computer and it is locked out, yank the network cable
from the computer or turn off your wireless router/hub to make sure no
one is trying to login while you are waiting for the lockout to expire.

I changed these parms to 15 minutes, and two password attempts. I have no
network/ router/ wireless.

That outsider may be someone else in your own home. I don't know your
living arrangements. I don't know if it is a stationary desktop
computer or a laptop that you tote around (and leave unattended).

Just my wife and son. He does not attempt to access this PC anymore because
he doesn't know the passwords, not to mention he is strictly forbidden. I
know this is not an absolute guarantee, but he is a good kid and I trust him
that far. He also is not computer savvy in the least.
My PC is a desktop.

They failed to login into Windows, failed 3 times, and Windows locked
out any further login attempts for 30 minutes. If someone has physical
access to your computer, they also have physical access to your hard
drive unless you have locked the case.

Perhaps I should clarify some items. This problem can occur first thing in
the morning, when the computer has been idle overnight, and disconnected
(though not physically). I am home during the day while the family is away to
work/ school. The lockout will also occur during the day when I haven't been
on it for hours.
Additionally, I have DSL, with a dedicated line from the street- not
connected to the phone line. I do not have a modem, the DSL cable connects
directly to my ethernet card. As such, I am able to connect/ disconnect as
if I was using a dialup connection (same connection window). This PC is
seldom left connected while unattended and there is no correlation to the
lockout and connection status. Further, every time I sign on/ connect to the
web, my IP address changes- it is dynamically assigned, not static.
Finally, I have enabled Security Logging in the Event Viewer and will check
it often.
 
Another piece of information:

There are actually other accounts assigned.
Guest- built in for guest users (disabled it yesterday)
Help Assistant- for remote desktop assistant (disabled it yesterday)
Support- Microsoft- vendor's account for help and support (disabled it
yesterday)
Support- Dell- vendor's account for help and support (disabled it yesterday)
I assume the two Support Accounts were created when I bought this PC. I am
pretty sure the Remote Support Account was created when I assisted a friend
using this function years ago. Who knows, but without your help I would have
never known they were there!
 
Right-click on the My Computer desktop icon, Remote tab, and disable
both Remote Assistance and Remote Desktop.
 
Remote Desktop has always been disabled, I disabled Remote assistance a
couple days ago.
 
I created another account for myself and set it up as a limited user so I
wouldn't always be signed on as administrator. Yesterday I was doing
maintenance, logging on and off between those two accounts. I was not
connected to the web at the time. After a few iterations of this, suddenly
all accounts were locked out. I am guessing the lockout reset worked although
I didn't wait for it to reset. My wife was able to logon after she got home,
without rebooting as we have done in the past.

It appears something internal to this PC is causing this problem, and I am
suspicious of a Windows Update that was done around the time this problem
arose.
 
Login lockout occurs only if there were *failed* login attempts.

Have you tried rebooting into safe mode and logging in and out between
accounts to see if the lockout happens? Don't use the "Bob" account
during this testing. Create 2 admin-level accounts and 2 restricted
accounts. Then try switching between the 2 admin-level accounts by
logging off and on between them. Do the same with the 2 restricted
accounts. Then try logging off and on between an admin-level and
restricted account. I suspect you won't see the problem until you throw
the "Bob" account back into the mix.

It sounds like you are using fast user switching. That means multiple
accounts could be logged on at the same time (and eating up resources
for each at the same time). I never use fast user switching. It is one
of the first "features" that I disable after installing Windows XP.
That reverts me back to 1 active login at a time and instead of the
Fisher-Price Welcome Screen, I get the standard Windows Login dialog. I
don't go picking an account from a cutesy graphics screen but instead
enter my account name and password in the good old login prompt.
Control Panel -> User Accounts -> Change the way users log on and off,
deselect "Use the Welcome Screen". That also disables fast user
switching. Now test using the Administrator, Bob, and other accounts
where you use the standard login dialog to switch between accounts.

If reverting to single logins and using the standard (classic) login
dialog gets rid of the problem then the problem is not with corrupted
account profiles but instead with that fluff Welcome Screen.

To show or hide an account on the Welcome Screen:

- Run regedit.exe to edit the registry.
- Go to the following key in the leftside tree list:
HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows NT
CurrentVersion
Winlogon
SpecialAccounts
UserList
- Right-click in the rightside pane (data items and their values) or use
the "Edit -> New -> DWORD value" menu to create a new DWORD item.
- Name the new item the same name as an account. For example, to add
the Administrator account, name the new data item as "Administrator" (no
quotes). The data item's name must match the name of an account.
- Set the value for the data item as follows:
0 = do not show in Welcome Screen
1 = show in Welcome screen
- Exit the registry edit.

When a new admin-level account is defined, the Administrator account
will get hidden on the Welcome Screen. Normally you would have to hit
Ctrl+Alt+Del twice in Windows XP Professional at the Welcome Screen or
reboot into Safe Mode for Windows XP Home Edition to see the
Administrator account login. Using this trick, you can re-add the
Administrator account to the Welcome Screen.

You're saying that sometimes Administrator shows up in place of Bob.
Well, if Administrator is no longer hidden by default (because Bob,
maybe, is an admin-level account) then both Administrator and Bob should
show up on the Welcome Screen.
 
That is some really good information, and it answers at least one mystery.
When the lockouts occur, my account is not "changing" to "Administrator",
mine is disappearing causing the hidden Administrator account to appear. When
my son had a limited account, my wife's account would disappear too, but his
would stay.

I will disable fast user switching, especially since there is an issue with
that as well. If two accounts are active at once, when the second account
logs off, the display resolution reverts to 640 X 480, and the screen looks
like a color reverse image. I have to reboot to resolve this.

I will try the safe mode recommendations you suggested and let you know.
Thanks for all the help and for hanging with me!
 
Vanguard,

I tried booting in Safe Mode, but I keep getting a "keyboard error" in the
boot process when pressing F8 that subsequently disables the keyboard. I
haven't investigated this problem much because I have been very busy the last
couple of weeks. I will pursue this as I can.
I just wanted to update you.
 