G
Guest
Hi All,
We are in Windows 2000 mixed mode. User accounts are on Child domain. Now a
days there is a huge increase in the number of account lockout calls that the
helpdesk is recieving.
The settings are like this,
Account lockout duration = 0 (an administrator must unlock the account)
Account lockout threshold = 5 invalid logon attempts
Reset account lockout counter after = 15minutes
I have tried to use account lockout tools to find out the root cause. I
found that subsequent wrong credentials are being passed by the end users but
according to them they have typed the password only once, it is also noted
that while they are working all of a sudden their accounts are getting
lockedout!
I have enabled netlong logging on PDC Emulator but it did not give any hint.
I was also referring to the technet article,
http://technet2.microsoft.com/windo...3eab-4eaf-9bff-9f0d058d4fc31033.mspx?mfr=true
there are a few things I want to clarify,
Article says Many programs cache credentials or keep active threads that
retain the credentials after a user changes their password.
1)How do I find out the applications which are creating problems? May be IE
I if the user selects the option save password), can anyone help me in this?
2)Bad Password Threshold is set too low: This is one of the most common
misconfiguration issues. Many companies set the Bad Password Threshold
registry value to a value lower than the default value of 10. If you set this
value too low, false lockouts occur when programs automatically retry invalid
passwords. Microsoft recommends that you leave this value at its default
value of 10. For more information, see "Choosing Account Lockout Settings for
Your Deployment" in this document.
In our environment Bad Password Threshold is set to 5. But my question is
regarding the value 10 which is given in the article. Is there any specific
reason why a value of 10 is recommended? and what does it mean by false
lockout?
3)Persistent drive mappings: Persistent drives may have been established
with credentials that subsequently expired. If the user types explicit
credentials when they try to connect to a share, the credential is not
persistent unless it is explicitly saved by Stored User Names and Passwords.
Every time that the user logs off the network, logs on to the network, or
restarts the computer, the authentication attempt fails when Windows attempts
to restore the connection because there are no stored credentials.
Who does net use differ by map network drive from GUI?
Is persistant drive mappings are not recommended?
One more thing I have noticed is that these issues are coming from Windows
2000 professional with SP4, not from XP professional and our DCs are Windows
2000 with SP4.
Any help and pointers are highly appreciated.
We are in Windows 2000 mixed mode. User accounts are on Child domain. Now a
days there is a huge increase in the number of account lockout calls that the
helpdesk is recieving.
The settings are like this,
Account lockout duration = 0 (an administrator must unlock the account)
Account lockout threshold = 5 invalid logon attempts
Reset account lockout counter after = 15minutes
I have tried to use account lockout tools to find out the root cause. I
found that subsequent wrong credentials are being passed by the end users but
according to them they have typed the password only once, it is also noted
that while they are working all of a sudden their accounts are getting
lockedout!
I have enabled netlong logging on PDC Emulator but it did not give any hint.
I was also referring to the technet article,
http://technet2.microsoft.com/windo...3eab-4eaf-9bff-9f0d058d4fc31033.mspx?mfr=true
there are a few things I want to clarify,
Article says Many programs cache credentials or keep active threads that
retain the credentials after a user changes their password.
1)How do I find out the applications which are creating problems? May be IE
I if the user selects the option save password), can anyone help me in this?
2)Bad Password Threshold is set too low: This is one of the most common
misconfiguration issues. Many companies set the Bad Password Threshold
registry value to a value lower than the default value of 10. If you set this
value too low, false lockouts occur when programs automatically retry invalid
passwords. Microsoft recommends that you leave this value at its default
value of 10. For more information, see "Choosing Account Lockout Settings for
Your Deployment" in this document.
In our environment Bad Password Threshold is set to 5. But my question is
regarding the value 10 which is given in the article. Is there any specific
reason why a value of 10 is recommended? and what does it mean by false
lockout?
3)Persistent drive mappings: Persistent drives may have been established
with credentials that subsequently expired. If the user types explicit
credentials when they try to connect to a share, the credential is not
persistent unless it is explicitly saved by Stored User Names and Passwords.
Every time that the user logs off the network, logs on to the network, or
restarts the computer, the authentication attempt fails when Windows attempts
to restore the connection because there are no stored credentials.
Who does net use differ by map network drive from GUI?
Is persistant drive mappings are not recommended?
One more thing I have noticed is that these issues are coming from Windows
2000 professional with SP4, not from XP professional and our DCs are Windows
2000 with SP4.
Any help and pointers are highly appreciated.