W2K domain account lockouts... not the obvious

  • Thread starter Thread starter Ted Klugman
  • Start date Start date
T

Ted Klugman

W2K native mode domain. All servers and workstations are at least SP3
(a couple SP4's here and there).

It seems that every mornig, a few user accounts are locked out.

Let's get the obvious out of the way first...

* Users are not logged in at multpile workstations. Users log in at
their workstations in the morning, and they log out at the end of the
day.
* Users are not logged in via Terminal Services. A couple remote users
do use TS, but this problem seems to affect ALL users. Additionally,
our TS boxes will tear down disconnected sessions that sit for more
than 4 hours.
* NOBODY has services or scheduled tasks running using their
credentials (except for a handful of service accounts... which don't
seem to get locked out)


Our login script maps a few drives:

* A couple drives to local servers on our domain
* Two drives to servers not on our domain -- there is no trust to the
foreign domain. The login script simply does a "net use x:
\\server\share /user:someusername password".
* All drives map fine.

Our domain policy dictates that the lockout threshold is 20 invalid
logins, and the lockout counter should be reset after 60 minutes.

We are auditing all account logon/logoff events on our domain
controllers. Periodically, during the day, Failure events will appear
for valid users. The users are NOT logging on to the network -- but
are simply doing various users tasks.

I've been using the LockoutStatus.exe utility that has been suggested
here, and I see that the BadPwdCount counters for various users are
increasing throughout the day. The counters increase at the same time
that we see a failure in the domain controller event logs.

I've installed the ALockout.dll file on a couple of workstations.
There is NO correlation between when the events occur in the event
logs and events listed in ALockout.txt.

I'm really at a loss here, and we're debating whether or not it would
be a waste to give Microsoft $245...

Any suggestions greatly appreciated.

TIA
 
Hi Ted,

Do you have Q8129499 installed on all of your DCs?

This is the latest Account Lockout Hotfix.
812499 You Cannot Change Your Password After an Administrator Resets It
http://support.microsoft.com/?id=812499

If you do not have this hotfix, please install it and than test to see if
you are still getting lockouts.

Thanks, Ted.

Diana.

(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top