Account lock out
Page 1 of 3 123 LastLast
Results 1 to 10 of 24

Thread: Account lock out

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    113

    Account lock out

    Hi,

    there is an employee in my company and her account in the active directory is getting locked out time and again. The machine has Win 2K professional service pack 4. also she doesnot make any mistake while typing in her password, so no log in failures. can some one help. Is any one else trying to access her account also ?

    MRG.

  2. #2
    Junior Member
    Join Date
    Jun 2004
    Posts
    14
    have you tried looking at her machine and making sure that she does not have any password saved. also look at the secuirty logs on the DC and see if she is logged in on another terminal with an old password.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    The account lockout threashold is being triggered. It seems that indeed someone else is attempting to use her credentials. Give the AD admins a call and have them start logging the account. This way they can see when the failed attempts are made.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    That is normally the first indication of a would be intruder. Does the event log have several failed login attempts outside the normal lockout duration? This intruder could be trying to access her machine or elevate privy, or she is trying to elevete privy (priveledge) to other machines and AD is locking her out. As usual the logs will tell.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Often one of the many new worms going around will hammer away at common accounts trying to guess the password. Remember this does not have to be from the users workstation per se.
    Check workstations task manager for strange .exe's running.


    Make sure logging is turned on for failed login attempts.

    Event viewer will report the failure and each entry will also contain with IP/HOSTNAME/Netbios name of the node attempting the login.

    Another possibility is a service is setup to use that users account to start and if a password has recently changed, often the password info in the service profile is not changed. Check that too.

    What AV software is running on the workstations? Make sure patterns are updated.

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Make sure the user doesn't have a scheduled job like a backup or similar running in her context. If she has and she recently changed the password then the password for the job needs to be changed.

    That's the most usual way to get these type of lockout IME.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    I did give a call ,, Meanwhile i have one more question, With another employee, todaybmorning when he tried to log in he got an error saying the account for your computer doesnot exist or your password is incorrect, Then his machine was brought down from the domain and re joined in the domain. Now he said that he was able to logg in correctly till yesterday night, today morning this problem arises, The domain admins have no idea as to why his computer was disjoined from the domain.

    please help.

    MRG.

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    Another possibility is a service is setup to use that users account to start and if a password has recently changed, often the password info in the service profile is not changed. Check that too.

    How do i do that, is this by going into administrative tools and then checking which service ?

    Thanks

    MRG.

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by mrg81
    Another possibility is a service is setup to use that users account to start and if a password has recently changed, often the password info in the service profile is not changed. Check that too.

    How do i do that, is this by going into administrative tools and then checking which service ?

    Thanks

    MRG.
    In the services manager, you can look at each service to see which account is used to start the service.

    Look at the "log on as" section to see which account is used.
    If you need to edit the info, double click the service and choose the "log on" tab.

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    I did that, Every service that I clicked on said local system account.

    MRG.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •