-
Account lockout
Hi,
There is an employee in my company and her account in Active Directory is getting locked out time and again. The machine has Win 2K Professional Service Pack 4. Also, she does not make any mistake while typing in her password, so no login failures. Can someone help? Is anyone else trying to access her account also?
MRG.
-
Have you tried looking at her machine and making sure that she does not have any password saved? Also look at the security logs on the DC and see if she is logged in on another terminal with an old password.
-
The account lockout threshold is being triggered. It seems that indeed someone else is attempting to use her credentials. Give the AD admins a call and have them start logging the account. This way they can see when the failed attempts are made.
--TH13
-
That is normally the first indication of a would-be intruder. Does the event log have several failed login attempts outside the normal lockout duration? This intruder could be trying to access her machine or elevate privy, or she is trying to elevate privy (privilege) to other machines and AD is locking her out. As usual, the logs will tell.
-
Often one of the many new worms going around will hammer away at common accounts trying to guess the password. Remember this does not have to be from the user's workstation per se.
Check the workstation's Task Manager for strange .exe's running.
Make sure logging is turned on for failed login attempts.
Event Viewer will report the failure, and each entry will also contain the IP/hostname/NetBIOS name of the node attempting the login.
Another possibility is a service is set up to use that user's account to start, and if the password has recently changed, often the password info in the service profile is not changed. Check that too.
What AV software is running on the workstations? Make sure patterns are updated.
-
Make sure the user doesn't have a scheduled job like a backup or similar running in her context. If she has, and she recently changed the password, then the password for the job needs to be changed.
That's the most usual way to get these types of lockouts IME.
-
I did give a call. Meanwhile I have one more question. With another employee, this morning when he tried to log in he got an error saying "the account for your computer does not exist or your password is incorrect". Then his machine was removed from the domain and rejoined to the domain. Now he says that he was able to log in correctly till last night; this morning this problem arose. The domain admins have no idea why his computer was disjoined from the domain.
Please help.
MRG.
-
Another possibility is a service is set up to use that user's account to start, and if the password has recently changed, often the password info in the service profile is not changed. Check that too.
How do I do that? Is this by going into Administrative Tools and then checking which service?
Thanks
MRG.
-
Quote:
Originally posted here by mrg81
Another possibility is a service is set up to use that user's account to start, and if the password has recently changed, often the password info in the service profile is not changed. Check that too.
How do I do that? Is this by going into Administrative Tools and then checking which service?
Thanks
MRG.
In the Services manager, you can look at each service to see which account is used to start the service.
Look at the "Log On As" column to see which account is used.
If you need to edit the info, double-click the service and choose the "Log On" tab.
-
I did that. Every service that I clicked on said Local System account.
MRG.
-
Quote:
Originally posted here by mrg81
I did that. Every service that I clicked on said Local System account.
MRG.
Okay, well, let us know what Event Viewer is reporting for failed login attempts for that user.
Are there any holes in your firewall that would allow someone/something to attempt to login
from elsewhere in the world?
VPN access?
Terminal Services?
VNC or similar remote access services like PC Anywhere?
-
The following is reported by Event Viewer:
"Windows was unable to determine the user or the computer", error code (1326). There are no Terminal Services, VPN access or any remote access services.
MRG.
-
Could it be someone trying to access the PC via shares or the root share using her credentials?
Your network admins don't care? fking morons, I would be all over that PC and your dept. :)
-
No one is trying to do that (accessing the PC via shares or the root share using her credentials).
-
Quote:
Originally posted here by mrg81
No one is trying to do that (accessing the PC via shares or the root share using her credentials).
I'm not quite sure what type of help you are trying to get here.
Many of us have been quite helpful with information and you don't seem to be doing much
legwork on your end.
It's very difficult to spoonfeed you exact solutions from afar.
Your replies to information requests have been very limited.
Posting the exact syntax of an event from your Event Viewer could be helpful.
For instance:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 676
Date: 7/7/2004
Time: 12:18:24 PM
User: NT AUTHORITY\SYSTEM
Computer: Authorizing Servername
Description:
Authentication Ticket Request Failed:
User Name: someuser
Supplied Realm Name: domainname
Service Name: krbtgt/domainame
Ticket Options: 0x40810010
Failure Code: 0x17
Client Address: IP Address of node attempting to login
Do you see entries like this or other similar entries in the Security event log?
Make sure you are viewing the log of either an AD server or the machine taking authentication requests on your LAN. The user's workstation won't hurt either.
-
It's kinda stupid, but the PC is in the domain, right?
When the user tries to log in, can you see the domain name list in the domain box?
Can other domain users (regular users) log in on this computer?
-
I am sorry if I didn't post a proper reply. I did view the log of the AD server; there is nothing in Security. The only message that I see is in the Application part of Event Viewer on the machine of the employee who is having the problem.
The error:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 7/7/2004
Time: 12:18:24 PM
User: NT AUTHORITY\SYSTEM
Computer: Authorizing Servername
Description:
Windows cannot determine the user or computer name(1316)
Thanks,
MRG.
-
Quote:
Originally posted here by mrg81
I am sorry if I didn't post a proper reply. I did view the log of the AD server; there is nothing in Security. The only message that I see is in the Application part of Event Viewer on the machine of the employee who is having the problem.
The error:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 7/7/2004
Time: 12:18:24 PM
User: NT AUTHORITY\SYSTEM
Computer: Authorizing Servername
Description:
Windows cannot determine the user or computer name(1316)
Thanks,
MRG.
No need to be sorry....
My post is just an FYI... :)
Well, let's turn on logging first.
On an AD server, go to the Domain Security Policy snap-in.
Go to the Local Policies / Audit Policy section.
Enable at least Failure on the "Audit account logon events" setting.
Review your security logs for any failed attempts
and see if that nets you any info.
-
We get this a lot. It happens when a user account is logged on to more than one machine and the password expires.
UserA is logged on to MachineA and MachineB. When the password expires they'll change it on MachineA but are still logged on to MachineB (with the 'old' credentials). Make sure she's logged out on *all* machines before she changes her password.
You can verify this by enabling auditing of failed logon attempts (set this in the domain policy). Then check the Security event logs of the DCs.
Auditing should have been turned on anyway if you care about the security of your network. Even though MS is bashing us with their Trustworthy Computing initiative, auditing is still turned off by default. How trustworthy is that?!?
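Once failure auditing is on, the question the posts above leave open is how to read the resulting pile of event 676 entries to find the machine that is still presenting the old password. The script below is an added example (not from any poster in this thread) that parses an exported Security log in the exact field layout quoted earlier, groups "Authentication Ticket Request Failed" events by user and client address, and flags any source that reaches the domain's lockout threshold inside the observation window. The log text, hostnames and addresses are constructed for the example; the failure-code meanings are the Kerberos error numbers from RFC 4120.

```python
"""Locate the source of repeated failed Kerberos logons in an exported Security log.

Added example. SAMPLE_LOG is constructed in the layout of the event 676 entry
quoted in the thread; DC01, EXAMPLE and the 10.0.0.x addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos error numbers (RFC 4120) as they appear in the Failure Code field.
FAILURE_CODES = {
    "0x17": "KDC_ERR_KEY_EXPIRED (password expired)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (wrong password)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
}


def _event(time, user, client, code):
    # Builds one constructed event 676 record in the format Event Viewer exports.
    return (
        "Event Type: Failure Audit\n"
        "Event Source: Security\n"
        "Event Category: Account Logon\n"
        "Event ID: 676\n"
        "Date: 7/7/2004\n"
        f"Time: {time}\n"
        "User: NT AUTHORITY\\SYSTEM\n"
        "Computer: DC01\n"
        "Description:\n"
        "Authentication Ticket Request Failed:\n"
        f"User Name: {user}\n"
        "Supplied Realm Name: EXAMPLE\n"
        "Service Name: krbtgt/EXAMPLE\n"
        "Ticket Options: 0x40810010\n"
        f"Failure Code: {code}\n"
        f"Client Address: {client}\n"
    )


SAMPLE_LOG = "\n".join([
    # Six wrong-password failures in ten minutes from one workstation: the
    # pattern a still-logged-on session or a service with the old password produces.
    _event("12:10:02 PM", "someuser", "10.0.0.25", "0x18"),
    _event("12:12:05 PM", "someuser", "10.0.0.25", "0x18"),
    _event("12:14:09 PM", "someuser", "10.0.0.25", "0x18"),
    _event("12:16:11 PM", "someuser", "10.0.0.25", "0x18"),
    _event("12:18:24 PM", "someuser", "10.0.0.25", "0x18"),
    _event("12:20:30 PM", "someuser", "10.0.0.25", "0x18"),
    # One expired-password failure from the user's own desk: not the lockout source.
    _event("12:19:00 PM", "someuser", "10.0.0.9", "0x17"),
    # Unrelated single failure by another user.
    _event("12:21:00 PM", "otheruser", "10.0.0.40", "0x18"),
])


def parse_events(text):
    """Split exported event text into one dict of 'Field: value' pairs per event."""
    events = []
    for chunk in re.split(r"\n(?=Event Type:)", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only; times keep theirs
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def _timestamp(event):
    return datetime.strptime(f"{event['Date']} {event['Time']}", "%m/%d/%Y %I:%M:%S %p")


def lockout_sources(events, threshold=5, window=timedelta(minutes=30)):
    """Return {(user, client address): (total failures, reason)} for each source whose
    event 676 failures reach `threshold` inside `window`. Threshold and window are
    the same two numbers the domain lockout policy uses, so a flagged source is
    the machine that tripped the lockout."""
    per_source = defaultdict(list)
    for e in events:
        if e.get("Event ID") == "676":
            key = (e["User Name"], e["Client Address"])
            per_source[key].append((_timestamp(e), e["Failure Code"]))
    flagged = {}
    for source, attempts in per_source.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        for i, start in enumerate(times):
            # Count attempts inside the window that starts at this attempt.
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                reason = FAILURE_CODES.get(attempts[i][1], attempts[i][1])
                flagged[source] = (len(attempts), reason)
                break
    return flagged


if __name__ == "__main__":
    for (user, client), (count, reason) in lockout_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{user} locked out from {client}: {count} failures, {reason}")
```

On a real domain you would export the Security log from each DC (the DC that locked the account is the one that saw the failures) and feed the text to parse_events; the flagged client address is where to look for the stale session, service or scheduled job the earlier replies describe.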
-
If SirDice is correct, please (please please please) stop with that shared user ID. This is the worst idea ever.
-
No, that employee says that he has not logged in to any other machine. I have enabled logging on the DC, but I don't see anything in Security. Also I have reset his password to the original one; will this work? Also, if I delete the pwd file from his machine, will that be useful?
Thanks,
MRG.
-
Hehe. Shared user accounts are truly a bad idea.
That's why we have a policy that defines that a user ID is strictly personal.
It's for the protection of the user. Not because we like to bash on lusers (at least that's what we tell "them" ;) )
If something happens and we trace it back to a user ID, the owner of that ID will be the one that's going to get the blame. If that user happens to share his/her ID with someone else, it's their problem. We still blame the owner of the ID (and he/she could get fired).
[edit]
PWD file?!?!?! There are NO such files on WinNT/2K/XP/2K3
Resetting the password doesn't help. The account will still get locked out.
[/edit]
-
I am sorry for asking about the PWD file. Resetting the password back to the original one helped; till now (touch wood) no locking of the account again.
MRG.
-
This works because the "other" machine is still logged on with that same old password. You'll soon run into trouble again when the password expires.