User Account Lock Out Oddity

  • User Account Lock Out Oddity

    So this is a weird development we've come across that I've been able to duplicate.

    Let's say a user logs into a workstation and then the user gets locked out of the domain: they can still access network resources without issue (email, shares, printers). If they lock their workstation they can still unlock it.

    However, if the user gets locked out before they log in or after they lock the workstation, they cannot log in or unlock themselves.

    In both instances I can see the user is locked at the appropriate servers they are authenticating to. Eventually that lockout gets replicated to the other DCs in the domain.

    I thought it had something to do with the IRPStackSize because one of the machines was having that issue. But that got resolved and I was able to duplicate it on another machine in an entirely different site.

    There is nothing specifically in the log on the workstation except that the user is locked out. However, they are still able to do the above. I'm really at a loss. I was able to install the User Account Lockout tool from MS, but I don't really see anything; either that or I don't know what to look at.
    GoogleFu is strong with this one ^

  • #2
    Re: User Account Lock Out Oddity

    I'm pretty sure this has to do with Kerberos tickets. Once the user is authenticated, the client will store the session key and TGT in volatile memory; the ticket has a lifetime.

    So the client has pre-authenticated, the workstation is locked, and it was able to open with the saved session keys.

    In the reverse case the client tries to log in, has no session key (or it has expired) and authenticates with the DC; the DC says you are locked, go away.

    This is how I believe it works.

    There are some Kerberos tools available to diagnose this.
    MCSE 2003; MCTS Vista; Sec+; CCNA
    Attitude Makes The Difference!
    in other words you got to WANT to do it..
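    The two things worth measuring while reproducing this are what each DC currently believes about the account (the opening post notes the lockout only reaches the other DCs after replication) and which Kerberos tickets the logged-on session still holds (post #2's explanation). The PowerShell below is an added example written for this thread, not code from any poster or from Microsoft. It assumes a domain-joined Vista/7-era host run as a domain user, so that klist.exe is built in and System.DirectoryServices is available; the klist output layout it parses ('#n>' headers followed by 'Server:', 'End Time:' and 'Renew Time:' lines) is an assumption about that version, and the XP Support Tools klist.exe prints a different format.

```powershell
# Added example for this thread (not code from any poster or from Microsoft).
# Assumptions: domain-joined Windows Vista/7/2008 host, run as a domain user;
# klist.exe built in; PowerShell 2.0 or later.

function Get-FileTimeValue {
    # FILETIME attributes are 100-ns ticks since 1601-01-01 UTC; 0 means "never".
    param($Properties, [string]$Name)
    if ($Properties.Contains($Name)) {
        $ticks = [int64]$Properties[$Name][0]
        if ($ticks -ne 0) { return [DateTime]::FromFileTimeUtc($ticks).ToLocalTime() }
    }
    return $null
}

function Get-LockoutStatusPerDC {
    # Binds to every DC in the current domain individually (no referral chasing),
    # so replication lag between DCs is visible. lockoutTime replicates between
    # DCs; badPwdCount does not, so each DC reports only the failures it saw.
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $domain    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $defaultNC = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

    # Domain-wide lockout duration: a negative count of 100-ns ticks on the domain
    # head object; Int64.MinValue means "locked until an administrator unlocks".
    $rootSearcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$defaultNC", '(objectClass=domainDNS)', @('lockoutDuration'), 'Base')
    $rawDuration = [int64]$rootSearcher.FindOne().Properties['lockoutduration'][0]
    $duration = $null
    if ($rawDuration -ne [int64]::MinValue) { $duration = [TimeSpan]::FromTicks(-$rawDuration) }

    foreach ($dc in $domain.DomainControllers) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]("LDAP://{0}/{1}" -f $dc.Name, $defaultNC)
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
        [void]$searcher.PropertiesToLoad.AddRange(@('lockoutTime', 'badPwdCount', 'badPasswordTime'))

        try   { $result = $searcher.FindOne() }
        catch { Write-Warning "$($dc.Name): $($_.Exception.Message)"; continue }
        if (-not $result) { Write-Warning "$($dc.Name): account not found"; continue }

        $lockedSince = Get-FileTimeValue $result.Properties 'lockouttime'

        # lockoutTime is not reset when the duration elapses, so a non-zero value
        # alone does not prove the lock is still in force: it is effective only while
        # lockoutTime + lockoutDuration lies in the future (or the duration is "never").
        $stillLocked = $false
        if ($lockedSince) {
            $stillLocked = ($duration -eq $null) -or (($lockedSince + $duration) -gt (Get-Date))
        }

        $badPwdCount = 0
        if ($result.Properties.Contains('badpwdcount')) { $badPwdCount = [int]$result.Properties['badpwdcount'][0] }

        New-Object PSObject -Property @{
            DomainController = $dc.Name
            LockedOutSince   = $lockedSince
            StillLocked      = $stillLocked
            BadPwdCount      = $badPwdCount
            LastBadPassword  = Get-FileTimeValue $result.Properties 'badpasswordtime'
        }
    }
}

function Get-LocalKerberosTickets {
    # Lists the tickets cached for the current logon session. The TGT is the entry
    # whose Server starts with 'krbtgt/'; its End/Renew times show how long the
    # session can keep working off cached Kerberos state without asking the KDC.
    $text   = (& klist.exe tickets 2>&1) -join "`n"
    $blocks = $text -split '(?m)^#\d+>' | Select-Object -Skip 1
    foreach ($block in $blocks) {
        $server = '?'; $end = '?'; $renew = '?'
        if ($block -match 'Server:\s*(\S+)')      { $server = $Matches[1] }
        if ($block -match 'End Time:\s*(.+)')     { $end    = $Matches[1].Trim() }
        if ($block -match 'Renew Time:\s*(.+)')   { $renew  = $Matches[1].Trim() }
        New-Object PSObject -Property @{
            Server     = $server
            IsTGT      = ($server -like 'krbtgt/*')
            EndTime    = $end
            RenewUntil = $renew
        }
    }
}

# Usage (replace the placeholder account name):
# Get-LockoutStatusPerDC -SamAccountName 'jdoe' | Format-Table -AutoSize
# Get-LocalKerberosTickets | Format-Table -AutoSize
```

    Run Get-LockoutStatusPerDC from an unlocked session right after the lockout is triggered, then again a few minutes later: the first run typically shows LockedOutSince on only the DC that processed the failed attempts, the second on all of them. Running Get-LocalKerberosTickets in the same session shows whether the TGT and service tickets obtained before the lockout are still present, which is what post #2 describes.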


  • #3
    Re: User Account Lock Out Oddity

    Seconding Ikon's suggestions. The tools in question are Kerbtray.exe and Klist.exe, both part of the Windows Resource Kit, but they can be copied and used separately on the XP clients.
    One good use of Klist.exe could be when an employee has been dismissed with immediate effect and you don't want them to access any resources: you can purge the tickets granted to them, which will stop them from having access to the resources.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR


  • #4
    Re: User Account Lock Out Oddity

    Originally posted by stamandster:
        Let's say a user logs into a workstation and the user gets locked out of the domain; they can still access network resources without issue (email, shares, printers). If they lock their workstation they can still unlock it.
    What OS are you testing on? Any chance you are still on XP SP2 or below?
    If you are on XP SP2, does the hotfix from the following KB, http://support.microsoft.com/kb/939850, change the behavior?
    (Ignore the title of the article - IIRC this is the latest kerberos.dll for XP SP2.)
    Last edited by guyt; 9th October 2009, 18:36.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


  • #5
    Re: User Account Lock Out Oddity

    Thanks for the pointed information, fellas. I'll check on their service pack level. I'll do some more testing shortly.

    Thanks again. I'll update as soon as I do.
    GoogleFu is strong with this one ^


  • #6
    Re: User Account Lock Out Oddity

    Alrighty, so I've purged the tickets and I'm still able to do what is mentioned above. I'll be installing the update shortly even though the box is SP3.
    GoogleFu is strong with this one ^


  • #7
    Re: User Account Lock Out Oddity

    Some more research into this issue...

    So I locked an account out and waited, and waited, waited 3 days. The user account is locked from the domain, the user locks the workstation, the user is able to log back into the workstation. However, thankfully, the user cannot access network shares or Exchange.

    I think it has something to do with Computer Configuration > Windows Settings > Security Settings > Kerberos Policy:

    Enforce User Logon Restrictions -- Enabled
    Maximum lifetime for service ticket -- 600 minutes
    Maximum lifetime for user ticket -- 10 hours
    Maximum lifetime for user ticket renewal -- 7 days
    Maximum tolerance for computer clock synchronization -- 5 minutes

    I, however, never set these. This was in place before I got here.

    Also there's this, which I don't think is affecting it, but I might as well put it out there: Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy

    Account lockout duration -- 99999 minutes
    Account lockout threshold -- 3 invalid logon attempts
    Reset account lockout counter after -- 30 minutes

    Is this just default behavior that I have never, ever, noticed before?
    GoogleFu is strong with this one ^
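    The values post #7 copied out of the GPO editor can be read programmatically, which is handy when the policy was inherited from a predecessor and you want to confirm what is actually in force rather than what one console shows. The PowerShell below is an added example written for this thread, not code from any poster or from Microsoft. The Account Lockout Policy values come from the domain head object in LDAP (lockoutThreshold, lockoutDuration, lockOutObservationWindow), which is where the effective domain values live. The Kerberos Policy is not stored as LDAP attributes; the script reads it from the Default Domain Policy's security template in SYSVOL, using the well-known GUID of that GPO ({31B2F340-016D-11D2-945F-00C04FB984F9}) and the template's INF key names (MaxTicketAge, MaxRenewAge, MaxServiceAge, MaxClockSkew, TicketValidateClient). It assumes the Kerberos settings have not been overridden by another GPO linked at the domain with higher precedence, and it only reports the values, without interpreting them.

```powershell
# Added example for this thread (not code from any poster or from Microsoft).
# Assumptions: domain-joined host with read access to SYSVOL; Kerberos Policy is
# set in the Default Domain Policy (a higher-precedence domain-linked GPO could
# override it, which this script does not check); PowerShell 2.0 or later.

function ConvertFrom-AdInterval {
    # Domain-head intervals are stored as negative 100-ns ticks;
    # Int64.MinValue means "Never" (locked until an administrator unlocks).
    param([int64]$Value)
    if ($Value -eq [int64]::MinValue) { return 'Never (until admin unlocks)' }
    return [TimeSpan]::FromTicks(-$Value)
}

function Get-DomainLockoutPolicy {
    # Effective Account Lockout Policy as the DCs enforce it, read from the domain head.
    $nc = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$nc", '(objectClass=domainDNS)',
        @('lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow'), 'Base')
    $p = $searcher.FindOne().Properties
    New-Object PSObject -Property @{
        LockoutThreshold  = [int]$p['lockoutthreshold'][0]              # 0 = accounts never lock
        LockoutDuration   = ConvertFrom-AdInterval ([int64]$p['lockoutduration'][0])
        ResetCounterAfter = ConvertFrom-AdInterval ([int64]$p['lockoutobservationwindow'][0])
    }
}

function Get-DefaultDomainKerberosPolicy {
    # Kerberos Policy from the Default Domain Policy security template in SYSVOL.
    $domainDns = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    $inf = "\\$domainDns\SYSVOL\$domainDns\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
           "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

    # GptTmpl.inf is an INI-style UTF-16 text file; collect key=value pairs
    # from the [Kerberos Policy] section only.
    $section = ''
    $kerb = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'Kerberos Policy' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $kerb[$Matches[1]] = $Matches[2]
        }
    }

    # Template units: MaxTicketAge in hours, MaxRenewAge in days,
    # MaxServiceAge and MaxClockSkew in minutes, TicketValidateClient 1/0.
    New-Object PSObject -Property @{
        EnforceUserLogonRestrictions = ($kerb['TicketValidateClient'] -eq '1')
        MaxServiceTicketMinutes      = [int]$kerb['MaxServiceAge']
        MaxUserTicketHours           = [int]$kerb['MaxTicketAge']
        MaxUserTicketRenewalDays     = [int]$kerb['MaxRenewAge']
        MaxClockSkewMinutes          = [int]$kerb['MaxClockSkew']
        TemplatePath                 = $inf
    }
}

# Usage:
# Get-DomainLockoutPolicy | Format-List
# Get-DefaultDomainKerberosPolicy | Format-List
```

    With the values from post #7 the first call reports a threshold of 3, a duration of 99999 minutes (about 69 days, so well beyond the 3-day wait described) and a 30-minute observation window; the second reports a 10-hour user ticket, 7-day renewal, 600-minute service ticket and 5-minute clock skew. Comparing the two outputs against the GPO editor is a quick way to catch a lockout or Kerberos setting that a second, higher-precedence GPO has silently changed.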


  • #8
    Re: User Account Lock Out Oddity

    I believe this is default behaviour. Since the user is logged on, the credentials are cached; the cached credentials are only destroyed at log-off or when the machine shuts down. Unlocking the workstation uses cached credentials, unless you unlock the workstation as the Administrator, in which case a full Kerberos logon will take place with the DC.
    MCSE 2003; MCTS Vista; Sec+; CCNA
    Attitude Makes The Difference!
    in other words you got to WANT to do it..


  • #9
    Re: User Account Lock Out Oddity

    Here is something I just found that might explain it a little better.

    http://207.46.16.252/en-us/magazine/...fidential.aspx
    MCSE 2003; MCTS Vista; Sec+; CCNA
    Attitude Makes The Difference!
    in other words you got to WANT to do it..


  • #10
    Re: User Account Lock Out Oddity

    Wow, that's an excellent article. That really helps with understanding what's going on. I'll be doing some more testing to make sure that that's what it is.

    Thanks again everyone.
    GoogleFu is strong with this one ^