Announcement

Collapse
No announcement yet.

Users Account's locked out

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Users Account's locked out

    Hello,

    We have some users who get their account locked out every 15 min approximately. So then the admin need to get to Ad and unlock every user that get locked out.

    I used Alockout tool. This tool creates a log file that can help you diagnose the cause of account lockout problems.

    I attached 2 log files it created , so someone can check and tell me what's the reason they get lockout.
    I couldnt understand why..
    waiting to hear some ideas what to check..
    I checked gpo and saw there is a lockout of machines every 15 min, someone configured it the screensaver lockout. Maybe it is cause issues for some users?

    thanks
    Attached Files

  • #2
    Re: Users Account's locked out

    Hi,


    You need to enable netlogon flag on pdc. This will generate a log file this log file should contain occurence of account log out . for ex you enabled the logging and after which the account gets locked.

    http://support.microsoft.com/kb/109626

    make sure to turn off the logging.

    upload that one which is generate at pdc.
    Thanks & Regards
    v-2nas

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect
    Blog: http://www.exchadtech.blogspot.com

    Show your appreciation for my help by giving reputation points

    Comment


    • #3
      Re: Users Account's locked out

      Cannot find anything in the log that clearly show the reason why the user keep locking-out.
      The logs are both recorded on one of the desktop computers and the specific user was logged on, correct?

      What Operating system is on the client(s)?
      What are the values of 'LockoutThreshold' and 'ObservationWindow' (Reset account lockout counter after...) of the domain Account Lockout Policy.

      Do the users perhaps usee portable devices that connects to the netwerk (i.e. checking mail using smartphone)?


      \Rems
      Last edited by Rems; 21st December 2010, 12:33.

      This posting is provided "AS IS" with no warranties, and confers no rights.

      __________________

      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts

      Comment


      • #4
        Re: Users Account's locked out

        This is what i did : NLParse.exe tool, open the folder you specified during setup for ALTools, double-click Nlparse.exe, click Open to open the Netlogon.log file that you want to parse, select the check boxes for the status codes that you want to search for, and then click Extract. After you do this, view the output from the NLParse.exe tool. Typically, you may want to look at both the 0xC000006A and 0xC0000234 code statuses to determine from where the lockouts are coming.


        The issue happens for those users only :

        orna
        zoharv
        ron
        tal
        einal_l


        I attached zip file with the logs.

        someone can check and tell me why the lockout is happening..

        thanks
        Attached Files

        Comment


        • #5
          Re: Users Account's locked out

          Can you poweroff the DANSHAREXCH1 domain controller for ~60 minutes (Is Exchange Server xxx(?) running on this machine?).
          While DANSHAREXCH1 is down, reboot the users client before they logon. Are the accounts still locking-out when DANSHAREXCH1 is unavailable?

          These accounts are they always and only using the same client computer? The affected computers are they all WinXP 32bit SP3?
          When does the lock-out started to happen, was there something changed on the network, i.e. a new switch?

          What OS is on the DCs? Are they all three virtual machines?


          \Rems
          Last edited by Rems; 22nd December 2010, 19:00.

          This posting is provided "AS IS" with no warranties, and confers no rights.

          __________________

          ** Remember to give credit where credit's due **
          and leave Reputation Points for meaningful posts

          Comment


          • #6
            Re: Users Account's locked out

            Hi,

            Do you have any drive mapping to dansharexch1, if yes, then upmap the drives and reboot the clients and then map them again.

            After this monitor if the issue persist.
            Thanks & Regards
            v-2nas

            MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
            Sr. Wintel Eng. (Investment Bank)
            Independent IT Consultant and Architect
            Blog: http://www.exchadtech.blogspot.com

            Show your appreciation for my help by giving reputation points

            Comment


            • #7
              Re: Users Account's locked out

              Hello,

              There is no mapping to dansharexch1

              dansharexch1 f is DC and Exchange

              The users that get lockout use the same computer, some not.

              all dcs are windows 2003

              only
              dansharexch1 is is virtual and is also exchange.

              what else need to be checked ?


              Comment


              • #8
                Re: Users Account's locked out

                Are the accounts still locking-out when DANSHAREXCH1 is shutdown?

                This posting is provided "AS IS" with no warranties, and confers no rights.

                __________________

                ** Remember to give credit where credit's due **
                and leave Reputation Points for meaningful posts

                Comment


                • #9
                  Re: Users Account's locked out

                  Hi,

                  can you explain your domain env a bit? Sorry shud have asked you in first place.
                  how many dc, domains, remote users, or all local users

                  If it's just a single forest and domain i would like you to do this again.

                  Check which is the logon server for your client using set l

                  on that server enable logging for netlogon. (that shud be your dc)

                  Enable that netlogon on pdc

                  Wait for account lockout to happen

                  stop the logging and upload the files again.

                  i went thru entire Account lockout whitepaper . It also suggest enabling auditing on account lockouts however for now i will keep it on side. hope we get to the root cause and resolve your issue
                  Thanks & Regards
                  v-2nas

                  MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                  Sr. Wintel Eng. (Investment Bank)
                  Independent IT Consultant and Architect
                  Blog: http://www.exchadtech.blogspot.com

                  Show your appreciation for my help by giving reputation points

                  Comment


                  • #10
                    Re: Users Account's locked out

                    Helo,

                    I shut down dansharexch1 Dc
                    and the issue no longer exists.
                    This Dc is also the email server of the company.

                    what is my next step...


                    thanks

                    Comment


                    • #11
                      Re: Users Account's locked out

                      Are these users also locking-out when their dedicated client computer is powered-off?

                      Check the event logs on dansharexch1 for errors.
                      Make sure dansharexch1 is a Global Catalog Server. (However since there are three dc's in the domain, I would consider demoting dansharexch1, and metadata cleanup. - Because it is a virtual machine for load balancing control it would be better to separate the two, Is dansharexch1 also a dns server?. Also because of the the fact Microsoft that does not recommend to install exchange on a dc).

                      From the netlogon log we know that for the 5 user accounts, a bad password is being passed periodically.
                      Return code:
                      0xC000006A = User logon with Misspelled or bad Password
                      0xC0000234 = User logon with Account Locked

                      What's remarkable is the user autentication is not from the user's client but from DANSHAREXCH1 and via DANSHAREXCH1. Obviously it is Exchange server authenticating the user access against the DC (both roles are on the same machine). Most likely somewhere cached 'old' credentials are passed from a device to access the mailbox.

                      On a Windows Server 2003 you can find the tool cmdkey.exe. Run cmdkey.exe /list from a dos-box on DANSHAREXCH1 just to make sure.
                      Then copy this tool to one of the clients, i.e. RON-XP (I've noticed there is also a RON-VISTA) to find out if there are stored credentials on the clients. Run it while the user is logged on.


                      \Rems
                      Last edited by Rems; 27th December 2010, 12:38.

                      This posting is provided "AS IS" with no warranties, and confers no rights.

                      __________________

                      ** Remember to give credit where credit's due **
                      and leave Reputation Points for meaningful posts

                      Comment


                      • #12
                        Re: Users Account's locked out

                        Hi,

                        Power on your dansharexch1. As per silent2k11 this server is also performing the role of email service for the company so demoting won't be a good choice.

                        I see in the pervious netlogon logs that logon type is Transistive although it's your Authenticating DC as well but seems like there is some process or service throwing the creds

                        Actually in authentication chain you should see event something like this
                        29-Mar 14:28:31 Network logon Tailspintoys\User1 Computer-006 0xC000006A

                        codes can be different.
                        Thanks & Regards
                        v-2nas

                        MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                        Sr. Wintel Eng. (Investment Bank)
                        Independent IT Consultant and Architect
                        Blog: http://www.exchadtech.blogspot.com

                        Show your appreciation for my help by giving reputation points

                        Comment


                        • #13
                          Re: Users Account's locked out

                          Originally posted by v-2nas View Post
                          As per silent2k11 this server is also performing the role of email service for the company so demoting won't be a good choice.
                          Chears v-2nas!
                          It is true, if you would run dcpromo on a DC (or on any server) with Exchange installed you will break Exchange. You have to migrate Exchange first.

                          \Rems
                          Last edited by Rems; 13th January 2011, 14:56.

                          This posting is provided "AS IS" with no warranties, and confers no rights.

                          __________________

                          ** Remember to give credit where credit's due **
                          and leave Reputation Points for meaningful posts

                          Comment

                          Working...
                          X