User Account Lock Out Oddity


This topic contains 9 replies, has 4 voices, and was last updated by ikon 10 years, 2 months ago.

stamandster (Member), #145041

So this is a weird development we’ve come across that I’ve been able to duplicate.

Let’s say a user logs into a workstation and the user then gets locked out of the domain: they can still access network resources without issue (email, shares, printers). If they lock their workstation they can still unlock it.

However, if the user gets locked out before they log in, or after they lock the workstation, they cannot log in or unlock themselves.

In both instances I can see the user is locked at the appropriate servers they are authenticating to. Eventually that lockout gets replicated to the other DCs in the domain.

I thought it had something to do with the IRPStackSize because one of the machines was having that issue. But that got resolved and I was able to duplicate it on another machine in an entirely different site.

There is nothing specific in the log on the workstation except that the user is locked out. However, they are still able to do the above. I’m really at a loss. I was able to install the User Account Lockout tool from MS. But I don’t really see anything; either that or I don’t know what to look at.

ikon (Member), #354253

I’m pretty sure this is to do with Kerberos tickets. Once the user is authenticated the client will store the session key and TGT in volatile memory; the ticket has a lifetime.

So the client has pre-authenticated, the workstation was locked, and it was able to open with the saved session keys.

In the reverse case the client tried to log in, has no session key or it has expired, and authenticates with the DC; the DC says you are locked, go away.

This is how I believe it to work.

There are some Kerberos tools available to diagnose.

L4ndy (Member), #276305

Second Ikon’s suggestions. The tools in question are Kerbtray.exe and Klist.exe, both part of the Windows resource kit, but they can be copied and used separately on the XP clients.
One good use of Klist.exe could be when an employer has been dismissed with immediate effect and you don’t want them to access any resources: you can purge the tickets granted to them, which will stop them from having access to the resources.

guyt (Member), #193978

stamandster;183836 wrote:
    Let’s say a user logs into a workstation and the user gets locked out of the domain; they can still access network resources without issue (email, shares, printers). If they lock their workstation they can still unlock it.

What OS are you testing on? Any chance you are still on XP SP2 or below?
If you are on XP SP2, does the hotfix from the following KB http://support.microsoft.com/kb/939850 change the behavior?
(Ignore the title of the article; IIRC this is the latest kerberos.dll for XP SP2.)

stamandster (Member), #280362

Thanks for the pointed information, fellas. I’ll check on their service pack level. I’ll do some more testing shortly.

    Thanks again. I’ll update as soon as I do.

stamandster (Member), #280363

Alrighty, so I’ve purged the tickets and I’m still able to do what’s mentioned above. I’ll be installing the update shortly even though the box is SP3.

stamandster (Member), #280364

    Some more research into this issue…

    So I locked an account out and waited, and waited, waited 3 days. The user account is locked from the domain, the user locks the workstation, the user is able to log back into the workstation. However, thankfully, the user cannot access network shares or exchange.

I think it has something to do with Computer Configuration > Windows Settings > Security Settings > Kerberos Policy:

Enforce user logon restrictions – Enabled
Maximum lifetime for service ticket – 600 minutes
Maximum lifetime for user ticket – 10 hours
Maximum lifetime for user ticket renewal – 7 days
Maximum tolerance for computer clock synchronization – 5 minutes

I, however, never set these. This was in place before I got here.

Also, there’s the Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy, which I don’t think is affecting it, but I might as well put it out there:

Account lockout duration – 99999 minutes
Account lockout threshold – 3 invalid logon attempts
Reset account lockout counter after – 30 minutes

    Is this just default behavior that I have never, ever, noticed before?
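As an added illustration (not code from the thread or from Microsoft), here is a small Python model of the behaviour ikon describes and of the timeline in the policy post above. The ticket lifetime and lockout duration are the thread's numbers; the assumption that the DC does not re-check lockout on a service-ticket request while the TGT is still valid is the model's own, chosen to reproduce what stamandster observed (shares and mail keep working right after lockout, stop once the TGT has expired, and unlocking the existing session keeps working).

```python
from dataclasses import dataclass
from typing import Optional

TGT_LIFETIME = 10 * 60      # "Maximum lifetime for user ticket": 10 hours, in minutes
LOCKOUT_DURATION = 99999    # "Account lockout duration" in minutes

@dataclass
class KDC:
    locked_at: Optional[int] = None   # minute at which the DC locked the account

    def is_locked(self, now):
        return self.locked_at is not None and now - self.locked_at < LOCKOUT_DURATION

    def as_request(self, now):
        """Logon or TGT renewal: the DC checks the account; returns TGT expiry or None."""
        return None if self.is_locked(now) else now + TGT_LIFETIME

    def tgs_request(self, tgt_expires, now):
        """Service ticket: modelled (assumption) as trusting any unexpired TGT."""
        return tgt_expires is not None and now < tgt_expires

@dataclass
class Workstation:
    kdc: KDC
    tgt_expires: Optional[int] = None
    has_session: bool = False   # interactive session with cached credentials

    def logon(self, now):
        self.tgt_expires = self.kdc.as_request(now)
        self.has_session = self.tgt_expires is not None
        return self.has_session

    def unlock(self, now):
        return self.has_session   # cached credentials, no DC round trip

    def open_share(self, now):
        if self.tgt_expires is not None and now >= self.tgt_expires:
            self.tgt_expires = self.kdc.as_request(now)   # renewal goes to the DC
        return self.kdc.tgs_request(self.tgt_expires, now)

def scenario(lock_after=60):
    """Logon at minute 0, lockout at `lock_after`; probe 30 min later and 3 days later."""
    kdc, day3 = KDC(), 3 * 24 * 60
    ws = Workstation(kdc)
    ws.logon(0)
    kdc.locked_at = lock_after
    return {"share_soon": ws.open_share(lock_after + 30),
            "share_day3": ws.open_share(day3),
            "unlock_day3": ws.unlock(day3),
            "new_logon_day3": Workstation(kdc).logon(day3)}
```

`scenario()` reproduces the thread's three observations: access still works shortly after lockout, fails once the 10-hour TGT would need renewing, and a fresh logon fails while unlocking the already logged-on session still succeeds.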

ikon (Member), #354260

I believe this is default behaviour. Since the user is logged on, the credentials are cached; the cached credentials are only destroyed at log-off or when the machine shuts down. Unlocking the workstation uses cached credentials, unless unlocking the workstation as the Administrator, in which case a full Kerberos logon will take place with the DC.

ikon (Member), #354261

Here is something I just found that might explain it a little better.

    http://207.46.16.252/en-us/magazine/2009.07.windowsconfidential.aspx

stamandster (Member), #280365

    Wow that’s an excellent article. That really helps with understanding what’s going on. I’ll be doing some more testing to make sure that that’s what it is.

    Thanks again everyone.
