"Hector" <(E-Mail Removed)> wrote in message...
>I have a user that locks out their account a few times a day. I need to
>know where her account is being used. Is there a tool or command that will
>allow me to view all the connections on the network with that account?
Problem: A single account in a Windows domain is being locked out over and
over again.
Known causes:
1) Logged on somewhere else in the network. The user is already persistently
logged into another computer somewhere else in the domain (such as in a
conference room, classroom or computer lab) after changing the password on
their regular machine.
2) Microsoft Outlook. An open application such as Microsoft Outlook on
another machine will periodically validate to the domain and if it uses an
invalid username/password combination this will lock the account out after
the specified number of retries.
3) Terminal Server session. A Terminal Server session could be open which is
attempting to authenticate using the old password.
Note: This machine could be outside of the network (open OWA session) or be
a laptop connected in over VPN.
4) Service Account. The user's account is running as a service on a computer
somewhere else in the network with old credentials.
5) Scheduled Task. A scheduled task on their computer is using old
credentials.
6) Drive mapping. A drive mapping on a machine is using old credentials.
7) A virus (such as a worm) has determined the user account is using a weak
password (such as blank or same as username) and is attempting to access
other resources on the network.
8) If you have raised the NTLM level on your DCs, and you try to log into a
workstation whose NTLM level is 0 your user account will be locked
immediately. The fix would be to raise the NTLM level on the workstation.
How to determine which machine(s) a user's account is logged into on the
domain:
1) Use the Symantec System Center (if available)
2) Use "psloggedon" from http://www.sysinternals.com to determine if the
user account is logged into the domain anywhere else on the network. There
may be a service account somewhere using the account's old credentials.
3) Enable Account Auditing in the Domain Controllers GPO to see who is
causing the lockouts and when. Enable auditing for the following events:
Account Logon Events - Failure
Account Management - Success
Logon Events - Failure
4) In Windows 2000 (SP4) and Windows Server 2003 there is a tool called
lockoutstatus.exe which shows detailed info on which DC has locked out the
account, as well as showing badPwdCount and other useful information. If
you have the Windows Server 2003 CD, you will find this utility there. In
Windows NT 4.0 domains, lockouts were common when there were replication
problems between domain controllers. In an NT 4.0 domain, look at errors in
the Event Logs of the PDC and BDCs. Open Server Manager > highlight the PDC
> click on Computer > Synchronize the entire domain > check the system log
of the Event Viewer on all DCs to determine whether synchronization was
successful.
5) Look for Event ID 644 in the domain controller Security event log. That
should tell you which machine requested the lockout.
http://mcpmag.com/forums/forum_posts.asp?tid=1504
See the link below for tips on account lockouts, which includes how to use
netlogon logging to trace the failed logon back to the computer that
initiated the bad logon. Service accounts on domain computers that use a
domain admin credential are a dangerous security practice, as the password for
those accounts can be easily recovered from a domain computer.
http://www.microsoft.com/downloads/d...displaylang=en
See also:
Using the Checked Netlogon.dll to Track Account Lockouts
http://support.microsoft.com/default...;en-us;Q189541
--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights
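Step 5 of the reply above (read Event ID 644 off the DC Security logs to find the machine that requested the lockout) can be automated. The script below is an added example, not code from the original post; it also handles Event ID 4740, the replacement for 644 on Windows Server 2008 and later, which the post does not mention. It assumes Windows PowerShell with Get-EventLog, an account with rights to read each DC's Security log remotely, and that the DC and user names at the bottom (placeholders) are replaced with real ones.

```powershell
# Added example, not code from the original post: pull the "User Account Locked
# Out" events from each DC's Security log and report the caller machine for one
# account. Event ID 644 is the Windows 2000/2003 event named in the post; 4740 is
# the equivalent on Windows Server 2008 and later.
# Assumes the caller can read the DCs' Security logs remotely (Get-EventLog over
# RPC) and that the DC and account names at the bottom are placeholders.

function Get-LockoutSource {
    param(
        [string]$Account,
        [string[]]$DomainControllers,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($dc in $DomainControllers) {
        # Each DC records only the lockouts it processed, so query every DC.
        $events = Get-EventLog -ComputerName $dc -LogName Security `
                      -InstanceId 644, 4740 -After $since -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $msg = $e.Message
            if ($e.EventID -eq 644) {
                # 644 layout: "Target Account Name: jdoe" / "Caller Machine Name: WKSTN01"
                $userRx   = 'Target Account Name:[ \t]*([^\r\n]*)'
                $callerRx = 'Caller Machine Name:[ \t]*([^\r\n]*)'
            } else {
                # 4740 layout: the locked-out account's "Account Name" follows
                # "Account That Was Locked Out:"; the source is "Caller Computer Name"
                $userRx   = 'Account That Was Locked Out:[\s\S]*?Account Name:[ \t]*([^\r\n]*)'
                $callerRx = 'Caller Computer Name:[ \t]*([^\r\n]*)'
            }
            $user   = [regex]::Match($msg, $userRx).Groups[1].Value.Trim()
            $caller = [regex]::Match($msg, $callerRx).Groups[1].Value.Trim()
            # The caller field is sometimes blank; say so rather than hiding the event.
            if (-not $caller) { $caller = '(not recorded)' }
            if ($user -ieq $Account) {
                [pscustomobject]@{
                    Time          = $e.TimeGenerated
                    DC            = $dc
                    EventID       = $e.EventID
                    CallerMachine = $caller
                }
            }
        }
    }
}

# Placeholder names; replace with the locked-out user and your domain controllers.
Get-LockoutSource -Account 'jdoe' -DomainControllers 'DC01', 'DC02' -Hours 24 |
    Sort-Object Time |
    Format-Table Time, DC, EventID, CallerMachine -AutoSize
```

The CallerMachine column is the host to check for the stale session, service, scheduled task or drive mapping listed under "Known causes"; if it is a DC or blank, fall back to the netlogon logging the post links to.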