User log on lock out policy does not function correctly in 2003

Hi all

I'm having a lot of trouble at the moment with users attempting to log on
and then maybe typing
their password incorrectly by accident and the system locks them out - this
happens on
win 98 clients (am not sure if it happens on the XP clients yet). I've tried
changing the lockout
policy but it doesn't seem to have made any difference.

Can anyone suggest anything on this?

Also, I've had alot of problems when users attempt to log on for the first
time and must change their password under the 98 clients, it changes it
but then returns them to the login screen (with the password filled in) and
then they try and log in and they can't log in.

If they shutdown the computer (Ctrl-Alt-Del) and then restart, 9 times out
of 10 they can log straight in but it seems that the computer, indeed all
the
98 computers have to restart before they recognise changes to user accounts
or something like that.

Running a 2003 domain as 2000 native - should I make it a "true" 2003
domain?
I have a NT 4 server that I intend to wipe and attach to the domain (as a
app server)
but dunno whether that'll work or not, but most concerned about the user
problems

Can anyone shed any light on these matters as I'm pulling my hair out over
these things
and we dont have the budget to get microsoft support to help us

Best regards to you all,

--
Nathan Harmsworth
IT / Network Administrator
Ysgol Bro Ddyfi (Edu)

Hi, Windows 98 have same problem with the password length search in the
Microsoft KB.

"Nathan H" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi all
>
> I'm having a lot of trouble at the moment with users attempting to log on
> and then maybe typing
> their password incorrectly by accident and the system locks them out -
> this
> happens on
> win 98 clients (am not sure if it happens on the XP clients yet). I've
> tried
> changing the lockout
> policy but it doesn't seem to have made any difference.
>
> Can anyone suggest anything on this?
>
> Also, I've had alot of problems when users attempt to log on for the first
> time and must change their password under the 98 clients, it changes it
> but then returns them to the login screen (with the password filled in)
> and
> then they try and log in and they can't log in.
>
> If they shutdown the computer (Ctrl-Alt-Del) and then restart, 9 times out
> of 10 they can log straight in but it seems that the computer, indeed all
> the
> 98 computers have to restart before they recognise changes to user
> accounts
> or something like that.
>
> Running a 2003 domain as 2000 native - should I make it a "true" 2003
> domain?
> I have a NT 4 server that I intend to wipe and attach to the domain (as a
> app server)
> but dunno whether that'll work or not, but most concerned about the user
> problems
>
> Can anyone shed any light on these matters as I'm pulling my hair out over
> these things
> and we dont have the budget to get microsoft support to help us
>
> Best regards to you all,
>
> --
> Nathan Harmsworth
> IT / Network Administrator
> Ysgol Bro Ddyfi (Edu)
>
>

Hi Jonathan

"Jonathan Cossio" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi, Windows 98 have same problem with the password length search in the
> Microsoft KB.

I presume you mean...

"Hi.
In Windows 98 have same problem with password length.
Have searched in the Microsoft KB"

if not, and you're telling me to search it, believe me I have and cant find
anything appropriate.

Can anyone help me (us)?

Regards
--
Nathan Harmsworth
IT / Network Administrator
Ysgol Bro Ddyfi (Edu)

Did you install DSClient if not try it:
http://support.microsoft.com/default...b;en-us;555038

"Nathan H" <(E-Mail Removed)> wrote in message
news:%23YH$(E-Mail Removed)...
> Hi Jonathan
>
> "Jonathan Cossio" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hi, Windows 98 have same problem with the password length search in the
>> Microsoft KB.
>
> I presume you mean...
>
> "Hi.
> In Windows 98 have same problem with password length.
> Have searched in the Microsoft KB"
>
> if not, and you're telling me to search it, believe me I have and cant
> find
> anything appropriate.
>
> Can anyone help me (us)?
>
> Regards
> --
> Nathan Harmsworth
> IT / Network Administrator
> Ysgol Bro Ddyfi (Edu)
>
>

"Jonathan Cossio" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Did you install DSClient if not try it:
> http://support.microsoft.com/default...b;en-us;555038
>

Yep...done that, not that it has much to do with this problem

Cheers,
--
Nathan Harmsworth
IT / Network Administrator
Ysgol Bro Ddyfi (Edu)

I've just posted an alarmingly similar incident, mine are all XP clients and
regardless of password policy settings the clients are unable to change
their own passwords.
If change the min password lenght to 3 chars the clients are told despite
using a 10 char complex password that it does not meet the requirements.
No matter what the policy says the users can't change the password.
The result is the Admin is having to do all the user password changes!.
Not good in a school of 1200.

Bizzare.

"Nathan H" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi all
>
> I'm having a lot of trouble at the moment with users attempting to log on
> and then maybe typing
> their password incorrectly by accident and the system locks them out -
this
> happens on
> win 98 clients (am not sure if it happens on the XP clients yet). I've
tried
> changing the lockout
> policy but it doesn't seem to have made any difference.
>
> Can anyone suggest anything on this?
>
> Also, I've had alot of problems when users attempt to log on for the first
> time and must change their password under the 98 clients, it changes it
> but then returns them to the login screen (with the password filled in)
and
> then they try and log in and they can't log in.
>
> If they shutdown the computer (Ctrl-Alt-Del) and then restart, 9 times out
> of 10 they can log straight in but it seems that the computer, indeed all
> the
> 98 computers have to restart before they recognise changes to user
accounts
> or something like that.
>
> Running a 2003 domain as 2000 native - should I make it a "true" 2003
> domain?
> I have a NT 4 server that I intend to wipe and attach to the domain (as a
> app server)
> but dunno whether that'll work or not, but most concerned about the user
> problems
>
> Can anyone shed any light on these matters as I'm pulling my hair out over
> these things
> and we dont have the budget to get microsoft support to help us
>
> Best regards to you all,
>
> --
> Nathan Harmsworth
> IT / Network Administrator
> Ysgol Bro Ddyfi (Edu)
>
>

Where are you setting the policy? The password policy has to be set at
Domain level otherwise it will not function in the way you expect (that is,
the settings will apply but only to local accounts on machines)

AndyC

"Geoff Hall" <geoff@absolutelynospam_task-it.co.uk> wrote in message
news:%23WmK$(E-Mail Removed)...
> I've just posted an alarmingly similar incident, mine are all XP clients
and
> regardless of password policy settings the clients are unable to change
> their own passwords.
> If change the min password lenght to 3 chars the clients are told despite
> using a 10 char complex password that it does not meet the requirements.
> No matter what the policy says the users can't change the password.
> The result is the Admin is having to do all the user password changes!.
> Not good in a school of 1200.
>
> Bizzare.
>
> "Nathan H" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi all
> >
> > I'm having a lot of trouble at the moment with users attempting to log
on
> > and then maybe typing
> > their password incorrectly by accident and the system locks them out -
> this
> > happens on
> > win 98 clients (am not sure if it happens on the XP clients yet). I've
> tried
> > changing the lockout
> > policy but it doesn't seem to have made any difference.
> >
> > Can anyone suggest anything on this?
> >
> > Also, I've had alot of problems when users attempt to log on for the
first
> > time and must change their password under the 98 clients, it changes it
> > but then returns them to the login screen (with the password filled in)
> and
> > then they try and log in and they can't log in.
> >
> > If they shutdown the computer (Ctrl-Alt-Del) and then restart, 9 times
out
> > of 10 they can log straight in but it seems that the computer, indeed
all
> > the
> > 98 computers have to restart before they recognise changes to user
> accounts
> > or something like that.
> >
> > Running a 2003 domain as 2000 native - should I make it a "true" 2003
> > domain?
> > I have a NT 4 server that I intend to wipe and attach to the domain (as
a
> > app server)
> > but dunno whether that'll work or not, but most concerned about the user
> > problems
> >
> > Can anyone shed any light on these matters as I'm pulling my hair out
over
> > these things
> > and we dont have the budget to get microsoft support to help us
> >
> > Best regards to you all,
> >
> > --
> > Nathan Harmsworth
> > IT / Network Administrator
> > Ysgol Bro Ddyfi (Edu)
> >
> >
>
>

Hi all

Just wondering if anyone has any further ideas as I'm still getting problems
with it...

The Windows 98 SE clients are the issue, have had no reports of XP being
affected.

I've seen it happen in front of my eyes....

A pupil here told me that he tried to log on a few times but it wasn't
letting him. I had a look
at his account and sure enough, it was locked out. I unlocked it and asked
him to try again.
He tried again and couldn't log in still. I took a look at his account again
and it had locked him out
again, despite the fact that the lockout policy is set to 5 attempts before
it locks a user out.
Anyhow, I unlocked it and shut the PC down (without logging into it) and
restarted the machine.
The pupil logged on fine.

How does this make sense? I'm really desperate here with this one. Is there
some setting I've missed
somewhere. I've created a config.pol file which is doing all the usual
"lockdown" things i.e. custom
profiles, desktop, restricting setting changes, etc.

It was easy to configure in the former old NT domain as I just used the
"User Manager for Domains"
Administrative Tool under the Policies menu, and had no trouble at all
there. Nothing like this happened.

Could it be anything to do with Kerberos or authentication aspects? I have
little knowledge on
these things and I'm sure I read I had to turn some option off in order for
98 clients to log on properly
but cant remember what it is. I have had this problem in both 2000 mixed and
the current 2000 native
mode (had to promote it for the migration process from NT to work).

I love 2003 but I wish I could work this one out...

Please if anyone has a shred of an idea regarding it, please say - it might
just work

Many thanks,
Nathan H.



--
Nathan Harmsworth
IT / Network Administrator
Ysgol Bro Ddyfi (Edu)

You might consider installing the latest version of the DSClient on the 9x
machines. That includes some hotfixes that address this type of issue. You
would need to contact Microsoft to obtain this update.
323466 Availability of the Active Directory client extension update for
Windows
http://support.microsoft.com/?id=323466

The one hotfix that I am thinking of in particular is the following:
271496 One unsuccessful logon attempt may trigger the default Windows NT
http://support.microsoft.com/?id=271496

--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

================================================== ===
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.


"Nathan H" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi all
>
> Just wondering if anyone has any further ideas as I'm still getting
problems
> with it...
>
> The Windows 98 SE clients are the issue, have had no reports of XP being
> affected.
>
> I've seen it happen in front of my eyes....
>
> A pupil here told me that he tried to log on a few times but it wasn't
> letting him. I had a look
> at his account and sure enough, it was locked out. I unlocked it and asked
> him to try again.
> He tried again and couldn't log in still. I took a look at his account
again
> and it had locked him out
> again, despite the fact that the lockout policy is set to 5 attempts
before
> it locks a user out.
> Anyhow, I unlocked it and shut the PC down (without logging into it) and
> restarted the machine.
> The pupil logged on fine.
>
> How does this make sense? I'm really desperate here with this one. Is
there
> some setting I've missed
> somewhere. I've created a config.pol file which is doing all the usual
> "lockdown" things i.e. custom
> profiles, desktop, restricting setting changes, etc.
>
> It was easy to configure in the former old NT domain as I just used the
> "User Manager for Domains"
> Administrative Tool under the Policies menu, and had no trouble at all
> there. Nothing like this happened.
>
> Could it be anything to do with Kerberos or authentication aspects? I have
> little knowledge on
> these things and I'm sure I read I had to turn some option off in order
for
> 98 clients to log on properly
> but cant remember what it is. I have had this problem in both 2000 mixed
and
> the current 2000 native
> mode (had to promote it for the migration process from NT to work).
>
> I love 2003 but I wish I could work this one out...
>
> Please if anyone has a shred of an idea regarding it, please say - it
might
> just work
>
> Many thanks,
> Nathan H.
>
>
>
> --
> Nathan Harmsworth
> IT / Network Administrator
> Ysgol Bro Ddyfi (Edu)
>
>