User accounts getting locked out frequently

[Guest Tom Edelbrok]

To all,

 

We have a Server 2003 network (2 Domain Controllers, 3 member servers, and

about 60 Windows XP SP2 clients). About 3 months ago we noticed that the

occasional user would get into a lockout problem after having changed their

expiring password successfully. What happens is that after changing their

password they can run fine for a while (even logging out and back in), but

then all of a sudden their account gets locked out. However, they haven't

done anything to lock it out (ie: they haven't put in a bad password three

times in succession). We unlock their account and they work fine for a day

or so, then boom - it happens again. It occurs while they are already logged

in, ie: the Internet Explorer starts looking for authentication, and their

Outlook client (for Exchange Server 2003) also looks for authentication.

Neither of these should be asking because they are logged in via Active

Directory, and secondly, the Internet Explorer uses an LDAP authentication

via a Linux box to authenticate against Active Directory. It only affects a

few people, but it affects them so severely that we have to get a solution

to the problem.

 

The only solution we've come up with is to rebuild the user's PC (wipe the

drive and re-install XP). Then they are fine.

 

We speculate that there must be some background processes (ie: java update

checker, or who knows what) that are going out to the web to search for

updates, and are somehow using the user's old password (ie: from before they

changed it). Perhaps this 'old' password is encrypted and store in the

registry someplace based upon the last time a process was successful in

accessing the web. If these background processes are failing to authenticate

a number of times then that would explain the user being locked out while

they're currently logged in.

 

Does this make sense? Does anyone else have any ideas? Has anyone else seen

a problem like this?

 

Tom Edelbrok

[Guest Adrian]

RE: User accounts getting locked out frequently

 

Try this the next time it happens

 

1) remove passwords by clicking on Start => Run => type "rundll32.exe

keymgr.dll, KRShowKeyMgr" and then delete the Domain-related passords;

2) remove passwords in Internet Explorer => Tools => Internet Options =>

Content => Personal Information => Auto Complete => Clear Passwords;

3) Delete cookies in Internet Explorer => Tools => Internet Options =>

General;

4) Disconnect (note the path before disconnecting) all networks drives,

reboot, then map them again;

 

More often than not it is an explicite drive mapping

 

"Tom Edelbrok" wrote:

> To all,

>

> We have a Server 2003 network (2 Domain Controllers, 3 member servers, and

> about 60 Windows XP SP2 clients). About 3 months ago we noticed that the

> occasional user would get into a lockout problem after having changed their

> expiring password successfully. What happens is that after changing their

> password they can run fine for a while (even logging out and back in), but

> then all of a sudden their account gets locked out. However, they haven't

> done anything to lock it out (ie: they haven't put in a bad password three

> times in succession). We unlock their account and they work fine for a day

> or so, then boom - it happens again. It occurs while they are already logged

> in, ie: the Internet Explorer starts looking for authentication, and their

> Outlook client (for Exchange Server 2003) also looks for authentication.

> Neither of these should be asking because they are logged in via Active

> Directory, and secondly, the Internet Explorer uses an LDAP authentication

> via a Linux box to authenticate against Active Directory. It only affects a

> few people, but it affects them so severely that we have to get a solution

> to the problem.

>

> The only solution we've come up with is to rebuild the user's PC (wipe the

> drive and re-install XP). Then they are fine.

>

> We speculate that there must be some background processes (ie: java update

> checker, or who knows what) that are going out to the web to search for

> updates, and are somehow using the user's old password (ie: from before they

> changed it). Perhaps this 'old' password is encrypted and store in the

> registry someplace based upon the last time a process was successful in

> accessing the web. If these background processes are failing to authenticate

> a number of times then that would explain the user being locked out while

> they're currently logged in.

>

> Does this make sense? Does anyone else have any ideas? Has anyone else seen

> a problem like this?

>

> Tom Edelbrok

>

>

>

[Guest JohnB]

Re: User accounts getting locked out frequently

 

Are you saying Outlook does prompt for username/password? Normally that

happens when the cached password doesn't match the password in AD.

Almost sounds like a problem with AD replication.

 

Try disabling cached credentials in a GPO:

Computer Configuration, Windows Setting, Local Policy, Security Options

control of "Interactive Logon: Number of previous logons to cache (in case

domain controller is not available)" to 0 logons (from the default of 10).

 

 

 

"Tom Edelbrok" <anonymous@anonymous.com> wrote in message

news:PT_Wj.2908$KB3.349@edtnps91...

> To all,

>

> We have a Server 2003 network (2 Domain Controllers, 3 member servers, and

> about 60 Windows XP SP2 clients). About 3 months ago we noticed that the

> occasional user would get into a lockout problem after having changed

> their expiring password successfully. What happens is that after changing

> their password they can run fine for a while (even logging out and back

> in), but then all of a sudden their account gets locked out. However, they

> haven't done anything to lock it out (ie: they haven't put in a bad

> password three times in succession). We unlock their account and they work

> fine for a day or so, then boom - it happens again. It occurs while they

> are already logged in, ie: the Internet Explorer starts looking for

> authentication, and their Outlook client (for Exchange Server 2003) also

> looks for authentication. Neither of these should be asking because they

> are logged in via Active Directory, and secondly, the Internet Explorer

> uses an LDAP authentication via a Linux box to authenticate against Active

> Directory. It only affects a few people, but it affects them so severely

> that we have to get a solution to the problem.

>

> The only solution we've come up with is to rebuild the user's PC (wipe the

> drive and re-install XP). Then they are fine.

>

> We speculate that there must be some background processes (ie: java update

> checker, or who knows what) that are going out to the web to search for

> updates, and are somehow using the user's old password (ie: from before

> they changed it). Perhaps this 'old' password is encrypted and store in

> the registry someplace based upon the last time a process was successful

> in accessing the web. If these background processes are failing to

> authenticate a number of times then that would explain the user being

> locked out while they're currently logged in.

>

> Does this make sense? Does anyone else have any ideas? Has anyone else

> seen a problem like this?

>

> Tom Edelbrok

>