Guest Tom Edelbrok
Posted May 15, 2008

To all,

We have a Server 2003 network (2 Domain Controllers, 3 member servers, and about 60 Windows XP SP2 clients). About 3 months ago we noticed that the occasional user would get into a lockout problem after having changed their expiring password successfully. What happens is that after changing their password they can run fine for a while (even logging out and back in), but then all of a sudden their account gets locked out. However, they haven't done anything to lock it out (ie: they haven't put in a bad password three times in succession). We unlock their account and they work fine for a day or so, then boom - it happens again. It occurs while they are already logged in, ie: the Internet Explorer starts looking for authentication, and their Outlook client (for Exchange Server 2003) also looks for authentication. Neither of these should be asking because they are logged in via Active Directory, and secondly, the Internet Explorer uses an LDAP authentication via a Linux box to authenticate against Active Directory. It only affects a few people, but it affects them so severely that we have to get a solution to the problem.

The only solution we've come up with is to rebuild the user's PC (wipe the drive and re-install XP). Then they are fine.

We speculate that there must be some background processes (ie: java update checker, or who knows what) that are going out to the web to search for updates, and are somehow using the user's old password (ie: from before they changed it). Perhaps this 'old' password is encrypted and stored in the registry someplace based upon the last time a process was successful in accessing the web. If these background processes are failing to authenticate a number of times then that would explain the user being locked out while they're currently logged in.

Does this make sense? Does anyone else have any ideas? Has anyone else seen a problem like this?

Tom Edelbrok

Guest Adrian
Posted May 15, 2008

RE: User accounts getting locked out frequently

Try this the next time it happens:

1) remove passwords by clicking on Start => Run => type "rundll32.exe keymgr.dll, KRShowKeyMgr" and then delete the Domain-related passwords;
2) remove passwords in Internet Explorer => Tools => Internet Options => Content => Personal Information => Auto Complete => Clear Passwords;
3) Delete cookies in Internet Explorer => Tools => Internet Options => General;
4) Disconnect (note the path before disconnecting) all network drives, reboot, then map them again;

More often than not it is an explicit drive mapping.

"Tom Edelbrok" wrote:

> To all,
>
> We have a Server 2003 network (2 Domain Controllers, 3 member servers, and
> about 60 Windows XP SP2 clients). About 3 months ago we noticed that the
> occasional user would get into a lockout problem after having changed their
> expiring password successfully. What happens is that after changing their
> password they can run fine for a while (even logging out and back in), but
> then all of a sudden their account gets locked out. However, they haven't
> done anything to lock it out (ie: they haven't put in a bad password three
> times in succession). We unlock their account and they work fine for a day
> or so, then boom - it happens again. It occurs while they are already logged
> in, ie: the Internet Explorer starts looking for authentication, and their
> Outlook client (for Exchange Server 2003) also looks for authentication.
> Neither of these should be asking because they are logged in via Active
> Directory, and secondly, the Internet Explorer uses an LDAP authentication
> via a Linux box to authenticate against Active Directory. It only affects a
> few people, but it affects them so severely that we have to get a solution
> to the problem.
>
> The only solution we've come up with is to rebuild the user's PC (wipe the
> drive and re-install XP). Then they are fine.
>
> We speculate that there must be some background processes (ie: java update
> checker, or who knows what) that are going out to the web to search for
> updates, and are somehow using the user's old password (ie: from before they
> changed it). Perhaps this 'old' password is encrypted and stored in the
> registry someplace based upon the last time a process was successful in
> accessing the web. If these background processes are failing to authenticate
> a number of times then that would explain the user being locked out while
> they're currently logged in.
>
> Does this make sense? Does anyone else have any ideas? Has anyone else seen
> a problem like this?
>
> Tom Edelbrok

Guest JohnB
Posted May 15, 2008

Re: User accounts getting locked out frequently

Are you saying Outlook does prompt for username/password? Normally that happens when the cached password doesn't match the password in AD. Almost sounds like a problem with AD replication.

Try disabling cached credentials in a GPO: Computer Configuration, Windows Setting, Local Policy, Security Options control of "Interactive Logon: Number of previous logons to cache (in case domain controller is not available)" to 0 logons (from the default of 10).

"Tom Edelbrok" <anonymous@anonymous.com> wrote in message news:PT_Wj.2908$KB3.349@edtnps91...

> To all,
>
> We have a Server 2003 network (2 Domain Controllers, 3 member servers, and
> about 60 Windows XP SP2 clients). About 3 months ago we noticed that the
> occasional user would get into a lockout problem after having changed
> their expiring password successfully. What happens is that after changing
> their password they can run fine for a while (even logging out and back
> in), but then all of a sudden their account gets locked out. However, they
> haven't done anything to lock it out (ie: they haven't put in a bad
> password three times in succession). We unlock their account and they work
> fine for a day or so, then boom - it happens again. It occurs while they
> are already logged in, ie: the Internet Explorer starts looking for
> authentication, and their Outlook client (for Exchange Server 2003) also
> looks for authentication. Neither of these should be asking because they
> are logged in via Active Directory, and secondly, the Internet Explorer
> uses an LDAP authentication via a Linux box to authenticate against Active
> Directory. It only affects a few people, but it affects them so severely
> that we have to get a solution to the problem.
>
> The only solution we've come up with is to rebuild the user's PC (wipe the
> drive and re-install XP). Then they are fine.
>
> We speculate that there must be some background processes (ie: java update
> checker, or who knows what) that are going out to the web to search for
> updates, and are somehow using the user's old password (ie: from before
> they changed it). Perhaps this 'old' password is encrypted and stored in
> the registry someplace based upon the last time a process was successful
> in accessing the web. If these background processes are failing to
> authenticate a number of times then that would explain the user being
> locked out while they're currently logged in.
>
> Does this make sense? Does anyone else have any ideas? Has anyone else
> seen a problem like this?
>
> Tom Edelbrok
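
Added example, not part of any post in this thread: one way to test the stale-password theory is to check on the domain controllers which machine sent the bad-password attempts just before each lockout. The CSV layout, user names, addresses and the host name PROXY01 are constructed for this example; the event IDs are the Server 2003 Security-log IDs for Kerberos pre-authentication failure (675), NTLM logon attempt (680) and account lockout (644).

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: a simplified CSV export of domain-controller Security
# events. The column layout is an assumption of this example.
SAMPLE = """time,event_id,user,source,code
2008-05-15 09:00:02,675,jsmith,10.0.0.41,0x18
2008-05-15 09:00:03,675,jsmith,10.0.0.41,0x18
2008-05-15 09:00:04,680,jsmith,PROXY01,0xC000006A
2008-05-15 09:00:04,644,jsmith,PROXY01,
2008-05-15 09:10:00,675,akhan,10.0.0.77,0x18
2008-05-15 11:30:00,675,jsmith,10.0.0.41,0x18
"""

# (event id, failure code) pairs that mean "wrong password" on Server 2003.
BAD_PASSWORD = {("675", "0x18"), ("680", "0xc000006a")}
LOCKOUT = "644"


def parse(text):
    """Read the CSV and turn the time column into datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    return rows


def lockout_sources(rows, window=timedelta(minutes=30)):
    """For each lockout, count bad-password failures per source machine
    for the same user in the window leading up to the lockout."""
    report = {}
    for lock in (r for r in rows if r["event_id"] == LOCKOUT):
        counts = Counter(
            r["source"]
            for r in rows
            if r["user"].lower() == lock["user"].lower()
            and (r["event_id"], r["code"].lower()) in BAD_PASSWORD
            and lock["time"] - window <= r["time"] <= lock["time"]
        )
        report[(lock["user"], lock["time"])] = counts.most_common()
    return report


if __name__ == "__main__":
    for (user, when), sources in lockout_sources(parse(SAMPLE)).items():
        print(f"{user} locked out at {when}")
        for source, n in sources:
            print(f"  {n} bad-password failure(s) from {source}")
```

When authentication is relayed through an intermediary such as the Linux LDAP box mentioned in the first post, the source recorded on the domain controller is that intermediary, not the user's PC.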