RE: [ActiveDir] account lockout troubleshooting

[Jimmy Andersson]

You can use wmic.exe to find most info about your services.   Regards, /Jimmy   -------------------------------------     Jimmy Andersson, Q Advice AB                CEO & Principal Advisor      Microsoft MVP - Active Directory ---------- www.qadvice.com ----------    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Thursday, October 09, 2003 1:01 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] account lockout troubleshooting Check for any services that are possibly running in the context of the user (either services.msc or if you want command line check out svcutil at www.joeware.net with the viewx option)     F:\Dev\cpp\SvcUtil>svcutil . viewx   SvcUtil V02.03.00cpp  Joe Richards ([EMAIL PROTECTED]) May 2003   ------------------------------------------------- Service list for LocalHost ------------------------------------------------- Alerter                   Alerter                                    stopped    MANUAL     NT AUTHORITY\LocalService ALG                       Application Layer Gateway Service          stopped    MANUAL     NT AUTHORITY\LocalService AppMgmt                   Application Management                     stopped    MANUAL     LocalSystem ATI Smart                 ATI Smart                                  stopped    AUTO       LocalSystem AudioSrv                  Windows Audio                              running    AUTO       LocalSystem BITS                      Background Intelligent Transfer Service    running    MANUAL     LocalSystem Browser                   Computer Browser                           running    AUTO       LocalSystem cisvc                     Indexing Service                           stopped    MANUAL     LocalSystem ClipSrv                   ClipBook                                   stopped    MANUAL     LocalSystem COMSysApp                 COM+ System Application                    stopped    MANUAL     LocalSystem <SNIP>       Also check for any MTS/COM+ objects that are set up to authenticate as the user. Sorry don't have a command line tool I am aware of to do that.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Wednesday, October 08, 2003 4:37 PM To: [EMAIL PROTECTED] Thanks everyone…I appreciate the excellent suggestions. I’ll post whether or not Microsoft’s solution (DS Client) is successful in the next day or two.   <mc> -----Original Message----- From: Coleman, Hunter [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 3:58 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] account lockout troubleshooting   I've seen this, as Mike said, with persistent drives mapped. Also with scheduled tasks using an old password.   Hunter   From: Creamer, Mark [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 1:30 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] account lockout troubleshooting Yep, one is the PDCE. That would explain the same event at the same time on 2 DCs. But here's the strange thing. The users log on successfully. They work with no problem for a while with apps running like Outlook (to Exchange 2000), IE, open Office files on a file server, etc. Suddenly they can't work anymore - again, just as if someone else was locking out the account. But the events are coming from the user's own PC only.   <mc> -----Original Message----- From: Coleman, Hunter [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 3:17 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] account lockout troubleshooting   Is one of the DCs your PDC emulator? Normally, if a user attempts to authenticate to a DC with an incorrect password (error code 3221225578), that DC will redirect the authentication to the PDC emulator for an "authoratative" response. This covers the case where a user's password has changed but not fully replicated to all DCs. The PDC emulator would know about the change, so checking there would validate the login attempt or reject it if appropriate.   Hunter   From: Creamer, Mark [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 12:03 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] account lockout troubleshooting Hi folks, I have been trying to troubleshoot some lockout events. In every case, the event originates on the user's own workstation (not some other user). There are no associated file object failures on the primary file server. It seems like it is application-based, but I can't nail it down. I've been using Microsoft's AL tools, including EventCombMT, but I can't use the acctinfo.dll because the clients are Win9x.   Today I noticed for the first time that on 2 DCs, the exact same 5 login failures occurred (one example follows):   681,AUDIT FAILURE,Security,Tue Oct 07 13:13:38 2003,NT AUTHORITY\SYSTEM,The logon to account: MYUSER    by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    from workstation: \\HIS_PC    failed. The error code was: 3221225578      I was concerned that I didn't think it is normal that 2 DCs would log the same 5 logon failures at exactly the same times. What do you think?   Thanks,   Mark Creamer Systems Engineer Cintas Corporation http://www.cintas.com Honesty and Integrity in Everything We Do