Yep...thanks though <mc>
-----Original Message----- From: Free, Bob [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 3:56 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] account lockout troubleshooting Checked for an AT job running under the old creds? Seen that often. -----Original Message----- From: Creamer, Mark [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 12:30 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] account lockout troubleshooting Yep, one is the PDCE. That would explain the same event at the same time on 2 DCs. But here's the strange thing. The users log on successfully. They work with no problem for a while with apps running like Outlook (to Exchange 2000), IE, open Office files on a file server, etc. Suddenly they can't work anymore - again, just as if someone else was locking out the account. But the events are coming from the user's own PC only. <mc> -----Original Message----- From: Coleman, Hunter [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 3:17 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] account lockout troubleshooting Is one of the DCs your PDC emulator? Normally, if a user attempts to authenticate to a DC with an incorrect password (error code 3221225578), that DC will redirect the authentication to the PDC emulator for an "authoratative" response. This covers the case where a user's password has changed but not fully replicated to all DCs. The PDC emulator would know about the change, so checking there would validate the login attempt or reject it if appropriate. Hunter From: Creamer, Mark [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 12:03 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] account lockout troubleshooting Hi folks, I have been trying to troubleshoot some lockout events. In every case, the event originates on the user's own workstation (not some other user). There are no associated file object failures on the primary file server. It seems like it is application-based, but I can't nail it down. I've been using Microsoft's AL tools, including EventCombMT, but I can't use the acctinfo.dll because the clients are Win9x. Today I noticed for the first time that on 2 DCs, the exact same 5 login failures occurred (one example follows): 681,AUDIT FAILURE,Security,Tue Oct 07 13:13:38 2003,NT AUTHORITY\SYSTEM,The logon to account: MYUSER by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: \\HIS_PC failed. The error code was: 3221225578 I was concerned that I didn't think it is normal that 2 DCs would log the same 5 logon failures at exactly the same times. What do you think? Thanks, Mark Creamer Systems Engineer Cintas Corporation http://www.cintas.com Honesty and Integrity in Everything We Do List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
