|
Hi guys, Your topic could not have come at a better
time. In the last few days, a few users in the domain have been complaining about
their accounts being locked out every morning. At first I thought, someone had
been snooping within the network. Since our company uses first name.last name as usernames, it is not that hard to lock
someone out after 5 unsuccessful tries. What I did not know is that these new
users had relocated from another location. A system admin added their wk stations
to our domain. Also drives were mapped to another server, located in different
domain in order to get an application to work. Now that you guys mention how
persistent drives could be the culprit, I am wondering if same passwords in two
separate domains would solve this problem. Can someone confirm my idea or give a
better answer? George Arezina BA, A+, Net+, MCSE 2000 Information Technology
Consultant National Bank of Pop Lukina 7-9, 11000 * E-mail: [EMAIL PROTECTED] ( Phone:+381 (11) 3202-474 ( GSM: +381 (63) 342-321 -----Original Message----- I've seen this, as Mike
said, with persistent drives mapped. Also with scheduled tasks using an old
password. Hunter From: Creamer,
Mark [mailto:[EMAIL PROTECTED] Yep, one is the PDCE.
That would explain the same event at the same time on 2 DCs. But here's the
strange thing. The users log on successfully. They work with no problem for a
while with apps running like Outlook (to Exchange 2000), IE, open Office files
on a file server, etc. Suddenly they can't work anymore - again, just as if
someone else was locking out the account. But the events are coming from the
user's own PC only. <mc> -----Original Message----- Is one
of the DCs your PDC emulator? Normally, if a user attempts to authenticate to a
DC with an incorrect password (error code 3221225578), that DC will redirect
the authentication to the PDC emulator for an "authoratative"
response. This covers the case where a user's password has changed but not fully
replicated to all DCs. The PDC emulator would know about the change, so
checking there would validate the login attempt or reject it if appropriate. Hunter From: Creamer,
Mark [mailto:[EMAIL PROTECTED] Hi folks, I have been trying to troubleshoot
some lockout events. In every case, the event originates on the user's own workstation
(not some other user). There are no associated file object failures on the
primary file server. It seems like it is application-based, but I can't nail it
down. I've been using Microsoft's AL tools, including EventCombMT, but I can't
use the acctinfo.dll because the clients are Win9x. Today I noticed for the first time
that on 2 DCs, the exact same 5 login failures occurred (one example follows): 681,AUDIT FAILURE,Security,Tue Oct
07 13:13:38 2003,NT AUTHORITY\SYSTEM,The logon to account: MYUSER
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation:
\\HIS_PC failed. The error code was:
3221225578 I was concerned that I didn't think
it is normal that 2 DCs would log the same 5 logon failures at exactly the same
times. What do you think? Thanks, Mark Creamer |
<<image001.jpg>>
