I seem to recall seeing something similar a while back. The
memories are somewhat hazy but I think it was trying to connect
itself to some program that automatically logged in - happened
after user had changed his password. The old password kept being
used for the login attempts so once it reached three, ka-boom!
(I'm thinking it might have been connected with either oracle
-gotta love troubleshooting those three tier apps - or citrix.)
Definitely check the services/drive connections in scripts/autologons
to other programs on the machine.
Also, I should probably mention the "flush local profiles" and/or
"delete/recreate account because it's gotten corrupted somehow"
options.
Charlotte Blackmer
Senior LAN Admin, Server Services Team
Alameda County Information Technology
Email: [EMAIL PROTECTED]
Voice: 510-208-4908
----------Original Message--------------------
Subject: RE: ID Monitoring??
From: "Winsor, Marc [IBM]" <[EMAIL PROTECTED]>
Date: Wed, 22 Aug 2001 09:12:21 -0500
X-Message-Number: 20
We have changed his password to what he thinks it is but it hasn't helped.
I don't believe he has installed a service with a different password but
I'll double check. We are auditing bad logons but he doesn't have them
showing up. He can log in fine once his password is unlocked. He is fine
for awhile, then gets locked out again while he is working.
-----Original Message-----
From: Kelly Borndale [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 22, 2001 9:21 AM
Why not just change the password to what he thinks he it is? Is he able to
login at all? Are you able to see where the bad logins are coming from?
Could he have possibly installed a service on the win2k machine using a
different password?
----- Original Message -----
From: Winsor, Marc <mailto:[EMAIL PROTECTED]> [IBM]
To: NT System Admin <mailto:[EMAIL PROTECTED]> Issues
Sent: Wednesday, August 22, 2001 9:00 AM
Subject: ID Monitoring??
I have a user who is constantly getting locked out of his account. He
claims that he isn't typing in a bad password 3 times (the lockout number)
but that it just suddenly happens. What is the best way to monitor his ID
to determine what and when the bad password attempts are happening? In
checking through the event logs on the BDC's I don't see anything, or else
I'm not recognizing it for what it is.
I am in an NT4 domain. We have multiple BDC's. The user is having this
problem when they log on locally to the network and also when RASing in.
They have 2 machines, a W2K and a Win98 machine that they use.
Any help is appreciated.
Marc
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
