Does the user have any manually mapped network drives?

After a password change, we found that manually mapped drives tried to
reconnect using the old password and eventually locked the account out.
Deleting the mappings corrected the problem.

Mark R.

> -----Original Message-----
> From: Collin Douglas [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 26, 2002 9:45 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: NT4 Account keeps getting locked out!
> 
> 
> I've seen this before and it was generally something like a service that was
> running as that user but logging in with the incorrect ID.
> 
> Also, I've seen Outlook Web Access do this.  A browser window is closed, as
> opposed to using the "Log Off" button so they don't get logged out and the
> OWA server constantly pounds the DCs trying to log the person in.  If
> they've changed their password recently, then OWA pounds away with the
> incorrect password and causes lockouts.
> 
> Bouncing the OWA box generally took care of the problem.
> 
> Anyway, the first thing to do is check the event viewer on your PDC.  Under
> the security area, there should be an entry in there showing when the user
> was locked out and what machine they were trying to log in from when they
> were locked out.
> 
> The message will show up as a "success audit" in the logs.  The following is a
> snippet from our logs with the details changed.
> 
> User Account Locked Out:
>       Target Account Name:    personwhoforgetspassword
>       Target Account ID:      B-L-A-H0-BLAHBLAH0-yackity00-smackity00-0000
>       Caller Machine Name:    \\machineofpersonwhoforgetspassword
>       Caller User Name:       SYSTEM
>       Caller Domain:  NT AUTHORITY
>       Caller Logon ID:        (0x0,0x773
> 
> 
> Anyway, find the user's name in the Target Account Name and go to the Caller
> Machine Name and concentrate your efforts on that machine.
> 
> Basically, I doubt very seriously that there is someone doing this
> intentionally but you never know.  Good luck.  Let us know how it works out.
> 
> Collin Douglas
> Senior Network Administrator
> MidFirst Bank
> 
> 
> -----Original Message-----
> From: Lists
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: 6/24/02 12:40 PM
> Subject: NT4 Account keeps getting locked out!
> 
> 
> Network info: 
> 
> NT 4 server network with W2KPro clients.   
> 
> 
> Situation: 
> 
> We have a user that keeps getting their NT account locked out for
> reasons that we are not yet aware of.  Unable to get much info from Event
> Viewer on NT4 servers or W2KPro client.  Don't know if this is being
> done by someone intentionally (somewhere on the network or from the
> client's computer) just to give us a hard time, or a rogue program
> somewhere on the network or client's computer trying to logon as that
> user.  At this time, we are not ruling anyone out, everyone is suspect.
> We have replaced the client's computer (not totally, user copied
> shortcuts and some files back to the new desktop...I know, if it was up
> to me they would not have been allowed to do this, but it's not up to
> me) and the account is still getting locked out.  We are in the process
> of creating a new NT account for this user and see if it still occurs.
> 
> 
> Bottom Line: 
> 
> We need to find out what is causing this account to get locked out and
> prevent it from happening again. 
> 
> 
> Some thoughts: 
> 
> Is there third party software that will be able to determine what is
> causing this account to get locked out?  Some sort of sniffing program
> on the server or the client to find out what program is trying to logon
> with this account and from where?
> 
> If this is a user doing this intentionally, what are they doing and from
> where?  Are they trying to connect remotely to the client's registry, or
> to a share on the client computer?
> 
> Is there third party software that can help? 
> 
> Any suggestions/recommendations welcome. 
> 
> 
> 
> Thanks, 
> Jack
> 
> 
> 
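
The log check Collin describes above, as an added example that is not part of the original thread: it parses "User Account Locked Out" records in the layout he quotes and counts, for one account, which Caller Machine Name the lockouts come from. It goes beyond the single quoted record by handling many records, wrapped values and mail-quoted copies; it assumes the event descriptions were pasted into plain text, and the account and machine names in the sample are constructed.

```python
import re
from collections import Counter
# Constructed sample in the layout quoted in the thread; all names are made up.
SAMPLE = r"""
User Account Locked Out:
      Target Account Name:    jdoe
      Target Account ID:
S-CONSTRUCTED-1
      Caller Machine Name:    \\WKSTN-042
User Account Locked Out:
      Target Account Name:    asmith
      Caller Machine Name:    \\WKSTN-007
User Account Locked Out:
      Target Account Name:    JDoe
      Caller Machine Name:    \\owa-01
User Account Locked Out:
      Target Account Name:    jdoe
      Caller Machine Name:    \\wkstn-042
"""

FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_lockouts(text):
    """Split pasted event text into one dict of fields per lockout record."""
    records, key = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # tolerate mail-quoted copies
        if line.startswith("User Account Locked Out"):
            records.append({})
            key = None
        elif records and line:
            m = FIELD.match(line)
            if m:
                key = m.group(1).strip()
                records[-1][key] = m.group(2)
            elif key and not records[-1][key]:
                records[-1][key] = line  # value wrapped onto the next line
    return records

def lockout_sources(records, account):
    """Count lockouts of `account` per caller machine, busiest first."""
    hits = Counter()
    for r in records:
        if r.get("Target Account Name", "").lower() == account.lower():
            hits[r.get("Caller Machine Name", "?").lstrip("\\").upper()] += 1
    return hits.most_common()

if __name__ == "__main__":
    print(lockout_sources(parse_lockouts(SAMPLE), "jdoe"))
```

The machine at the top of the list is the one to inspect first for stale drive mappings, services running as the user, or a lingering OWA session, the causes named in the thread.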
