Discussion in 'Windows Server' started by Tom Edelbrok, May 15, 2008.

    Tom Edelbrok (Guest)

    To all,

    We have a Server 2003 network (2 Domain Controllers, 3 member servers, and
    about 60 Windows XP SP2 clients). About 3 months ago we noticed that the
    occasional user would get into a lockout problem after having changed their
    expiring password successfully. What happens is that after changing their
    password they can run fine for a while (even logging out and back in), but
    then all of a sudden their account gets locked out. However, they haven't
    done anything to lock it out (i.e. they haven't put in a bad password three
    times in succession). We unlock their account and they work fine for a day
    or so, then boom - it happens again. It occurs while they are already logged
    in, i.e. Internet Explorer starts looking for authentication, and their
    Outlook client (for Exchange Server 2003) also looks for authentication.
    Neither of these should be asking because they are logged in via Active
    Directory, and secondly, Internet Explorer uses LDAP authentication via a
    Linux box to authenticate against Active Directory. It only affects a few
    people, but it affects them so severely that we have to get a solution to
    the problem.

    The only solution we've come up with is to rebuild the user's PC (wipe the
    drive and re-install XP). Then they are fine.

    We speculate that there must be some background processes (i.e. a Java
    update checker, or who knows what) that are going out to the web to search
    for updates, and are somehow using the user's old password (i.e. from before
    they changed it). Perhaps this 'old' password is encrypted and stored in the
    registry someplace based upon the last time a process was successful in
    accessing the web. If these background processes are failing to authenticate
    a number of times then that would explain the user being locked out while
    they're currently logged in.

    Does this make sense? Does anyone else have any ideas? Has anyone else seen
    a problem like this?

    Tom Edelbrok
    Tom Edelbrok, May 15, 2008
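    The first thing to establish with a lockout like the one described above is which machine is sending the bad passwords, because the domain controller records that in the lockout event. The script below is an added example, not code from anyone in this thread: it reads lockout events from a domain controller and groups them by locked account and calling computer. It assumes PowerShell 3.0 or later on a machine that can read the DC's Security log, and uses event ID 4740 (the lockout event on Server 2008 and later; on Server 2003 the equivalent event is 644). The DC name "DC01" is a placeholder.

```powershell
# Added example: locate the source of account lockouts from DC Security events.
# Assumptions: PowerShell 3.0+, rights to read the DC Security log remotely,
# Server 2008 or later on the DC (event 4740; Server 2003 logs event 644 instead).
param(
    [string]$DomainController = 'DC01',   # placeholder DC name
    [string]$UserName = '*',              # sAMAccountName to filter on, * for all
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

# The PDC emulator is notified of every lockout in the domain, so it is the
# best DC to query; a lockout will also appear on the DC that processed it.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Parse the message text rather than relying on property ordering. The
    # locked account is listed under "Account That Was Locked Out"; the
    # "Caller Computer Name" is the machine that submitted the bad passwords.
    $acct = if ($e.Message -match 'Account That Was Locked Out:[\s\S]*?Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
    $caller = if ($e.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { '?' }
    if ($acct -like $UserName) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $acct
            Caller  = $caller
        }
    }
}

# Chronological view of the lockouts.
$rows | Sort-Object Time | Format-Table -AutoSize

# Summary: one caller locking the same account over and over points at a
# stale stored credential or mapping on that machine, not at the user.
$rows | Group-Object Account, Caller |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

    If the caller is the user's own workstation, the speculation above about a background process replaying the old password is the likely explanation; if the caller is a different host (a server the user had a mapped drive or scheduled task on), that host is where the stale credential lives.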

    Adrian

    Try this the next time it happens

    1) remove passwords by clicking on Start => Run => type "rundll32.exe
    keymgr.dll, KRShowKeyMgr" and then delete the Domain-related passwords;
    2) remove passwords in Internet Explorer => Tools => Internet Options =>
    Content => Personal Information => Auto Complete => Clear Passwords;
    3) Delete cookies in Internet Explorer => Tools => Internet Options =>
    4) Disconnect (note the path before disconnecting) all network drives,
    reboot, then map them again;

    More often than not it is an explicit drive mapping.
    Adrian, May 15, 2008
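    Steps 1 and 4 of the procedure above can be done from a script, which also records what was removed so the drives can be put back after the reboot. The script below is an added example, not Adrian's or Microsoft's code: it lists stored credentials and mapped drives, and only removes them when run with -Apply. It assumes cmdkey.exe is available (it ships with Windows Server 2003 and with Vista and later; on XP the keymgr.dll dialog from step 1 is the equivalent), Windows PowerShell with Get-WmiObject, that it runs in the affected user's session, and that the domain's NetBIOS name is CORP (a placeholder). The Internet Explorer steps (2 and 3) are left to the dialogs in the post.

```powershell
# Added example: review, then remove, stored domain credentials and mapped
# drives that may be replaying an old password. Nothing is changed without -Apply.
# Assumptions: cmdkey.exe present, Windows PowerShell (Get-WmiObject),
# run as the affected user, domain NetBIOS name CORP (placeholder).
param(
    [string]$Domain = 'CORP',
    [string]$DriveBackup = "$env:USERPROFILE\mapped-drives.csv",
    [switch]$Apply
)

# 1) Stored credentials: the same store the keymgr.dll dialog shows.
#    cmdkey /list prints a "Target:" line followed by "Type:" and "User:" lines.
$creds = @()
$current = $null
foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s+(.+)$') {
        $current = [pscustomobject]@{ Target = $Matches[1].Trim(); User = '' }
        $creds += $current
    } elseif ($current -and $line -match '^\s*User:\s+(.+)$') {
        $current.User = $Matches[1].Trim()
    }
}
# Domain-related = saved for a DOMAIN\user account or for a target in the domain.
$domainCreds = $creds | Where-Object { $_.User -like "$Domain\*" -or $_.Target -like "*$Domain*" }

Write-Host "Stored domain credentials:"
$domainCreds | Format-Table Target, User -AutoSize

# 4) Mapped drives: note drive letter and UNC path before disconnecting.
$drives = Get-WmiObject -Class Win32_MappedLogicalDisk | Select-Object DeviceID, ProviderName
$drives | Export-Csv -Path $DriveBackup -NoTypeInformation
Write-Host "Mapped drives (saved to $DriveBackup):"
$drives | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host "Dry run only. Re-run with -Apply to delete the entries above."
    return
}

foreach ($c in $domainCreds) {
    # The target string is deleted exactly as cmdkey /list reported it.
    cmdkey /delete:$($c.Target) | Out-Null
}
foreach ($d in $drives) {
    net use $d.DeviceID /delete /y | Out-Null
}
Write-Host "Removed. Reboot, then re-map from the CSV, e.g.:"
Write-Host "  Import-Csv '$DriveBackup' | ForEach-Object { net use `$_.DeviceID `$_.ProviderName /persistent:yes }"
```

    Running it once without -Apply and keeping the output is worth doing before the cleanup: a credential saved for a server name, or a persistent mapping to a share, that shows up here is usually the "explicit drive mapping" the post refers to, and it tells you which host to check in the DC lockout events.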

    JohnB

    Are you saying Outlook does prompt for username/password? Normally that
    happens when the cached password doesn't match the password in AD.
    Almost sounds like a problem with AD replication.

    Try disabling cached credentials in a GPO:
    Computer Configuration, Windows Settings, Local Policy, Security Options;
    set "Interactive Logon: Number of previous logons to cache (in case
    domain controller is not available)" to 0 logons (from the default of 10).
    JohnB, May 15, 2008
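    The policy setting named above is stored on each client as the REG_SZ value CachedLogonsCount under the Winlogon key, so whether the GPO has actually reached a workstation can be checked there. The functions below are an added example, not JohnB's or Microsoft's code; they assume Windows PowerShell running with local administrator rights on the client, and that 0 is the value the GPO is meant to enforce.

```powershell
# Added example: verify the "Number of previous logons to cache" setting on a
# client. Assumptions: Windows PowerShell, local admin rights, expected value 0.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # The value is a string in the registry; an absent value means the
    # built-in default of 10 applies.
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v) { 10 } else { [int]$v }
}

function Test-CachedLogonsPolicy {
    param([int]$Expected = 0)
    $actual = Get-CachedLogonsCount
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Actual    = $actual
        Expected  = $Expected
        Compliant = ($actual -eq $Expected)
    }
}

Test-CachedLogonsPolicy -Expected 0 | Format-Table -AutoSize

# If Compliant is False, force a policy refresh and re-check:
#   gpupdate /target:computer /force
```

    Two points to keep in mind when rolling this out: with 0 cached logons a laptop that cannot reach a domain controller cannot log on at all, so the setting is normally scoped to desktops; and this cache only covers interactive domain logons, so credentials saved separately by applications (the keymgr.dll store and persistent drive mappings from the earlier reply) are unaffected by it and still need to be cleared on their own.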
