You won't be happy until you increase the limit of the nr for bad pw
attempts.  There are multiple reasons for PW lockouts, a lot of them related
to replication latency in AD.  Next to mapped drives, disconnected Terminal
Services sessions are also good caveats.  

Some of this is fixed with SP3 but what really fixed it for us was to
increase from 5 to 10 bad pw attempts on the Domain policy.  This won't
really increase your risk for attacks, as many more attempts are needed to
crack the passwords.  It will, however, decrease your problems to a VERY
large extent (i.e. for a specific location with 5000 users, where we had
90-150 helpdesk calls per day due to pw lockouts after resetting the pw, it
went down to 10 calls, after we increased the bad pw attempts to 10 tries.)

MS generally recommends to allow 10-15 bad passwords.

/Guido

-----Original Message-----
From: Chuck [mailto:[EMAIL PROTECTED] 
Sent: Monday, 24 March 2003 19:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account Lockout after password reset


  All Windows 2000, and the only mapped drive is their H drive (Share
Drive), which is loaded through the profile, not "Mapped as another
user".

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 24, 2003 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account Lockout after password reset


Are they using Windows 98 or 95? If so do they have any drives mapped?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck
Sent: Monday, March 24, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockout after password reset


  Hello,
I have had a few users where I work reset their password and they didn't
reboot the computer and it locks them out after a while. I look at their
account and see 5 bad passwords (our GPO is set for 5). The strange thing
is I can unlock their account and they can get in to their mail, network
drive and other network resources and not show any bad passwords, but
after a few hours and sometimes not until the next day it will lock them
out again.
 
I watch their authenticating domain controller for bad passwords after I
unlock them and I don't see any bad passwords, sometimes a few bad
passwords will show up after a few hours but I talk to the user and they
haven't done anything on the computer. And when they come in the next
day, they will be locked out with 5 bad passwords. It's not specific
with the company because I've had it happen to me on my home Win2K
domain. I finally solved my problem by resetting the password on the
Computer, not through the MMC and rebooting. The problem at work is if
the user resets their password they can't reset it for 5 days.
 
Any ideas, or has anyone else encountered this? I've searched Microsoft
high and low and can't find anything specific.
 
Regards,
  Chuck
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
