test msg ----- Original Message ----- From: "Humberd Greg" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, October 08, 2003 2:06 PM Subject: RE: [ActiveDir] account lockout troubleshooting
> Also if the client is 2k or XP check for stored network passwords. > > -----Original Message----- > From: Free, Bob [mailto:[EMAIL PROTECTED] > Sent: Wednesday, October 08, 2003 3:56 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] account lockout troubleshooting > > > Checked for an AT job running under the old creds? Seen that often. > > -----Original Message----- > From: Creamer, Mark [mailto:[EMAIL PROTECTED] > Sent: Wednesday, October 08, 2003 12:30 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] account lockout troubleshooting > > > Yep, one is the PDCE. That would explain the same event at the same time on > 2 DCs. But here's the strange thing. The users log on successfully. They > work with no problem for a while with apps running like Outlook (to Exchange > 2000), IE, open Office files on a file server, etc. Suddenly they can't work > anymore - again, just as if someone else was locking out the account. But > the events are coming from the user's own PC only. > > <mc> > -----Original Message----- > From: Coleman, Hunter [mailto:[EMAIL PROTECTED] > Sent: Wednesday, October 08, 2003 3:17 PM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] account lockout troubleshooting > > Is one of the DCs your PDC emulator? Normally, if a user attempts to > authenticate to a DC with an incorrect password (error code 3221225578), > that DC will redirect the authentication to the PDC emulator for an > "authoratative" response. This covers the case where a user's password has > changed but not fully replicated to all DCs. The PDC emulator would know > about the change, so checking there would validate the login attempt or > reject it if appropriate. > > Hunter > > > > > From: Creamer, Mark [mailto:[EMAIL PROTECTED] > Sent: Wednesday, October 08, 2003 12:03 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] account lockout troubleshooting > Hi folks, > I have been trying to troubleshoot some lockout events. In every case, the > event originates on the user's own workstation (not some other user). There > are no associated file object failures on the primary file server. It seems > like it is application-based, but I can't nail it down. I've been using > Microsoft's AL tools, including EventCombMT, but I can't use the > acctinfo.dll because the clients are Win9x. > > Today I noticed for the first time that on 2 DCs, the exact same 5 login > failures occurred (one example follows): > > 681,AUDIT FAILURE,Security,Tue Oct 07 13:13:38 2003,NT AUTHORITY\SYSTEM,The > logon to account: MYUSER by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 > from workstation: \\HIS_PC failed. The error code was: 3221225578 > > I was concerned that I didn't think it is normal that 2 DCs would log the > same 5 logon failures at exactly the same times. What do you think? > > Thanks, > > Mark Creamer > Systems Engineer > Cintas Corporation > http://www.cintas.com > Honesty and Integrity in Everything We Do > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
