RE: [ActiveDir] Account lockouts
Hi,

For the event ID 1083 see Q296714 and Q306091. Those may be of some help.

Regards,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robbie Foust
Sent: Friday, March 12, 2004 04:28
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Account lockouts

Hi,

Actually, this brings up a question I've wanted to ask for some time. Why does Event ID 1083 get logged when an account is locked out? I'm trying to understand what exactly is causing the "directory is busy" message.

Thanks!

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Mike Hogenauer wrote:
> Question,
>
> We have 3 domain controllers in a single forest, single Domain environment running windows 2000 Server. I have 2 Domain Accounts that constantly get locked out. I keep getting this error, even after checking LDAP for duplicate accounts, I've moved the user account to a different OU and forced replication, etc. Also checked Microsoft KB, tried all suggestions. I've also had the user log off all terminal sessions, manually change the account password and then forced replication. I'm close to deleting and recreating the account.
>
> Thanks in advance for any help!
>
> Mike
>
> Event Type: Warning
> Event Source: NTDS Replication
> Event Category: Replication
> Event ID: 1083
> Date: 3/10/2004
> Time: 2:37:32 PM
> User: Everyone
> Computer: AD1
> Description:
> Replication warning: The directory is busy. It couldn't update object CN=,CN=Users,DC=Domain,DC=com with changes made by directory 800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try again later.
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Account lockouts
All Clients are either Windows 2000 Pro or XP Pro. XP Pro is on the Client I'm most worried about...

-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 11, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account lockouts

Mike, what OS is the client running?
RE: [ActiveDir] Account lockouts
You need to enable

Audit Account Logon Events - Failures
Audit Logon Events - Failures

Then dig through your logs looking for 681, 529, 675

@echo off
echo %computername%
echo.
set file=%computername%.csv
if not %2*==* set file=%2
@echo Writing file - %file%
dumpel -l security -m security -e 681 529 675 -d %1 -c -format dtTCIus -f %file%

Now parse through those entries looking for logon failures. You should see some sort of failures, a quick and dirty perl script I have to tear through is below. Your mileage may vary but has helped us track every lockout down to a machine so far... It does its job and it is a job we don't have to do very often anymore so I haven't looked at cleaning up the code or making it nice or tight or anything else.

If you look on the PDC and it points at another DC that generally means it is a pdc-chain so you need to dump the logs on that DC and scan them as well.

I usually run this script like

Getinfo domaincontroller.csv | findstr /I "userid"

#!/usr/bin/perl
# Parse dumpel CSV output (-c -format dtTCIus) for events 681, 529 and 675
# and print one line per failure: date;time;event;error;domain\user;workstation
use strict;
use warnings;

while (<>) {
    chomp;
    s/\\//g;                          # strip backslashes so DOMAIN\user splits cleanly
    my @a = split /,/;
    my ($date, $time, $code) = ($a[0], $a[1], $a[4]);
    my $idfield = defined $a[7] ? $a[7] : "";
    my ($user, $domain, $workstation, $error) = ("", "", "", "");

    if ($code eq '681') {
        # NTLM logon failure: package, user, workstation, status code
        if ($idfield =~ /MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\s+([`=\$\w\.-]+?)\s+([`=\$ \w\.-]+?)\s+(\d+)/i) {
            ($domain, $user, $workstation, $error) = ("local", $1, $2, $3);
        } else {
            print "\aNOMATCH: $_\n";
            next;
        }
    } elsif ($code eq '675') {
        # Kerberos pre-authentication failure: user, krbtgt/REALM, client address
        if ($idfield =~ /([`=\$\w\.-]+?)\s+.+?krbtgt\/(\S+).+\s+([0-9.]+)/i) {
            ($domain, $user, $workstation, $error) = ($2, $1, $3, "---");
        } else {
            print " $idfield\n";
        }
    } elsif ($code eq '529') {
        # Unknown user name or bad password; the three shapes seen in the field
        if ($idfield =~ /([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+3 (NtlmSsp|Advapi)\s+.+\s+([`=\$\w\.-]+)/i) {
            ($domain, $user, $workstation, $error) = ($2, $1, $4, $3);
        } elsif ($idfield =~ /([`=\$\w\.-]+?)\s+3 (NtlmSsp|Advapi).+\s+([`=\$\w\.-]+)/i) {
            ($domain, $user, $workstation, $error) = ("local", $1, $3, $2);
        } elsif ($idfield =~ /([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+2 User32 .+\s+([`=\$\w\.-]+)/i) {
            ($domain, $user, $workstation, $error) = ($2, $1, $3, "User32");
        } else {
            print "\aNOMATCH: $idfield\n";
            next;
        }
    } else {
        print "[$_]\n";
    }
    print "$date;$time;$code;$error;$domain\\$user;$workstation\n";
}

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Thursday, March 11, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account lockouts

Question,

We have 3 domain controllers in a single forest, single Domain environment running windows 2000 Server. I have 2 Domain Accounts that constantly get locked out. I keep getting this error, even after checking LDAP for duplicate accounts, I've moved the user account to a different OU and forced replication, etc. Also checked Microsoft KB, tried all suggestions. I've also had the user log off all terminal sessions, manually change the account password and then forced replication. I'm close to deleting and recreating the account.

Thanks in advance for any help!

Mike

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083
Date: 3/10/2004
Time: 2:37:32 PM
User: Everyone
Computer: AD1
Description:
Replication warning: The directory is busy. It couldn't update object CN=,CN=Users,DC=Domain,DC=com with changes made by directory 800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try again later.
RE: [ActiveDir] Account lockouts
Robbie Foust <> mused on Thursday, March 11, 2004 7:28 PM:
> Hi,
>
> Actually, this brings up a question I've wanted to ask for some time.
> Why does Event ID 1083 get logged when an account is locked out? I'm
> trying to understand what exactly is causing the "directory is busy"
> message.

If it's just randomly occurring, as far as lockouts go, I'd chalk it up to collisions caused by urgent replication

http://support.microsoft.com/default.aspx?scid=kb;EN-US;306091

The following events may be logged if immediate replication is triggered (for example, by an urgent replication for a user lockout condition) and collides with the local Active Directory update:

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083
Description: Replication warning: The directory is busy. It couldn't update object CN=... with changes made by directory GUID._msdcs.domain. Will try again later.
Re: [ActiveDir] Account lockouts
Hi,

Actually, this brings up a question I've wanted to ask for some time. Why does Event ID 1083 get logged when an account is locked out? I'm trying to understand what exactly is causing the "directory is busy" message.

Thanks!

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Mike Hogenauer wrote:
> Question,
>
> We have 3 domain controllers in a single forest, single Domain environment running windows 2000 Server. I have 2 Domain Accounts that constantly get locked out. I keep getting this error, even after checking LDAP for duplicate accounts, I've moved the user account to a different OU and forced replication, etc. Also checked Microsoft KB, tried all suggestions. I've also had the user log off all terminal sessions, manually change the account password and then forced replication. I'm close to deleting and recreating the account.
>
> Thanks in advance for any help!
>
> Mike
>
> Event Type: Warning
> Event Source: NTDS Replication
> Event Category: Replication
> Event ID: 1083
> Date: 3/10/2004
> Time: 2:37:32 PM
> User: Everyone
> Computer: AD1
> Description:
> Replication warning: The directory is busy. It couldn't update object CN=,CN=Users,DC=Domain,DC=com with changes made by directory 800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try again later.
Re: [ActiveDir] Account lockouts
If you have security logging enabled use eventcombmt

http://support.microsoft.com/default.aspx?scid=kb;en-us;824209

On Mar 11, 2004, at 2:02 PM, Lou Vega wrote:

> Another thing to check is that that user (or users) do not have any services running (or attempting to run) using those accounts. I've seen that happen before. What happens is they change their user account password but forget to update it in the services property page - then the service just bangs away at it with the old one.
>
> r/
> Lou
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
> Sent: Thursday, March 11, 2004 1:39 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Account lockouts
>
> Question,
>
> We have 3 domain controllers in a single forest, single Domain environment running windows 2000 Server. I have 2 Domain Accounts that constantly get locked out. I keep getting this error, even after checking LDAP for duplicate accounts, I've moved the user account to a different OU and forced replication, etc. Also checked Microsoft KB, tried all suggestions. I've also had the user log off all terminal sessions, manually change the account password and then forced replication. I'm close to deleting and recreating the account.
>
> Thanks in advance for any help!
>
> Mike
>
> Event Type: Warning
> Event Source: NTDS Replication
> Event Category: Replication
> Event ID: 1083
> Date: 3/10/2004
> Time: 2:37:32 PM
> User: Everyone
> Computer: AD1
> Description:
> Replication warning: The directory is busy. It couldn't update object CN=,CN=Users,DC=Domain,DC=com with changes made by directory 800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try again later.

Brent Westmoreland
BMW Group - Data Center Americas
Business: 864.989.6567
RE: [ActiveDir] Account lockouts
I should have expanded on my reason for asking about the clients. As soon as we went to SP4, we were getting a lot of these lockouts, all on Win9x clients (we don't have any NTW). W2K and above were fine. I called MS Support and they gave me a new version of the AD Client. With that installed, the problem was fixed. No issues since. Sup Services said this new version of the client fixed "a lot" of lockout issues.

Obviously, this isn't the solution if Mike only has W2K and/or WXP clients.
RE: [ActiveDir] Account lockouts
Mike, what OS is the client running?
[ActiveDir] Account lockouts
Question,

We have 3 domain controllers in a single forest, single Domain environment running windows 2000 Server. I have 2 Domain Accounts that constantly get locked out. I keep getting this error, even after checking LDAP for duplicate accounts, I've moved the user account to a different OU and forced replication, etc. Also checked Microsoft KB, tried all suggestions. I've also had the user log off all terminal sessions, manually change the account password and then forced replication. I'm close to deleting and recreating the account.

Thanks in advance for any help!

Mike

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083
Date: 3/10/2004
Time: 2:37:32 PM
User: Everyone
Computer: AD1
Description:
Replication warning: The directory is busy. It couldn't update object CN=,CN=Users,DC=Domain,DC=com with changes made by directory 800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try again later.
RE: [ActiveDir] Account Lockouts
I didn't notice if you mentioned whether the client is Win2K, or Win9x or... If Win9x, Microsoft has a new version of the DS client that can be installed which resolves this problem. You have to contact Professional Services to get it.

Mark
RE: [ActiveDir] Account Lockouts
It is very likely that this account is being used as a service account and the password was changed or the service was configured with an incorrect password for this account. Another possible culprit is a scheduled task. Enabling netlogon logging will help you, as described in the Account Lockout and Management Tools article I posted here last week. This is where I would start.

If your Forest is not huge, I have a vbscript that can go through all the computers in your forest and find if there is a service configured to use this account. The script makes WMI calls to each computer object and queries it, so it is not very fast. Email me offline if you are interested.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Mike Hogenauer
Sent: Tue 10/21/2003 1:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts

I am having a weird lockout problem with just one account (which at this time cannot be deleted and re created). The account seems to lock itself out approximately every 20 or 30 minutes. I've tried using LDP.exe and binding to the Domain controller from where I get the event error to see if there are any duplicate entries in AD, none show up. I've also disabled any account lockout policy and this is the only account in the domain that is having the problem.

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083

I've also moved the account to another OU and forced replication, still after about 20 or 30 minutes the account becomes locked out again.

Any suggestions? Thanks in advance.

Mike Hogenauer
SR. Systems Admin
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2148 | Fax: 425.497.1149
RE: [ActiveDir] Account Lockouts
This webcast has tips that are very helpful for troubleshooting account lockouts:

http://support.microsoft.com/default.aspx?kbid=813500

Kind of long, but well worth it.

Hunter

From: Mike Hogenauer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 21, 2003 2:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts

I am having a weird lockout problem with just one account (which at this time cannot be deleted and re created). The account seems to lock itself out approximately every 20 or 30 minutes. I've tried using LDP.exe and binding to the Domain controller from where I get the event error to see if there are any duplicate entries in AD, none show up. I've also disabled any account lockout policy and this is the only account in the domain that is having the problem.

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083

I've also moved the account to another OU and forced replication, still after about 20 or 30 minutes the account becomes locked out again.

Any suggestions? Thanks in advance.

Mike Hogenauer
SR. Systems Admin
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2148 | Fax: 425.497.1149
[ActiveDir] Account Lockouts
I am having a weird lockout problem with just one account (which at this time cannot be deleted and re created). The account seems to lock itself out approximately every 20 or 30 minutes. I've tried using LDP.exe and binding to the Domain controller from where I get the event error to see if there are any duplicate entries in AD, none show up. I've also disabled any account lockout policy and this is the only account in the domain that is having the problem.

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083

I've also moved the account to another OU and forced replication, still after about 20 or 30 minutes the account becomes locked out again.

Any suggestions? Thanks in advance.

Mike Hogenauer
SR. Systems Admin
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2148 | Fax: 425.497.1149
RE: [ActiveDir] Account Lockouts
This type of problem is easily solved if you've set the DBFlag for logon events for netlogon. Otherwise it is almost impossible to track in an environment with NT Desktops -- the event ends up in the event logs of the offending desktop, not the DC. In an environment with 9x desktops, this is still difficult to track, since the events can be in the logs of any DC, but are not centralized. Debugging netlogon solves all that, and is fairly easy -- only requiring a registry change on 2000 DCs. Here are relevant articles --

http://support.microsoft.com/default.aspx?scid=kb;en-us;189541
http://support.microsoft.com/default.aspx?scid=kb;en-us;109626

Additionally, you will need to set up some method to recover the netlogon text files and to make certain the DCs hard drive doesn't get filled by them. The following is a script to move the netlogon.log file when it fills. My apologies if this gets poorly formatted in email ---

'Script to move a NETLOGON.LOG
'file when it reaches a certain size
Option Explicit

'declare variables
Dim FSO                 'FileSystem Object
Dim sSystemRoot         'System Root path
Dim sFilePath           'Full Path to the Netlogon.log file
Dim sWMIFilePath        'Path to Netlogon.log expressed with \\ for WMI
Dim sComputer           'Target Computer
Dim oWMIService         'Windows Management Service Object
Dim colMonitoredEvents  'Collection of monitored events
Dim oLatestEvent        'Trigger instance
Dim lTriggerSize        'Size at which to move the netlogon.log file in bytes
Dim lCurrentSize        'Size of file currently
Dim sTargetName         'Archive file name - based on the lastmodified time of the file
Dim sArchivePath        'Path to archive files
Dim sTempPath           'initial path of renamed but unmoved file
Dim sTargetPath         'Full path of archive file

'initialize variables and objects
sComputer = "."         'local machine
'Path to archive files
sArchivePath = "\\servername\sharename\subfolder"
Set FSO = CreateObject("Scripting.FileSystemObject")
lTriggerSize = 67108864 '64 MB

'The file path is based on the system root
sSystemRoot = FSO.GetSpecialFolder(0)
sFilePath = sSystemRoot & "\debug\netlogon.log"
sWMIFilePath = Replace(sFilePath, "\", "\\")

'Instantiate WMI
Set oWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & _
    sComputer & "\root\cimv2")

'Now create an event sink for when the file is modified
Set colMonitoredEvents = oWMIService.ExecNotificationQuery _
    ("SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE " _
    & "TargetInstance ISA 'CIM_DataFile' and " _
    & "TargetInstance.Name='" & sWMIFilePath & "'")

Do
    Set oLatestEvent = colMonitoredEvents.NextEvent
    'Now determine if the file size is exceeded
    lCurrentSize = CLng(oLatestEvent.TargetInstance.FileSize)
    If lCurrentSize >= lTriggerSize Then
        'Now our criteria are met so begin to manipulate the log
        'first determine the last modified time for use as a filename
        sTargetName = Left(oLatestEvent.TargetInstance.LastModified, 14) & ".log"
        sTempPath = sSystemRoot & "\debug\" & sTargetName
        'Rename the netlogon.log file appropriately
        FSO.MoveFile sFilePath, sTempPath
        'Now move the renamed file
        sTargetPath = sArchivePath & "\" & sTargetName
        FSO.MoveFile sTempPath, sTargetPath
    End If
Loop

-

Then all you need to do is filter the netlogon.log files.

-Patrick R. Sweeney
http://boston.craigslist.org/bos/res/8484283.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayet, Yusuf Y
Sent: Wednesday, April 02, 2003 7:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts

Hi everyone,

I was hoping that someone could help me out with this: We have a mixed environment of W2K DC's and there is a requirement from our Systems Support Centre to track Account Lockouts. As this can take place on any DC I was wondering if someone out there was using a tool to interrogate the directory to retrieve this information from the DC that registers the lockout. At the moment we have a tedious exercise of filtering each DC's log for event ID 644.

Thanks in advance,
Yusuf

Success is: "Set high aspirations in life. The Challenge is in our minds.
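The filtering step Patrick leaves to the reader, as an added Python example that is not part of the thread: it parses the SamLogon "Returns" lines in netlogon.log, counts wrong-password attempts per account and source workstation (keeping the "(via DC)" pdc-chain case separate), and flags accounts the DC reported as locked out. The log lines, account names and the NTSTATUS table are constructed and assumed here, not taken from the thread.

```python
"""Attribute account lockouts to their source from netlogon.log lines.

Added example, not Patrick's code. Assumes the SamLogon line shape
"... logon of DOMAIN\\user from WKS [(via DC)] Returns 0x...";
the sample log below is constructed, not captured from a real DC.
"""
import re
from collections import Counter

# NTSTATUS codes netlogon reports; these are the ones that matter when hunting lockouts.
STATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# One completed SamLogon record. The "DOMAIN:" prefix and "(via DC)" are optional:
# older DCs omit the prefix, and "(via ...)" marks a logon chained from another DC,
# the pdc-chain case where the real source sits in that DC's own log.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[LOGON\] "
    r"(?:\S+: )?SamLogon: (?P<kind>.+?) logon of "
    r"(?P<domain>[^\\ ]+)\\(?P<user>\S+) from (?P<workstation>\S+?)"
    r"(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_netlogon(lines):
    """Yield one dict per 'Returns' line; 'Entered' lines and other chatter are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"], 16)
        rec["status_name"] = STATUS.get(rec["status"], "UNKNOWN")
        yield rec


def lockout_sources(lines):
    """For every account that drew a bad password or a lockout, return which sources
    sent the bad passwords (workstation, plus the relaying DC if any) and whether the
    DC ever answered ACCOUNT_LOCKED_OUT for it. Accounts with neither are left out."""
    report = {}
    for rec in parse_netlogon(lines):
        acct = f"{rec['domain']}\\{rec['user']}".upper()
        entry = report.setdefault(acct, {"bad_passwords": Counter(), "locked_out": False})
        source = rec["workstation"].upper()
        if rec["via"]:
            source += f" (via {rec['via'].upper()})"
        if rec["status"] == 0xC000006A:
            entry["bad_passwords"][source] += 1
        elif rec["status"] == 0xC0000234:
            entry["locked_out"] = True
    return {a: {"bad_passwords": dict(e["bad_passwords"]), "locked_out": e["locked_out"]}
            for a, e in report.items()
            if e["bad_passwords"] or e["locked_out"]}


# Constructed sample (not a real capture): a stale credential on WKS-OLDPW keeps
# failing for jdoe until the DC answers ACCOUNT_LOCKED_OUT at the user's own desk.
SAMPLE_LOG = """\
03/10 14:30:01 [LOGON] SamLogon: Network logon of CORP\\jdoe from WKS-OLDPW Entered
03/10 14:30:01 [LOGON] SamLogon: Network logon of CORP\\jdoe from WKS-OLDPW Returns 0xC000006A
03/10 14:30:31 [LOGON] SamLogon: Network logon of CORP\\jdoe from WKS-OLDPW Returns 0xC000006A
03/10 14:31:01 [LOGON] SamLogon: Transitive Network logon of CORP\\jdoe from WKS-OLDPW (via DC2) Returns 0xC000006A
03/10 14:31:05 [LOGON] SamLogon: Interactive logon of CORP\\jdoe from WKS-DESK Returns 0xC0000234
03/10 14:32:00 [LOGON] SamLogon: Interactive logon of CORP\\asmith from WKS-DESK Returns 0x0
03/10 14:32:10 [MISC] NetpDcGetName: unrelated chatter that the parser must ignore
"""

if __name__ == "__main__":
    for acct, info in lockout_sources(SAMPLE_LOG.splitlines()).items():
        print(acct, info)
```

Run it against the archived files the script above produces (one parse per DC, since each DC only logs the logons it handled) and the "(via ...)" entries tell you which other DC's log to read next.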
Re: [ActiveDir] Account Lockouts
There are a few things that you can do.

1. Ensure all your W2K DCs have SP3. There are a few improvements/fixes in the way lockouts are communicated between DCs.

2. Have a look at the Account Lockout Status tool (ALS.EXE). This pulls information from each DC in the domain regarding the lockout status, bad pw attempts, etc. You may need to contact your Microsoft TAM for ALS.EXE as I don't know if it has made it into the resource kit tools yet.

3. Eventcomb can be useful for grouping event information from log files on different DCs.

4. Look for Event 681 entries on the PDC Emulator DC. Have a look at http://support.microsoft.com/default.aspx?scid=kb;[LN];273499 for information on how to interpret the resulting error codes. You can use Dumpel.exe to filter the results if necessary.

5. If you have password complexity as part of your account policy then you should be able to safely increase the account lockout threshold to something nearer 15 attempts. This should reduce the burden on your help desk.

Tony

-- Original Message --
From: "Mayet, Yusuf Y" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Wed, 2 Apr 2003 14:47:42 +0200

Hi everyone,

I was hoping that someone could help me out with this: We have a mixed environment of W2K DC's and there is a requirement from our Systems Support Centre to track Account Lockouts. As this can take place on any DC I was wondering if someone out there was using a tool to interrogate the directory to retrieve this information from the DC that registers the lockout. At the moment we have a tedious exercise of filtering each DC's log for event ID 644.

Thanks in advance,
Yusuf

Success is: "Set high aspirations in life. The Challenge is in our minds. We are limited not by reality but by our own imaginations".
[ActiveDir] Account Lockouts
Hi everyone,

I was hoping that someone could help me out with this: We have a mixed environment of W2K DC's and there is a requirement from our Systems Support Centre to track Account Lockouts. As this can take place on any DC I was wondering if someone out there was using a tool to interrogate the directory to retrieve this information from the DC that registers the lockout. At the moment we have a tedious exercise of filtering each DC's log for event ID 644.

Thanks in advance,
Yusuf

Success is: "Set high aspirations in life. The Challenge is in our minds. We are limited not by reality but by our own imaginations".
RE: [ActiveDir] Account Lockouts in mixed mode
You are not alone. Once we rolled out group policy we had the same thing happen. I have found in testing that if you utilise the "Default Domain Group Policy" and then import the compatws.inf security template (amend as required) this seems to "minimalise" but not eradicate the problem.

For the stalwarts that still experience lockout look at their accounts and goto Active Directory Users and Computers, goto the Accounts tab, make sure that Password Never Expires is ticked and that the User logon name and User logon name (pre windows 2000) are both "filled in"... once this is done reset their password to something totally different.

Within the scope of your Group Policy I would also advise that you separate the IT User Accounts and the servers that are not DC's and apply a new group policy to that group with "No Override" and "Block Inheritance".

There is a great tool out there to test Resultant Policy FAZAM RFV, not full version but free...
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/fazam2000-o.asp

Also a great "Free book" on group policy, have to register but well worth it, have received no "junk mail" as yet as a result of registering:
http://www.fullarmor.com/ebook/read/

James

-----Original Message-----
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 18 October 2001 1:20 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Account Lockouts in mixed mode

Actually, we have seen similar issues in our mixed mode domain. Sometimes, it seems that there is a sync problem between pdc and bdc's. Other times, we have no clue why it is occurring to an individual over and over again. We have even gone so far as to delete and recreate accounts in AD for users experiencing repeated lock-outs. The only common thread seems to have been their accessing exchange through outlook. Users could log in after their account was unlocked, but later in the day they would be locked out again. Passwords were not being cached at all, and it was almost always a Win2kPro box that the user was logging on through. I am uncertain as to the exact cause(s), but recreating the user object has resolved the issues for users experiencing this.

-----Original Message-----
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 9:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode

We have a mixed mode AD (Single forest/single tree/single domain), with about 20 DCs and 35 BDCs. Accounts are administered centrally by a very small group, and they typically connect to the DC that holds the PDC FSMO to do all administrative tasks. Our account lockout policy locks accounts after three bad attempts. Over the past several months, we've seen a couple strange issues with account lockouts:

1. Once in awhile, a user will be locked out again and again for no apparent reason. For example, they arrive at work, attempt to login, and are locked out. The admins unlock the account and the user logs in, but if you check the account later it is locked out again. If the user then logs out, they are unable to login because of the lock. We've seen this happen to a given user several times over a few days, then mysteriously disappear. Some users have a great deal of trouble with this; most never see it.

2. When an account is locked out, the admin will typically unlock it by going to the account tab on the user's object in Active Directory Users and Computers. In some cases, however, even after doing so the user is unable to logon. Since these folks are old-time NT admins, they will then often open User Manager for Domains and try unlocking the account from there. Strangely, they sometimes need to perform the unlock from BOTH tools before the user is able to logon. At first, I thought this was just a timing issue, or that they were looking at the account info on different servers, but I have seen with my own eyes cases where ADU&C connected to the PDC emulator shows one lockout status, and User Manager for Domains shows another. I'm trying to get the admins away from User Manager for Domains altogether, but they don't trust 'Users and Computers' in this case. I've tried to explain that the "Nt Domain" and the "Active Directory Domain" are the SAME THING, but they're not buying it when they see a different view in the two tools.

My questions:

1. Is anybody else having similar lockout problems? The Q articles on the subject don't seem to apply to this scenario.

2. When an admin uses User Manager for Domains, it obviously can make changes only at the (emulated) PDC. Does this mean that the lockout status it displays is the one stored on that server, or is it possible that it's displaying status read from a BDC?

3. Has anyone else seen a case where they had to un
Re: [ActiveDir] Account Lockouts in mixed mode
Read MS Article Q263821 for the fix

- Original Message -
From: "Bjelke John A Contr AFRL/VSIO" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 17, 2001 4:19 PM
Subject: RE: [ActiveDir] Account Lockouts in mixed mode

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 9:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode

List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Account Lockouts in mixed mode
I have seen this happen with persistent mapped drives. I don't recall the exact details, but I believe it occurred after the user changed their password. When the persistent drive mappings were made, the user did a "Connect As" and supplied their user ID and password. Now the persistent mappings are trying to connect with the old password, causing the account to lock out. This may be totally off-base but is the best I can recall.

Jim

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 11:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode
RE: [ActiveDir] Account Lockouts in mixed mode
Actually, we have seen similar issues in our mixed mode domain. Sometimes, it seems that there is a sync problem between the PDC and BDCs. Other times, we have no clue why it is occurring to an individual over and over again. We have even gone so far as to delete and recreate accounts in AD for users experiencing repeated lock-outs. The only common thread seems to have been their accessing Exchange through Outlook. Users could log in after their account was unlocked, but later in the day they would be locked out again. Passwords were not being cached at all, and it was almost always a Win2kPro box that the user was logging on through. I am uncertain as to the exact cause(s), but recreating the user object has resolved the issues for users experiencing this.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 9:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode
RE: [ActiveDir] Account Lockouts in mixed mode
We have 5 domains in our environment, but only one has a three lock-out scenario like yours. We are in Native mode and I have witnessed this. At first I blamed it on user error, since the help desk for that area is not up to par. Then one day it happened to me. I hadn't logged in to the domain in some time, and once I did, I was locked out on one attempt. Unfortunately, I don't have a cure. I wanted to let you know that the mixed mode might not have anything to do with it. Please let us know if you find anything.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 8:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode
[ActiveDir] Account Lockouts in mixed mode
We have a mixed mode AD (single forest/single tree/single domain), with about 20 DCs and 35 BDCs. Accounts are administered centrally by a very small group, and they typically connect to the DC that holds the PDC FSMO to do all administrative tasks. Our account lockout policy locks accounts after three bad attempts.

Over the past several months, we've seen a couple of strange issues with account lockouts:

1. Once in a while, a user will be locked out again and again for no apparent reason. For example, they arrive at work, attempt to log in, and are locked out. The admins unlock the account and the user logs in, but if you check the account later it is locked out again. If the user then logs out, they are unable to log in because of the lock. We've seen this happen to a given user several times over a few days, then mysteriously disappear. Some users have a great deal of trouble with this; most never see it.

2. When an account is locked out, the admin will typically unlock it by going to the Account tab on the user's object in Active Directory Users and Computers. In some cases, however, even after doing so the user is unable to log on. Since these folks are old-time NT admins, they will then often open User Manager for Domains and try unlocking the account from there. Strangely, they sometimes need to perform the unlock from BOTH tools before the user is able to log on. At first, I thought this was just a timing issue, or that they were looking at the account info on different servers, but I have seen with my own eyes cases where ADU&C connected to the PDC emulator shows one lockout status, and User Manager for Domains shows another. I'm trying to get the admins away from User Manager for Domains altogether, but they don't trust 'Users and Computers' in this case. I've tried to explain that the "NT Domain" and the "Active Directory Domain" are the SAME THING, but they're not buying it when they see a different view in the two tools.

My questions:

1. Is anybody else having similar lockout problems? The Q articles on the subject don't seem to apply to this scenario.
2. When an admin uses User Manager for Domains, it obviously can make changes only at the (emulated) PDC. Does this mean that the lockout status it displays is the one stored on that server, or is it possible that it's displaying status read from a BDC?
3. Has anyone else seen a case where they had to unlock an account using both tools before the user could log in?
4. Is there any other reason why attributes that are displayable in User Manager for Domains should NOT be IDENTICAL to the same attributes as displayed in Active Directory Users and Computers? In other words, does the PDC emulator store this data in a separate SAM that can somehow be temporarily out of sync with the AD, or is the PDC emulator a real-time conduit into the AD store?

Thanks for any ideas...

Dave Fugleberg
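Added example, not code from the thread or from any of its posters. It does the two checks the thread circles around: Dave's question of whether the lockout status a console shows is simply the copy held by the DC that console is bound to, and Jim's theory that a client is replaying an old password from a persistent "Connect As" drive mapping. It assumes the RSAT ActiveDirectory module, DCs running Windows Server 2008 or later (the thread's Windows 2000 DCs logged lockouts as event 644, not 4740), an account that can read user attributes on every DC and the Security log on the PDC emulator, and that the Remote Event Log Management firewall rule is open on the PDC emulator. $SamAccountName is a placeholder; the script file name in the usage note is hypothetical.

```powershell
<#
Added example (not from the thread). Assumptions: RSAT ActiveDirectory module,
Server 2008+ DCs (event IDs below are the post-2008 ones), rights to read user
attributes on all DCs and the Security log of the PDC emulator.
$SamAccountName is a placeholder for the locked-out user.
#>
param([Parameter(Mandatory = $true)][string]$SamAccountName)

Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
$dcs = (Get-ADDomainController -Filter *).HostName

function ConvertFrom-FileTime([Int64]$t) {
    # lockoutTime / badPasswordTime / pwdLastSet are 100 ns ticks since 1601;
    # 0 means "never", and for lockoutTime it means "not locked".
    if ($t -gt 0) { [DateTime]::FromFileTime($t) } else { $null }
}

# 1. Ask every DC for its own copy of the lockout attributes. badPwdCount and
#    badPasswordTime are never replicated, so each DC counts only the failures
#    it handled itself; lockoutTime (and the 0 written by an unlock) does
#    replicate, so two consoles bound to different DCs can disagree until
#    replication has converged.
$perDc = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lockoutTime, badPwdCount, badPasswordTime, pwdLastSet
        [pscustomobject]@{
            DC              = $dc
            IsPDC           = ($dc -eq $pdc)
            LockoutTime     = ConvertFrom-FileTime $u.lockoutTime
            BadPwdCount     = $u.badPwdCount
            BadPasswordTime = ConvertFrom-FileTime $u.badPasswordTime
            PwdLastSet      = ConvertFrom-FileTime $u.pwdLastSet
        }
    } catch {
        [pscustomobject]@{ DC = $dc; IsPDC = ($dc -eq $pdc); Error = $_.Exception.Message }
    }
}
$perDc | Sort-Object BadPasswordTime -Descending | Format-Table -AutoSize

# 2. A DC that rejects a password retries it against the PDC emulator before
#    failing the logon, so the PDC emulator's Security log sees every bad
#    attempt in the domain and names the client that sent it.
#    4740 = account locked out, 4771 = Kerberos pre-auth failed, 4776 = NTLM failed.
$namePattern = "(Account Name|Logon Account):\s*$([regex]::Escape($SamAccountName))\b"
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $namePattern }

$events | ForEach-Object {
    # The client field is labelled differently in each of the three events.
    $m = [regex]::Match($_.Message, '(Caller Computer Name|Source Workstation|Client Address):\s*(\S+)')
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Client = if ($m.Success) { $m.Groups[2].Value } else { '' }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# 3. Bad attempts from a single client that all postdate PwdLastSet point at a
#    stored credential on that client still holding the old password: a
#    persistent "Connect As" drive mapping, a service or scheduled task, an
#    Outlook profile, or a session that was never logged off.
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName jdoe` (hypothetical file name). The first table answers the "which server is the console looking at" question directly: whichever tool you use, the status it shows is the copy on the DC it is talking to, and the non-replicated badPwdCount makes it normal for those copies to differ. On a DC there is no separate SAM database; SAM-based tools such as User Manager for Domains read and write the same directory store through the SAM RPC interface, so a lasting disagreement between two consoles bound to the same DC is a tool or caching problem rather than two stores. The second table is what turns "locked out again for no reason" into a client name you can go and look at.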