RE: [ActiveDir] Account lockouts

2004-03-14 Thread Jorge de Almeida Pinto
Hi,

For the event ID 1083 see Q296714 and Q306091

Those may be of some help

Regards,
Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Friday, March 12, 2004 04:28
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Account lockouts

Hi,

Actually, this brings up a question I've wanted to ask for some time. 
Why does Event ID 1083 get logged when an account is locked out?  I'm trying
to understand what exactly is causing the "directory is busy" message.

Thanks!

Robbie Foust, IT Analyst
Systems and Core Services
Duke University




Mike Hogenauer wrote:
 Question,
 
 We have 3 domain controllers in a single forest, single Domain environment
running windows 2000 Server. I have 2 Domain Accounts that constantly get
locked out. I keep getting this error, even after checking LDAP for
duplicate accounts, I've moved the user account to a different OU and forced
replication, etc. Also checked Microsoft KB, tried all suggestions. I've
also had the user log off all terminal sessions, manually change the account
password and then forced replication. I'm close to deleting and recreating
the account. 
 
 Thanks in advance for any help! 
 
 Mike
 
 Event Type:   Warning
 Event Source: NTDS Replication
 Event Category:   Replication 
 Event ID: 1083
 Date: 3/10/2004
 Time: 2:37:32 PM
 User: Everyone
 Computer: AD1
 Description:
 Replication warning: The directory is busy. It couldn't update object
CN=,CN=Users,DC=Domain,DC=com with changes made by directory
800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try
again later. 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Account lockouts

2004-03-13 Thread joe
You need to enable 

Audit Account Logon Events - Failures
Audit Logon Events - Failures

Then dig through your logs looking for 681, 529, 675

@echo off
echo %computername%
echo.

set file=%computername%.csv
if not %2*==* set file=%2

@echo Writing file - %file%

dumpel -l security -m security -e 681 529 675 -d %1 -c -format dtTCIus -f %file%


Now parse through those entries looking for logon failures. You should see
some sort of failures; a quick and dirty perl script I have to tear through
them is below. Your mileage may vary but it has helped us track every lockout
down to a machine so far... It does its job and it is a job we don't have to do
very often anymore so I haven't looked at cleaning up the code or making it
nice or tight or anything else.

If you look on the PDC and it points at another DC that generally means it
is a pdc-chain so you need to dump the logs on that DC and scan them as
well. 

I usually run this script like

Getinfo domaincontroller.csv | findstr /I userid


#!/usr/bin/perl
# Reads the dumpel CSV (file name argument or STDIN) and prints one line
# per failed logon: date;time;eventid;error;domain\user;workstation
use strict;
use warnings;

my (@a, $date, $time, $code, $idfield, $user, $domain, $workstation, $error);

foreach (<>)
 {
  chomp;

  s/\\//g;
  @a=split/,/;
  $date=$a[0];
  $time=$a[1];
  $code=$a[4];
  $idfield=defined $a[7] ? $a[7] : "";

  $user="";
  $domain="";
  $workstation="";
  $error="";

  # 681: NTLM logon failure reported by the DC; the trailing number is the NTSTATUS error code
  if ($code eq "681")
   {
    if ($idfield=~/MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\s+([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+(\d+)/i)
     {
      $domain="local";
      $user=$1;
      $workstation=$2;
      $error=$3;
     }
    else
     {
      print "\aNOMATCH: $_\n";
      next;
     }
   }
  # 675: Kerberos pre-authentication failure; the source is the client IP address
  elsif ($code eq "675")
   {
    if ($idfield=~/([`=\$\w\.-]+?)\s+.+?krbtgt\/(\S+).+\s+([0-9.]+)/i)
     {
      $domain=$2;
      $user=$1;
      $workstation=$3;
      $error="---";
     }
    else
     {
      print "$idfield\n";
     }
   }
  # 529: logon failure (unknown user name or bad password); logon type 3 is network, 2 is interactive
  elsif ($code eq "529")
   {
    if ($idfield=~/([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+3 (NtlmSsp|Advapi)\s+.+\s+([`=\$\w\.-]+)/i)
     {
      $domain=$2;
      $user=$1;
      $workstation=$4;
      $error=$3;
     }
    elsif ($idfield=~/([`=\$\w\.-]+?)\s+3 (NtlmSsp|Advapi).+\s+([`=\$\w\.-]+)/i)
     {
      $domain="local";
      $user=$1;
      $workstation=$3;
      $error=$2;
     }
    elsif ($idfield=~/([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+2 User32 .+\s+([`=\$\w\.-]+)/i)
     {
      $domain=$2;
      $user=$1;
      $workstation=$3;
      $error="User32";
     }
    else
     {
      print "\aNOMATCH: $idfield\n";
      # <STDIN>;
      next;
     }
   }
  else {print "[$_]\n";};

  print "$date;$time;$code;$error;$domain\\$user;$workstation\n";

 }

-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, March 11, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account lockouts

Question, 

We have 3 domain controllers in a single forest, single Domain environment
running windows 2000 Server. I have 2 Domain Accounts that constantly get
locked out. I keep getting this error, even after checking LDAP for
duplicate accounts, I've moved the user account to a different OU and forced
replication, etc. Also checked Microsoft KB, tried all suggestions. I've
also had the user log off all terminal sessions, manually change the account
password and then forced replication. I'm close to deleting and recreating
the account. 

Thanks in advance for any help! 

Mike 

Event Type: Warning
Event Source:   NTDS Replication
Event Category: Replication 
Event ID:   1083
Date:   3/10/2004
Time:   2:37:32 PM
User:   Everyone
Computer:   AD1
Description:
Replication warning: The directory is busy. It couldn't update object
CN=,CN=Users,DC=Domain,DC=com with changes made by directory
800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try
again later. 
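An added Python example, not joe's script and not part of the original thread, that does the same job as the Perl above over dumpel-style rows: it dispatches on event ID 681, 529 or 675, pulls out the account and the source workstation or address, and decodes the 681 error code into a reason, so a locked-out account can be traced to the host that keeps presenting bad credentials. The column layout (event ID in column 4, insertion strings space-joined in column 6), the regexes and the sample rows are constructed assumptions that mirror what joe's regexes expect; the NTSTATUS and Kerberos error tables are standard Windows values.

```python
import csv
import io
import re
from collections import Counter

# Assumed column layout of the dumpel CSV (constructed for this example):
# date, time, type, category, event id, user, insertion strings (space-joined).
ID_COL = 4
STRINGS_COL = 6

# Standard NTSTATUS values that the 681 "error code" field carries in decimal.
NTSTATUS = {
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
    0xC0000064: "user name does not exist",
    0xC0000072: "account disabled",
    0xC000006F: "outside permitted logon hours",
    0xC0000193: "account expired",
    0xC0000071: "password expired",
}
# Standard Kerberos error codes seen in the 675 "failure code" field.
KRB_ERR = {
    0x18: "pre-authentication failed (bad password)",
    0x12: "client revoked (locked out or disabled)",
    0x06: "client principal unknown",
}

# Insertion strings in the order joe's Perl regexes expect (an assumption).
RE_681 = re.compile(r"^MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\s+(\S+)\s+(\S+)\s+(\d+)$")
RE_675 = re.compile(r"^(\S+)\s+\S+\s+krbtgt/(\S+)\s+\S+\s+(0x[0-9A-Fa-f]+)\s+([0-9.]+)$")
RE_529 = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+(\S+)$")

# Constructed sample rows, not real log data.
SAMPLE = """\
3/11/2004,1:39:02 PM,Failure Audit,Account Logon,681,SYSTEM,MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 jdoe WKS01 3221225578
3/11/2004,1:39:09 PM,Failure Audit,Account Logon,681,SYSTEM,MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 jdoe WKS01 3221225578
3/11/2004,1:39:15 PM,Failure Audit,Account Logon,681,SYSTEM,MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 jdoe WKS01 3221226036
3/11/2004,1:40:00 PM,Failure Audit,Account Logon,675,SYSTEM,svc_backup S-1-5-21-1-2-3-1105 krbtgt/CORP.EXAMPLE.COM 0x2 0x18 10.1.2.30
3/11/2004,1:41:30 PM,Failure Audit,Logon/Logoff,529,SYSTEM,jdoe CORP 3 NtlmSsp NTLM WKS01
3/11/2004,1:42:00 PM,Failure Audit,Logon/Logoff,529,SYSTEM,not a layout we know
"""


def parse_row(row):
    """Return (user, domain, source, reason) for one row, or None if it matches nothing."""
    if len(row) <= max(ID_COL, STRINGS_COL):
        return None
    event_id, strings = row[ID_COL].strip(), row[STRINGS_COL].strip()
    if event_id == "681":
        m = RE_681.match(strings)
        if m:
            code = int(m.group(3))
            return m.group(1), "", m.group(2), NTSTATUS.get(code, f"NTSTATUS {code:#010x}")
    elif event_id == "675":
        m = RE_675.match(strings)
        if m:
            code = int(m.group(3), 16)
            return m.group(1), m.group(2), m.group(4), KRB_ERR.get(code, f"Kerberos error {code:#x}")
    elif event_id == "529":
        m = RE_529.match(strings)
        if m:
            return m.group(1), m.group(2), m.group(5), f"logon failure, type {m.group(3)} via {m.group(4)}"
    return None


def attribute_failures(csv_text):
    """Count failures per (user, source, reason); also return the rows that matched nothing."""
    counts, unparsed = Counter(), []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        parsed = parse_row(row)
        if parsed is None:
            unparsed.append(row)
            continue
        user, _domain, source, reason = parsed
        counts[(user, source, reason)] += 1
    return counts, unparsed


def sources_for(csv_text, account):
    """Total failures per source host or address for one account (case-insensitive)."""
    counts, _ = attribute_failures(csv_text)
    per_source = Counter()
    for (user, source, _reason), n in counts.items():
        if user.lower() == account.lower():
            per_source[source] += n
    return per_source


if __name__ == "__main__":
    counts, unparsed = attribute_failures(SAMPLE)
    for (user, source, reason), n in counts.most_common():
        print(f"{n:3d}  {user:<12} from {source:<12} {reason}")
    print(f"{len(unparsed)} row(s) matched no known pattern")
```

Run it over the CSV that dumpel writes: a source that shows several "wrong password" entries followed by "account locked out" is the machine to look at first. A 675 entry only yields a client IP address, so that has to be resolved to a host separately, and, as joe notes, if the source turns out to be another DC the attempt was chained, so that DC's log has to be dumped and scanned as well.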


RE: [ActiveDir] Account lockouts

2004-03-13 Thread Mike Hogenauer
All Clients are either Windows 2000 Pro or XP Pro. XP Pro is on the Client I'm most worried about...

-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 11, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account lockouts


Mike, what OS is the client running?

mc



RE: [ActiveDir] Account lockouts

2004-03-12 Thread Free, Bob
Robbie Foust  mused on Thursday, March 11, 2004 7:28 PM:

 Hi,
 
 Actually, this brings up a question I've wanted to ask for some time.
 Why does Event ID 1083 get logged when an account is locked out?  I'm
 trying to understand what exactly is causing the "directory is busy"
 message.

If it's just randomly occurring, as far as lockouts go, I'd chalk it up
to collisions caused by urgent replication

http://support.microsoft.com/default.aspx?scid=kb;EN-US;306091

The following events may be logged if immediate replication is triggered
(for example, by an urgent replication for a user lockout condition) and
collides with the local Active Directory update: 

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083
Description:
Replication warning: The directory is busy. It couldn't update object
CN=... with changes made by directory GUID._msdcs.domain. Will try again
later. 


RE: [ActiveDir] Account lockouts

2004-03-11 Thread Creamer, Mark
Mike, what OS is the client running?

mc



RE: [ActiveDir] Account lockouts

2004-03-11 Thread Creamer, Mark
I should have expanded on my reason for asking about the clients. As soon as we went to SP4, we were getting a lot of these lockouts, all on Win9x clients (we don't have any NTW). W2K and above were fine. I called MS Support and they gave me a new version of the AD Client. With that installed, the problem was fixed. No issues since. Sup Services said this new version of the client fixed a lot of lockout issues.

Obviously, this isn't the solution if Mike only has W2K and/or WXP clients.

mc




Re: [ActiveDir] Account lockouts

2004-03-11 Thread Brent Westmoreland
If you have security logging enabled use eventcombmt

http://support.microsoft.com/default.aspx?scid=kb;en-us;824209 



On Mar 11, 2004, at 2:02 PM, Lou Vega wrote:

Another thing to check is that that user (or users) do not have any services
running (or attempting to run) using those accounts. I've seen that happen
before. What happens is they change their user account password but forget
to update it in the services property page - then the service just bangs
away at it with the old one.

r/
Lou


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, March 11, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account lockouts

Question, 

We have 3 domain controllers in a single forest, single Domain environment
running windows 2000 Server. I have 2 Domain Accounts that constantly get
locked out. I keep getting this error, even after checking LDAP for
duplicate accounts, I've moved the user account to a different OU and forced
replication, etc. Also checked Microsoft KB, tried all suggestions. I've
also had the user log off all terminal sessions, manually change the account
password and then forced replication. I'm close to deleting and recreating
the account. 

Thanks in advance for any help! 

Mike 

Event Type:	Warning
Event Source:	NTDS Replication
Event Category:	Replication 
Event ID:	1083
Date:		3/10/2004
Time:		2:37:32 PM
User:		Everyone
Computer:	AD1
Description:
Replication warning: The directory is busy. It couldn't update object
CN=,CN=Users,DC=Domain,DC=com with changes made by directory
800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try
again later. 

Brent Westmoreland
BMW Group - Data Center Americas
Business:  864.989.6567


Re: [ActiveDir] Account lockouts

2004-03-11 Thread Robbie Foust
Hi,

Actually, this brings up a question I've wanted to ask for some time. 
Why does Event ID 1083 get logged when an account is locked out?  I'm 
trying to understand what exactly is causing the "directory is busy" 
message.

Thanks!

Robbie Foust, IT Analyst
Systems and Core Services
Duke University


Mike Hogenauer wrote:
Question, 

We have 3 domain controllers in a single forest, single Domain environment running windows 2000 Server. I have 2 Domain Accounts that constantly get locked out. I keep getting this error, even after checking LDAP for duplicate accounts, I've moved the user account to a different OU and forced replication, etc. Also checked Microsoft KB, tried all suggestions. I've also had the user log off all terminal sessions, manually change the account password and then forced replication. I'm close to deleting and recreating the account. 

Thanks in advance for any help! 

Mike 

Event Type:	Warning
Event Source:	NTDS Replication
Event Category:	Replication 
Event ID:	1083
Date:		3/10/2004
Time:		2:37:32 PM
User:		Everyone
Computer:	AD1
Description:
Replication warning: The directory is busy. It couldn't update object CN=,CN=Users,DC=Domain,DC=com with changes made by directory 800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try again later. 


RE: [ActiveDir] Account Lockouts

2003-10-21 Thread Coleman, Hunter



This webcast has tips that are very helpful for troubleshooting account lockouts:
http://support.microsoft.com/default.aspx?kbid=813500

Kind of long, but well worth it.

Hunter


From: Mike Hogenauer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 21, 2003 2:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts

I am having a weird lockout problem with just one account (which at this time cannot be deleted and re-created). The account seems to lock itself out approximately every 20 or 30 minutes. I've tried using LDP.exe and binding to the Domain controller from where I get the event error to see if there are any duplicate entries in AD; none show up. I've also disabled any account lockout policy and this is the only account in the domain that is having the problem.

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083

I've also moved the account to another OU and forced replication; still after about 20 or 30 minutes the account becomes locked out again.
Any suggestions?

Thanks in advance. 


Mike Hogenauer
SR. Systems Admin
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2148 | Fax: 425.497.1149



RE: [ActiveDir] Account Lockouts

2003-10-21 Thread deji
It is very likely that this account is being used as a service account and
the password was changed or the service was configured with an incorrect
password for this account. Another possible culprit is scheduled task.
 
Enabling netlogon logging will help you, as described in the Account Lockout
and Management Tools article I posted here last week. This is where I would
start.
 
If your Forest is not huge, I have a vbscript that can go through all the
computers in your forest and find if there is a service configured to use
this account. The script makes WMI calls to each computer object and queries
it, so it is not very fast. Email me offline if you are interested.
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Mike Hogenauer
Sent: Tue 10/21/2003 1:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts


I am having a weird lockout problem with just one account (which at this time
cannot be deleted and re-created). The account seems to lock itself out
approximately every 20 or 30 minutes. I've tried using LDP.exe and binding to
the Domain controller from where I get the event error to see if there are any
duplicate entries in AD; none show up. I've also disabled any account lockout
policy and this is the only account in the domain that is having the problem.

 
Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication 
Event ID: 1083
 
I've also moved the account to another OU and forced replication; still after
about 20 or 30 minutes the account becomes locked out again. 
Any suggestions?
 
Thanks in advance. 
 
Mike Hogenauer

SR. Systems Admin

Rendition Networks, Inc.

10735 Willows Rd NE, Suite 150

Redmond, WA 98052

425.636.2148 | Fax: 425.497.1149

 

RE: [ActiveDir] Account Lockouts

2003-10-21 Thread Creamer, Mark









I didn't notice if you mentioned whether the client is Win2K, or Win9x or

If Win9x, Microsoft has a new version of the DS client that can be installed which resolves this problem. You have to contact Professional Services to get it.

Mark


Re: [ActiveDir] Account Lockouts

2003-04-02 Thread Tony Murray
There are a few things that you can do.  

1.  Ensure all your W2K DCs have SP3.  There are a few improvements/fixes in the way lockouts are communicated between DCs.

2.  Have a look at the Account Lockout Status tool (ALS.EXE).  This pulls information from each DC in the domain regarding the lockout status, bad pw attempts, etc.  You may need to contact your Microsoft TAM for ALS.EXE as I don't know if it has made it into the resource kit tools yet.

3.  Eventcomb can be useful for grouping event information from log files on different DCs.

4.  Look for Event 681 entries on the PDC Emulator DC.  Have a look at http://support.microsoft.com/default.aspx?scid=kb;[LN];273499 for information on how to interpret the resulting error codes.  You can use Dumpel.exe to filter the results if necessary.

5.  If you have password complexity as part of your account policy then you should be able to safely increase the account lockout threshold to something nearer 15 attempts.  This should reduce the burden on your help desk.

Tony

-- Original Message --
From: Mayet, Yusuf Y [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 2 Apr 2003 14:47:42 +0200 

Hi everyone,

I was hoping that you someone could help me out with this:
We have a mixed environment of W2K DC's and there is a requirement from our
Systems Support Centre to track Account Lockouts.

As this can take place on any DC I was wondering if someone out there was
using a tool to interrogate the directory to retrieve this information from
the DC that registers the lockout.

At the moment we have a tedious exercise of filtering each DC's log for
event ID 644.

Thanks in advance,
Yusuf 

Success is: Set high aspirations in life. The Challenge is in our minds. We
are limited not by reality but by our own imaginations.





RE: [ActiveDir] Account Lockouts

2003-04-02 Thread Patrick R. Sweeney
This type of problem is easily solved if you've set the DBFlag for logon
events for netlogon.  Otherwise it is almost impossible to track in an
environment with NT Desktops -- the event ends up in the event logs of
the offending desktop, not the DC.  In an environment with 9x desktops,
this is still difficult to track, since the events can be in the logs of
any DC, but are not centralized.  Debugging netlogon solves all that,
and is fairly easy -- only requiring a registry change on 2000 DCs.
 
Here are relevant articles --
http://support.microsoft.com/default.aspx?scid=kb;en-us;189541 
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;109626
 
Additionally, you will need to set up some method to recover the
netlogon text files and to make certain the DCs hard drive doesn't get
filled by them.

The following is a script to move the netlogon.log file when it fills.

My apologies if this gets poorly formatted in email
---

'Script to move a NETLOGON.LOG
'file when it reaches a certain size

'declare variables
Dim FSO                 'FileSystem Object
Dim sSystemRoot         'System Root path
Dim sFilePath           'Full path to the Netlogon.log file
Dim sWMIFilePath        'Path to Netlogon.log expressed with \\ for WMI
Dim sComputer           'Target computer
Dim oWMIService         'Windows Management Service object
Dim colMonitoredEvents  'Collection of monitored events
Dim oLatestEvent        'Trigger instance
Dim lTriggerSize        'Size at which to move the netlogon.log file in bytes
Dim lCurrentSize        'Size of file currently
Dim sTargetName         'Archive file name - based on the last modified time of the file
Dim sArchivePath        'Path to archive files
Dim sTempPath           'Initial path of renamed but unmoved file
Dim sTargetPath         'Full path of archive file

'initialize variables and objects
sComputer = "."  'local machine
'Path to archive files
sArchivePath = "\\servername\sharename\subfolder"
Set FSO = CreateObject("Scripting.FileSystemObject")
lTriggerSize = 67108864  '64 MB

'The file path is based on the system root
sSystemRoot = FSO.GetSpecialFolder(0)
sFilePath = sSystemRoot & "\debug\netlogon.log"
sWMIFilePath = Replace(sFilePath, "\", "\\")

'Instantiate WMI
Set oWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & sComputer & "\root\cimv2")

'Now create an event sink for when the file is modified
Set colMonitoredEvents = oWMIService.ExecNotificationQuery _
    ("SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE " _
    & "TargetInstance ISA 'CIM_DataFile' and " _
    & "TargetInstance.Name='" & sWMIFilePath & "'")
Do
    Set oLatestEvent = colMonitoredEvents.NextEvent
    'Now determine if the file size is exceeded
    lCurrentSize = CLng(oLatestEvent.TargetInstance.FileSize)
    If lCurrentSize >= lTriggerSize Then
        'Now our criteria are met so begin to manipulate the log
        'first determine the last modified time for use as a filename
        sTargetName = Left(oLatestEvent.TargetInstance.LastModified, 14) & ".log"
        sTempPath = sSystemRoot & "\debug\" & sTargetName
        'Rename the netlogon.log file appropriately
        FSO.MoveFile sFilePath, sTempPath
        'Now move the renamed file
        sTargetPath = sArchivePath & "\" & sTargetName
        FSO.MoveFile sTempPath, sTargetPath
    End If
Loop

---

Then all you need to do is filter the netlogon.log files.

-Patrick R. Sweeney http://boston.craigslist.org/bos/res/8484283.html

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Wednesday, April 02, 2003 7:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts


Hi everyone,

I was hoping that you someone could help me out with this:

We have a mixed environment of W2K DC's and there is a requirement from
our Systems Support Centre to track Account Lockouts.

As this can take place on any DC I was wondering if someone out there
was using a tool to interrogate the directory to retrieve this
information from the DC that registers the lockout.

At the moment we have a tedious exercise of filtering each DC's log for
event ID 644.

Thanks in advance,

Yusuf 

Success is: Set high aspirations in life. The Challenge is in our
minds. We are limited not by reality but by our own imaginations.

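An added Python example, not Patrick's script and not part of the original thread, for the filtering step once the netlogon.log files have been collected: it matches the SamLogon "Returns 0x..." lines, keeps the failures, records which workstation each came from and which DC forwarded it (the "(via DC)" form of a chained logon), and lists the workstations whose bad-password attempts preceded an account's first lockout. The exact line layout and the sample lines are constructed assumptions modelled on netlogon debug output; the two NTSTATUS values are standard.

```python
import re
from collections import Counter, defaultdict

# Standard NTSTATUS values netlogon reports for a failed SamLogon.
STATUS = {0xC000006A: "wrong password", 0xC0000234: "account locked out"}

# Assumed shape of a netlogon.log SamLogon result line (constructed for this example):
#   MM/DD HH:MM:SS [LOGON] SamLogon: [Transitive] <kind> logon of DOMAIN\user from WKS [(via DC)] Returns 0x...
LINE = re.compile(
    r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] SamLogon: (?:Transitive )?(\w+) logon of "
    r"(\S+)\\(\S+) from (\S+?)(?: \(via (\S+)\))? Returns (0x[0-9A-Fa-f]+)$"
)

# Constructed sample lines, not a real log.
SAMPLE_LOG = r"""
03/11 13:39:02 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS01 Entered
03/11 13:39:02 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS01 Returns 0xC000006A
03/11 13:39:09 [LOGON] SamLogon: Transitive Network logon of CORP\jdoe from WKS01 (via DC2) Entered
03/11 13:39:09 [LOGON] SamLogon: Transitive Network logon of CORP\jdoe from WKS01 (via DC2) Returns 0xC000006A
03/11 13:39:15 [LOGON] SamLogon: Transitive Network logon of CORP\jdoe from WKS01 (via DC2) Returns 0xC0000234
03/11 13:40:00 [LOGON] SamLogon: Interactive logon of CORP\asmith from WKS07 Returns 0x0
03/11 13:45:30 [LOGON] SamLogon: Network logon of CORP\jdoe from WKS01 Returns 0xC0000234
"""


def failed_attempts(log_text):
    """Map 'DOMAIN\\user' -> list of (time, workstation, forwarding DC or '-', reason), in log order."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # 'Entered' lines and anything else are not results
        when, _kind, domain, user, workstation, via, status = m.groups()
        code = int(status, 16)
        if code == 0:
            continue  # successful logon
        attempts[f"{domain}\\{user}"].append((when, workstation, via or "-", STATUS.get(code, status)))
    return attempts


def lockout_origin(log_text, account):
    """Workstations (with counts) whose failed attempts preceded the account's first lockout."""
    sources = Counter()
    for _when, workstation, _via, reason in failed_attempts(log_text).get(account, []):
        if reason == "account locked out":
            break  # after the first lockout every retry fails, so later lines add no information
        sources[workstation] += 1
    return sources


def forwarding_dcs(log_text):
    """DCs that forwarded failures to this one; their own netlogon.log files must be collected too."""
    return sorted({via for rows in failed_attempts(log_text).values() for _w, _ws, via, _r in rows if via != "-"})


if __name__ == "__main__":
    for account, rows in failed_attempts(SAMPLE_LOG).items():
        for when, workstation, via, reason in rows:
            print(f"{when}  {account:<14} from {workstation:<8} via {via:<5} {reason}")
        print(f"  -> lockout origin for {account}: {dict(lockout_origin(SAMPLE_LOG, account))}")
    print("forwarding DCs:", forwarding_dcs(SAMPLE_LOG))
```

The "via" column is what makes a chained entry useful: a failure recorded on the PDC emulator with a forwarding DC named is the same attempt that DC saw first, so the workstation name, not the DC name, is the origin to chase.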
RE: [ActiveDir] Account Lockouts in mixed mode

2001-10-17 Thread DeGrands, Charles

We have 5 domains in our environment, but only one has a three lock out
scenario like yours.  We are in Native mode and I have witnessed this.  A
first I blamed it on user error, since the help desk for that area is not up
to par.  Then one day it happened to me.  I hadn't logged in to the domain
in some time and once I did, I was locked out on one attempt.

Unfortunately, I don't have a cure.  I wanted to let you know that the mixed
mode might not have anything to do with it.  

Please let us know if you find anything.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 8:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode


We have a mixed mode AD (Single forest/single tree/single domain), with
about 20 DCs and 35 BDCs.  Accounts are administered centrally by a very
small group, and they typically connect to the DC that holds the PDC
FSMO to do all administrative tasks. 

Our account lockout policy locks accounts after three bad attempts.
Over the past several months, we've seen a couple strange issues with
account lockouts:
1. Once in awhile, a user will be locked out again and again for no
apparent reason.  For example, they arrive at work, attempt to login,
and are locked out.  The admins unlock the account and the user logs in,
but if you check the account later it is locked out again. If the user
then logs out, they are unable to login because of the lock.  We've seen
this happen to a given user several times over a few days, then
mysteriously disappear.  Some users have a great deal of trouble with
this; most never see it.

2. When an account is locked out, the admin will typically unlock it by
going to the account tab on the user's object in Active Directory Users
and Computers.  In some cases, however, even after doing so the user is
unable to logon.  Since these folks are old-time NT admins, they will
then often open User Manager for Domains and try unlocking the account
from there.  Strangely, they sometimes need to perform the unlock from
BOTH tools before the user is able to logon.  At first, I thought this
was just a timing issue, or that they were looking at the account info
on different servers, but I have seen with my own eyes cases where ADUC
connected to the PDC emulator shows one lockout status, and User Manager
for Domains shows another.

I'm trying to get the admins away from User Manager for Domains
altogether, but they don't trust 'Users and Computers' in this case.
I've tried to explain that the Nt Domain and the Active Directory
Domain are the SAME THING, but they're not buying it when they see a
different view in the two tools.

My questions:
1. Is anybody else havong similar lockout problems ?  The Q articles on
the subject don't seem to apply to this scenario.
2. When an admin uses User Manager for Domains, it obviously can make
changes only at the (emulated) PDC.  Does this mean that the lockout
status it displays is the one stored on that server, or is it possible
that it's displaying status read from a BDC ?
3. Has anyone else seen a case where they had to unlock an account using
both tools before the user could login ?
4. Is there any other reason why attributes that are displayable in User
Manager for Domains should NOT be IDENTICAL to the same attributes as
displayed in Active Directory Users and Computers ?  In other words,
does the PDC emulator store this data in a separate SAM that can somehow
be temporarily out of sync with the AD, or is the PDC emulator a
real-time conduit into the AD store ?

Thanks for any ideas...
Dave Fugleberg





RE: [ActiveDir] Account Lockouts in mixed mode

2001-10-17 Thread Bjelke John A Contr AFRL/VSIO

Actually, we have seen similar issues in our mixed mode domain. Sometimes,
it seems that there is a sync problem between pdc and bdc's. Other times, we
have no clue why it is occurring to an individual over and over again. We
have even gone so far as to delete and recreate accounts in AD for users
experiencing repeated lock-outs. The only common thread seems to have been
their accessing exchange through outlook. Users could log in after their
account was unlocked, but later in the day they would be locked out again.
Passwords were not being cached at all, and it was almost always a Win2kPro
box that the user was logging on through. I am uncertain as to the exact
cause(s), but recreating the user object has resolved the issues for users
experiencing this.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 9:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode


We have a mixed mode AD (Single forest/single tree/single domain), with
about 20 DCs and 35 BDCs.  Accounts are administered centrally by a very
small group, and they typically connect to the DC that holds the PDC
FSMO to do all administrative tasks. 

Our account lockout policy locks accounts after three bad attempts.
Over the past several months, we've seen a couple strange issues with
account lockouts:
1. Once in awhile, a user will be locked out again and again for no
apparent reason.  For example, they arrive at work, attempt to login,
and are locked out.  The admins unlock the account and the user logs in,
but if you check the account later it is locked out again. If the user
then logs out, they are unable to login because of the lock.  We've seen
this happen to a given user several times over a few days, then
mysteriously disappear.  Some users have a great deal of trouble with
this; most never see it.

2. When an account is locked out, the admin will typically unlock it by
going to the account tab on the user's object in Active Directory Users
and Computers.  In some cases, however, even after doing so the user is
unable to logon.  Since these folks are old-time NT admins, they will
then often open User Manager for Domains and try unlocking the account
from there.  Strangely, they sometimes need to perform the unlock from
BOTH tools before the user is able to logon.  At first, I thought this
was just a timing issue, or that they were looking at the account info
on different servers, but I have seen with my own eyes cases where ADUC
connected to the PDC emulator shows one lockout status, and User Manager
for Domains shows another.

I'm trying to get the admins away from User Manager for Domains
altogether, but they don't trust 'Users and Computers' in this case.
I've tried to explain that the Nt Domain and the Active Directory
Domain are the SAME THING, but they're not buying it when they see a
different view in the two tools.

My questions:
1. Is anybody else having similar lockout problems ?  The Q articles on
the subject don't seem to apply to this scenario.
2. When an admin uses User Manager for Domains, it obviously can make
changes only at the (emulated) PDC.  Does this mean that the lockout
status it displays is the one stored on that server, or is it possible
that it's displaying status read from a BDC ?
3. Has anyone else seen a case where they had to unlock an account using
both tools before the user could login ?
4. Is there any other reason why attributes that are displayable in User
Manager for Domains should NOT be IDENTICAL to the same attributes as
displayed in Active Directory Users and Computers ?  In other words,
does the PDC emulator store this data in a separate SAM that can somehow
be temporarily out of sync with the AD, or is the PDC emulator a
real-time conduit into the AD store ?

Thanks for any ideas...
Dave Fugleberg


List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] Account Lockouts in mixed mode

2001-10-17 Thread Neil Smith

Read MS Article Q263821 for the fix

- Original Message -
From: Bjelke John A Contr AFRL/VSIO [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 17, 2001 4:19 PM
Subject: RE: [ActiveDir] Account Lockouts in mixed mode


Actually, we have seen similar issues in our mixed mode domain. Sometimes,
it seems that there is a sync problem between pdc and bdc's. Other times, we
have no clue why it is occurring to an individual over and over again. We
have even gone so far as to delete and recreate accounts in AD for users
experiencing repeated lock-outs. The only common thread seems to have been
their accessing exchange through outlook. Users could log in after their
account was unlocked, but later in the day they would be locked out again.
Passwords were not being cached at all, and it was almost always a Win2kPro
box that the user was logging on through. I am uncertain as to the exact
cause(s), but recreating the user object has resolved the issues for users
experiencing this.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 9:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode


We have a mixed mode AD (Single forest/single tree/single domain), with
about 20 DCs and 35 BDCs.  Accounts are administered centrally by a very
small group, and they typically connect to the DC that holds the PDC
FSMO to do all administrative tasks.

Our account lockout policy locks accounts after three bad attempts.
Over the past several months, we've seen a couple strange issues with
account lockouts:
1. Once in a while, a user will be locked out again and again for no
apparent reason.  For example, they arrive at work, attempt to log in,
and are locked out.  The admins unlock the account and the user logs in,
but if you check the account later it is locked out again. If the user
then logs out, they are unable to log in because of the lock.  We've seen
this happen to a given user several times over a few days, then
mysteriously disappear.  Some users have a great deal of trouble with
this; most never see it.

2. When an account is locked out, the admin will typically unlock it by
going to the account tab on the user's object in Active Directory Users
and Computers.  In some cases, however, even after doing so the user is
unable to log on.  Since these folks are old-time NT admins, they will
then often open User Manager for Domains and try unlocking the account
from there.  Strangely, they sometimes need to perform the unlock from
BOTH tools before the user is able to log on.  At first, I thought this
was just a timing issue, or that they were looking at the account info
on different servers, but I have seen with my own eyes cases where ADUC
connected to the PDC emulator shows one lockout status, and User Manager
for Domains shows another.

I'm trying to get the admins away from User Manager for Domains
altogether, but they don't trust 'Users and Computers' in this case.
I've tried to explain that the NT domain and the Active Directory
domain are the SAME THING, but they're not buying it when they see a
different view in the two tools.

My questions:
1. Is anybody else having similar lockout problems?  The Q articles on
the subject don't seem to apply to this scenario.
2. When an admin uses User Manager for Domains, it obviously can make
changes only at the (emulated) PDC.  Does this mean that the lockout
status it displays is the one stored on that server, or is it possible
that it's displaying status read from a BDC?
3. Has anyone else seen a case where they had to unlock an account using
both tools before the user could log in?
4. Is there any other reason why attributes that are displayable in User
Manager for Domains should NOT be IDENTICAL to the same attributes as
displayed in Active Directory Users and Computers?  In other words,
does the PDC emulator store this data in a separate SAM that can somehow
be temporarily out of sync with the AD, or is the PDC emulator a
real-time conduit into the AD store?

Thanks for any ideas...
Dave Fugleberg



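Editor's note, added to the thread above and not part of any of the posts: the situation Dave describes (ADUC and User Manager for Domains showing different lockout status, an unlock that "takes" only after doing it in both tools) is easiest to reason about by reading the lockout-related attributes from every DC directly rather than through a GUI that may be bound to a different server each time. The relevant facts: badPwdCount and badPasswordTime are not replicated between DCs (each DC keeps its own copy), lockoutTime is replicated and is 0 when the account is not locked out, and bad-password attempts are forwarded to the PDC emulator, so that is where lockout state converges and where an unlock should be performed so that NT4 BDCs (which replicate only from the PDC emulator) also see it. The script below is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which postdates the Windows 2000 environment in the thread, and the function name Get-LockoutStatePerDC and the account 'jdoe' are placeholders.

```powershell
# Added example, not from the thread. Shows what every DC in the domain
# currently holds for one account's lockout-related attributes, so an admin
# can see whether DCs (including the PDC emulator) disagree before unlocking.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
function Get-LockoutStatePerDC {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $pdc = (Get-ADDomain).PDCEmulator
    # badPwdCount and badPasswordTime are not replicated; each DC keeps its own.
    # lockoutTime is replicated and is 0 on an account that is not locked out.
    $attrs = 'lockoutTime', 'badPwdCount', 'badPasswordTime', 'LockedOut'

    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = [ordered]@{
            DC              = $dc.HostName
            PDCEmulator     = ($dc.HostName -eq $pdc)
            LockedOut       = $null
            LockoutTime     = $null
            BadPwdCount     = $null
            BadPasswordTime = $null
            Error           = $null
        }
        try {
            # -Server forces the read from this DC's own copy of the object,
            # instead of whichever DC the module happened to bind to.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties $attrs -ErrorAction Stop
            $row.LockedOut   = $u.LockedOut
            $row.BadPwdCount = $u.badPwdCount
            if ($u.lockoutTime)     { $row.LockoutTime     = [DateTime]::FromFileTime($u.lockoutTime) }
            if ($u.badPasswordTime) { $row.BadPasswordTime = [DateTime]::FromFileTime($u.badPasswordTime) }
        } catch {
            # Unreachable DC, or the object has not replicated there yet.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage ('jdoe' is a placeholder account): list the per-DC view with the
# PDC emulator first, then unlock on the PDC emulator so the change reaches
# NT4 BDCs (which replicate only from it) as well as the other AD DCs.
Get-LockoutStatePerDC -SamAccountName 'jdoe' |
    Sort-Object PDCEmulator -Descending |
    Format-Table -AutoSize

Unlock-ADAccount -Identity 'jdoe' -Server (Get-ADDomain).PDCEmulator
```

A DC whose BadPasswordTime keeps advancing after the unlock identifies where the bad credentials are being submitted from (the logon server of the user's workstation, a service, or a mail client with a stale password, as the other replies in the thread suggest); a DC that still shows LockedOut after the PDC emulator was unlocked has a replication problem rather than a lockout problem.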