We've had similar occurances, and chased a lot of ghosts and when it's all said and done, in *every* instance it was a case of the user logging in to more than one system, even though they'll swear up and down that they aren't. Sometimes it's been a case of physically logging into more than one system, sometimes it's been because they've used their network id for a service account.
Rule #1: Don't believe a word they say. Rule #2: When in doubt, see rule #1. Mark -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 27, 2002 6:38 AM To: [EMAIL PROTECTED] Subject: Re: NT4 Account keeps getting locked out! I past experience i have had the same problem. Solution: CAPS LOCK > > Network info: > > NT 4 server network with W2KPro clients. > > > Situation: > > We have a user that keeps getting their NT account > locked out for reasons that we are not yet aware. > Unable to get much info from Event Viewer on NT4 > servers or W2KPro client. Don't know if this is > being done by someone intentionally (somewhere on > the network or from the client's computer) just to > give us a hard time, or a rouge program somewhere on > the network or client's computer trying to logon as > that > user. At this time, we are not ruling anyone out, > everyone is suspect. We have replaced the client's > computer (not totally, user copied shortcuts and > some files back to the new desktop...I know, if it > was up to me they would not have been allowed to do > this, but it's not up to me) and the account is > still getting locked out. We are in the process of > creating a new NT account for this user and see if > it still occurs. > > > Bottom Line: > > We need to find out what is causing this account to > get locked out and prevent it from happening again. > > > Some thoughts: > > Is there third party software that will be able to > determine what is causing this account to get locked > out? Some sort of sniffing program on the server or > the client to find out what program is trying to > logon with this account and from where? > > If this is a user doing this intentionally, what are > they doing and from where? Are they trying to > connect remotely to the client?s registry, or to a > share on the > client computer? > > Is there third party software that can help? > > Any suggestions/recommendations welcome. > > > > Thanks, > Jack > > >
