Accounts being locked in Active Directory 2003
Hi there, we "upgraded" our AD from 2000 to 2003 a couple of months back and still have a few problems. User accounts seem to get locked frequently. We have an IIS app server (2003) that is supposed to use integrated authentication but I think it has problems. Whenever someone changes their pwd then trys to open the intranet app it is prompted for a pwd. Neither the new or the old one works and the account becomes locked. This sometimes happens with Outlook 2003 too. This didn't happen with AD 2000. Still running AD in 2000 mode, haven't the courage to change to 2003 native yet! Also does anyone know of any problems applying 2003SP1 to 2003 DC's?
thx!
Brian
Software/Hardware used:
Software/Hardware used:
ASKED:
April 28, 2005 12:46 AM
UPDATED:
May 3, 2005 9:26 AM
RELATED QUESTIONS
Answer Wiki:
Since no one else is taking this question, I'll give it a shot. Be forewarned, I don't know how accurate this may be. I haven't played around with IIS 6.0.
First things first: I'm assuming that you are using authentication to the Active Directory in IIS 6.0. Also, I'm assuming you are changing your passwords in the normal manner of either forcing the user to change it on logon or during a normal expiration period.
The first thing that comes to mind is that you have the group or local security policy setting of "Store passwords using reversible encryption" and/or "Do not store LanManager passwords at next password change" set. The only reason that I can see that this would cause a problem is if your IIS application is using the older LanManager authentication, however. If so, update it to use NTLM.
It could be some of the security changes in IIS 6.0 that are messing you up, but I doubt it because you are hopefully using Active Directory authentication with the previous web app.
If you have multiple domain controllers, it could be a synchronization issue between the DCs. You can force a replication using the "Sites and Services" administrative application. Otherwise, you may have to wait 15 minutes afer changing a password to use the web app.
Hope one of these puts you in the right direction.
Sonyfreek
To see all answers submitted to the Answer Wiki: View Answer History.
Sounds like you have either replication issues or you have not given the correct permissions to your app in IIS. Have you tried cranking up the app to run as the local system rather than a network service? This should tell you if your permissions are skewed. I have had issues with the permissions on the App Pool.
Otherwise look for errors in getting AD data about the place, there may be conflicts arising due to stale data.
As to 2003SP1 – it works fine if you just install it over the top, it doesn’t actually turn on the firewall or stop any services until you run the security config wizard. When you run the SCW be very careful about stuff you may need in future as it’s a snapshot tool and disables everything you are not immediately using, like the intersite transport service, for example.