Domain Controller in Windows Server 2003
Home > IT Answers > Microsoft Windows > Domain Controller in Windows Server 2003
Abibam01
10 pts.
0
Q:
Domain Controller in Windows Server 2003
Windows Server 2003, Domain Controller, Windows Server User Profiles, Windows server administration
Hi, Pls I have a challenge with my Domain Controller. Recently, the DC just lock-out users' accounts ndiscriminately (i mean a user log-on today and wake up tommorrow and the account is locked out). I have to unlock users' account almost everyday. Pls what is responsible for this and what can I do?

Note: This was not happening before and I did not configure any security setting to warrant this.



Software/Hardware used:
Windows 2003
ASKED: Sep 7 2009  9:17 AM GMT
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
RELATED QUESTIONS
0
Labnuke99
26290 pts.
0
A:
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
  • AddThis Social Bookmark Button
By default Windows 2003 domains will lock a computer out if the incorrect password is used enough times. Sounds like someone is attempting to break into your domain through VPN, Outlook Web Access, or some other services which is exposed on the Internet.

=====================

It is very likely that there is some malware running loose on your network. We have seen the same thing happen due to virus infected machines. Take a look at my blog Tracking down that user/computer that locks AD accounts. It could take a while to track down and correct the source of the problem if you have a very distributed environment (like we do).
Last Answered: Sep 8 2009  11:35 AM GMT by Labnuke99   26290 pts.
Latest Contributors: Mrdenny   46795 pts.
  •   
0
0
RSS - Discussions Help
Discuss This Answer:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _



_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Gabe9527   2410 pts.  |   Sep 7 2009  12:33PM GMT

Have you made any changes lately to your AD environment?
Do you have any policies that could be at fault?
anything realy to help in finding the solution……

 

Gabe9527   2410 pts.  |   Sep 7 2009  12:37PM GMT

This may help you in finding out what is happening….

Account Lockout Tools
 <a href="http://technet.microsoft.com/en-us/library/cc738772%28WS.10%29.aspx" title="http://technet.microsoft.com/en-us/library/cc738772%28WS.10%29.aspx" target="_blank">http://technet.microsoft.com/en-us/libra…</a>

This will give you the following informaiton

# DC Name: Displays all domain controllers that are in the domain.
# Site: Displays the sites in which the domain controllers reside.
# UserState: Displays the status of the user and whether that user is locked out of their account.
# Bad Pwd Count: Displays the number of bad logon attempts on each domain controller. This value confirms the .domain controllers that were involved in the account lockout.
# Last Bad Pwd: Displays the time of the last logon attempt that used a bad password.
# Pwd Last Set: Displays the value of the last good password or when the computer was last unlocked.
# Lockout Time: Displays the time when the account was locked out.
# Orig Lock: Displays the domain controller that locked the account (the domain controller that made the originating write to the LockoutTime attribute for that user).

With this you might get hints as to what is doing this.

 
0