RE: Account lockout

["Smith, Paul C." <Paul.C.Smith () snapon com>]

If you are running NT4 domains, make sure all your DC's have not run into
max registry size limits. NT4 has a neat feature in that when the max
registry size is reached the BDC will load an older version of the SAM that
won't exceed the max registry size. The older version of the SAM may have
the older password in it.

Also, when you say you relogged on, do you leave your workstations locked
with this account, or do you log off them? Do you have any network drives
mapped when you do logon with this account?

Lastly, make sure all your BDC's are synchronizing correctly. Use the dommon
utility, which I think is from the RK to check, or use the CLI netdom query
to check the BDC's status. 

Then force a sync on the domain, wait for a minute or so, change the
password on the account and force another synch. Passwords should synch
immediatly, but if the account is logged on a machine and is using network
shares, it can cause an immediate lockout.

Also, you should restrict who uses the admin account. There should be a very
select group of people who have access to the account. Any admin functions
you need to do on any server, should be done through your personal Domain
Admin account. This will increase your ability to audit who is doing what on
the servers. If 20 people have the admin account credentials, then you don;t
know who is using it for what. If you need accounts to run services, create
new accounts, and give those accounts only the permissions they need to do
their job. If a server needs to remained logged on because an application
cannot run as a service, create a local account on that machine to run the
application under, if the account doesn't need network access, and limit who
knows that account.

Best of luck, sounds like you have some work ahead of you.

Paul



-----Original Message-----
From: Alex Tarata [mailto:atarata () bigpond net au]
Sent: Saturday, January 11, 2003 10:42 PM
To: security-basics () securityfocus com
Subject: Account lockout


Hi all,

Im not sure if this is the right place to post this but anyway here it goes:
recently at our organization we have changed an admin password on the domain
controllers and we had to reboot all the servers involved and relog them
with the new password. All went good apart from some small things we have
managed to solve. The problem occured when some guy changed the password on
the DCs again thinking the password was wrong. When he found out that the
password was indeed right he changed it back to what it was initially. Now
we are experiencing problems with account lockouts very often. What I am
thinking is that the servers might need to be rebooted and relogged with the
password AGAIN. Is this true or should I look for another cause of the
lockout ?

Just to make more clear what we did when we changed the pass is: we changed
the pass on all the scripts using that account, checked all the services
using that account, checked all the web, SQL services that could be using
that account and also the scheduled tasks.

But obviosly there is something wrong as the account is still being locked
out. If you have any ideas please mail me as this is very important and I am
running out of ideeas.


Regards,
Alex