Security Basics mailing list archives

RE: Account lockout


From: "Benjamin Meade" <ben () lanwest com au>
Date: Wed, 15 Jan 2003 08:32:50 +0800


I had something close to the same problem, where one of my desktop machines was locking out an account on our file server, and blocking the person who needed to use the account. I turned on logon auditing on the server, and it gave me the machine and service that was trying to log on to the server and locking out the account.

Benjamin Meade
Systems Administrator
LanWest Pty Ltd


-----Original Message-----
From: Smith, Paul C. [mailto:Paul.C.Smith () snapon com]
Sent: Tuesday, 14 January 2003 10:50 PM
To: 'atarata () bigpond net au'; security-basics () securityfocus com
Subject: RE: Account lockout

If you are running NT4 domains, make sure all your DCs have not run into max registry size limits. NT4 has a neat feature in that when the max registry size is reached the BDC will load an older version of the SAM that won't exceed the max registry size. The older version of the SAM may have the older password in it.

Also, when you say you relogged on, do you leave your workstations locked with this account, or do you log off them? Do you have any network drives mapped when you do logon with this account?

Lastly, make sure all your BDCs are synchronizing correctly. Use the dommon utility, which I think is from the RK to check, or use the CLI netdom query to check the BDCs' status.

Then force a sync on the domain, wait for a minute or so, change the password on the account and force another synch. Passwords should synch immediately, but if the account is logged on a machine and is using network shares, it can cause an immediate lockout.

Also, you should restrict who uses the admin account. There should be a very select group of people who have access to the account. Any admin functions you need to do on any server should be done through your personal Domain Admin account. This will increase your ability to audit who is doing what on the servers. If 20 people have the admin account credentials, then you don't know who is using it for what. If you need accounts to run services, create new accounts, and give those accounts only the permissions they need to do their job. If a server needs to remain logged on because an application cannot run as a service, create a local account on that machine to run the application under, if the account doesn't need network access, and limit who knows that account.

Best of luck, sounds like you have some work ahead of you.

Paul



-----Original Message-----
From: Alex Tarata [mailto:atarata () bigpond net au]
Sent: Saturday, January 11, 2003 10:42 PM
To: security-basics () securityfocus com
Subject: Account lockout


Hi all,

I'm not sure if this is the right place to post this but anyway here it goes: recently at our organization we have changed an admin password on the domain controllers and we had to reboot all the servers involved and relog them with the new password. All went good apart from some small things we have managed to solve. The problem occurred when some guy changed the password on the DCs again thinking the password was wrong. When he found out that the password was indeed right he changed it back to what it was initially. Now we are experiencing problems with account lockouts very often. What I am thinking is that the servers might need to be rebooted and relogged with the password AGAIN. Is this true or should I look for another cause of the lockout?

Just to make more clear what we did when we changed the pass is: we changed the pass on all the scripts using that account, checked all the services using that account, checked all the web, SQL services that could be using that account and also the scheduled tasks.

But obviously there is something wrong as the account is still being locked out. If you have any ideas please mail me as this is very important and I am running out of ideas.


Regards,
Alex
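The approach Benjamin describes (turn on logon auditing, then let the failed-logon records name the machine and service still presenting the old password) and Paul's point that a shared admin account cannot be attributed to anyone are both things you can check mechanically once the Security log is exported. The following script is an added example for this thread, not code from any of the posters; it works on a constructed CSV export whose column names (`time`, `event_id`, `account`, `workstation`, `logon_type`, `service`) are an assumption about how the log was exported. The event IDs are the classic Windows Security log ones: 529 for a logon failure with a bad password, and 539 or 644 for an account being locked out.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Classic (NT4/2000-era) Security log event IDs.
BAD_PASSWORD = {"529"}       # logon failure: unknown user name or bad password
LOCKED_OUT = {"539", "644"}  # logon failure: account locked out / user account locked out

# Constructed sample export. The machine names, account names and timestamps
# are made up for this example; the column layout is an assumption.
SAMPLE_EXPORT = """\
time,event_id,account,workstation,logon_type,service
2003-01-14 09:01:02,529,admin,WS-ACCOUNTS,3,Workstation
2003-01-14 09:01:04,529,admin,WS-ACCOUNTS,3,Workstation
2003-01-14 09:01:07,529,admin,WS-ACCOUNTS,3,Workstation
2003-01-14 09:01:10,529,admin,WS-ACCOUNTS,3,Workstation
2003-01-14 09:01:12,529,admin,WS-ACCOUNTS,3,Workstation
2003-01-14 09:01:15,644,admin,WS-ACCOUNTS,,
2003-01-14 09:02:30,529,admin,WEBSRV1,5,BackupAgent
2003-01-14 09:30:00,528,jsmith,WS-JSMITH,2,
2003-01-14 09:31:11,529,jsmith,WS-JSMITH,2,
"""


def parse_events(export_text):
    """Parse the CSV export into a list of dicts with a real datetime in 'time'."""
    events = []
    for row in csv.DictReader(StringIO(export_text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events


def find_lockout_sources(events, window=timedelta(minutes=30)):
    """For every account that was locked out, rank the (workstation, service)
    pairs that produced bad-password failures in the window before the lockout.
    The top entry is the machine or service still holding the old password."""
    sources = {}
    for lock in events:
        if lock["event_id"] not in LOCKED_OUT:
            continue
        acct = lock["account"]
        counts = Counter()
        for ev in events:
            if (ev["event_id"] in BAD_PASSWORD and ev["account"] == acct
                    and lock["time"] - window <= ev["time"] <= lock["time"]):
                counts[(ev["workstation"], ev["service"])] += 1
        sources[acct] = counts.most_common()
    return sources


def distinct_failure_sources(events):
    """Count distinct workstations producing bad-password failures per account.
    A shared admin account failing from several machines is exactly the
    attribution problem that per-person admin accounts avoid."""
    seen = {}
    for ev in events:
        if ev["event_id"] in BAD_PASSWORD:
            seen.setdefault(ev["account"], set()).add(ev["workstation"])
    return {acct: len(ws) for acct, ws in seen.items()}


def report(export_text):
    """Human-readable summary: who got locked out, by whom, and which accounts
    are being used (and failing) from more than one place."""
    events = parse_events(export_text)
    lines = []
    for acct, ranked in find_lockout_sources(events).items():
        lines.append(f"{acct}: locked out; bad-password sources before lockout:")
        for (ws, svc), n in ranked:
            lines.append(f"  {ws:<14} service={svc or '-':<12} failures={n}")
    for acct, n in distinct_failure_sources(events).items():
        if n > 1:
            lines.append(f"{acct}: bad-password failures from {n} distinct "
                         f"workstations; check every place this password is stored")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

On the sample data the lockout of `admin` is attributed to the five failures from WS-ACCOUNTS in the preceding half hour, while the later failure from WEBSRV1 falls outside the window and is reported separately as a second place where the old password is still stored. The window and the event IDs are the knobs to adjust for a different log format or lockout threshold.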

