I keep getting locked out for no apparent reason.

[anabavi]

Hello!

I'm a semi-administrator on an NT network, i.e. I don't have the right to manage my account or access the server, just manage other accounts. I'm on an NT Workstation 4.0 sp6 and since Monday morning I get locked out of my account several times a day. Of course, since I'm not a full-fledged administrator I cannot unlock my account.

I've spoken with the network administrators and they can't figure anything out. For example, I just tried to log in to a second machine and found I was locked out after entering my login info only once, not three times which is our lockout threshold. I called up the LAN team and they said their log showed my account was locked out when I logged onto the other machine, not before.

Usually this happens when either I work on a user's machine and they forget to change the username field and just type their password, locking me out, or I map to a drive from their account and forget not to make it persistent; When they log back in my login tries to map all these drives.

When I am locked out I can still access my mail, access some network drives, access User Manager, etc. Except for once I was never completely locked out but I wasn't able to log off and log in again. This morning I had my account unlocked and consecutively logged on and off my machine five times without a problem. I disconnected all my network drives and let the login script remap them just to make sure I didn't map them incorrectly. No problem at all, but give it a couple hours or so and I get locked out again.

SO . . . what the heck is going on here? I'd appreciate help or sympathy. Thanks.

 

[ShackDaddy]

Anabavi, I can imagine how frustrating this is, but I would sympathize even more if I could clear something up...

How can you say that you are:

1. Using NT Workstation
2. Getting locked out
3. Still able to access network drives and mail?

What I interpret as being locked out is unable to get beyond the logon dialog. What are _you_ meaning? Do you mean that you are logged on to one machine, and then locked out of another, but can still access resources on the first machine? If so, that's normal, since your logged on machine has a valid logon token that allows you access to all your standard resources without checking your lock-out settings in the main database. What error message do you get that leads you to say to yourself, "Damn, not again!"? Answering this will help us diagnose the problem.

 

[anabavi]

I understand the paradox. I don't get it either.

I log on error-free to one machine. I may log onto another machine error-free. I reboot the second machine and find my "account is locked out". I go to my first machine and try to access a particular network drive and it's not accessible. My mail still works though because I started Outlook before my account was locked out.

Maybe one server is locking me out? maybe? I have no idea. I literally have partial access when this happens. One thing is constant: when I get the message that I'm locked out I am unable to reboot and log into any machine, even my own.

I hope that helped.

 

[ShackDaddy]

One possible reason might be that the administrators in your domain royally jacked up the domain controller's account synchronization, and one of the domain controllers that *sometimes* authenticates you has a different password on file for you than the other(s) do(es). That would cause this problem.

Or one of the two machines isn't actually connected to the network and is using cached information about your password (which may not be correct) and thus you may be able to log on to one and not to the other.

Something more we need to know is whether another account can be used to log on to the two machines repeatedly with no problems, and whether the problem extends beyond just your own account. Have a new account created in the domain and try logging on with it on both workstations. If one of them isn't really on the network, that will come out then, and if you have a lame BDC, that might turn up as well.

 

[Airforce1]

I have this same problem with 1 user out of dozens. She is on W98 logging to a W2K CD. She is using her PC, and bame, she is locked out of the network. I check AD, and sure enough, the box is checked "Account is locked out". I have unlocked her account only to have it lock again within one minute even though she has not even been sitting at the PC!!

 

[Norwich]

Sounds like the NT system is configured to lock-out/disable acoounts on 'X' number of failed attempts for any particular user.

Thees failed attempts could be other users trying to log on to their accounts with their passwords but your username - after having used that workstation yourself.

To check this, provided the domain controller is configured to log security events, use the PDC's event log to look out for and identify the source of failures for your account in the security log.

Another cause of this could be the presence of services or applications that have been configured to use your account name in NT authentication but have not been updated with altered passwords.

I have also know MS Proxy Server to cause these failures when it's configured for user authentication and a browser connection remains open when a users password is changed - IE carries on using the old password previously authenticated but proxy fails in it's own authentication.

Without an NT box to hand, I can't recall if this failure limit is just a global setting or can be disabled on a per user basis (aside: even when global, it never effects the status of the administration account).

Norwich