NT Admin local account locked out(HOW COULD THIS BE)

[deh]

Hi,
I was talking to someone on the phone. They were at a server (NT 4.0 sp4
pdc, small domain in a small private LAN).
She claims that whan at the server she tries to log on as Administrator and
gets "Account locked out" message.
I am aware of the many utilities for cracking passwords and have as a matter
of fact cracked 2 with a Linux utility I have but that's not the issue.

My main question is:

How can
the Administrator account be getting that message? I thought this was impossible to keep the local admin account of the server off.
Just to make double sure, I tried to replicate the problem so on a practice server, same
specs same installed options I set the policies so that All users would be locked out after 3 tries
and duration would be forever.
I then purposely and continually put in the wrong password. Not once did I
get a locked out message. Once I did log on though and went to Administrator
properties Locked out was checked but it appears that this would probably
only apply when trying to log on accross the network but will still you
allow to logon locally to the server-which is what I thought should be the
case and is what happened. (Would be pretty weak if Joe Smo could just type in Administrator,
put in 3 bad passwords and ruin any chance of accessing administrator even
locally). I even tried to disable the account in user manager and it wouldn't allow me to do that either.

So why is she getting this message? She says she is indeed trying to logon
directly from the server.
Any ideas.

Note: Nothing special was added. The administrator account was not renamed. No NOVELL.

Thanks in advance,
D

PS. One of MS's own MCSE recommended I purchase a password hack utility. Ummm that wasn't the question I was asking as I even stated to her I have 2 Linux based crack utilities that I have successfully used in practice b4. Once again HOW DID THE ADMINISTRATOR ACCOUNT GET LOCKED OUT LOCAL TO THE SERVER?

 

[Kjonnnn]

Are you/she sure it just didnt say that it was LOCKED and maybe she's forgotten the password?

 

[deh]

Hi,
That's what I was thinking but I had her take a breather, called her back went back to the server. She then reported that she got the error message I was hoping for "Make sure username and password is correct.........." but turns out she mistakenly misspelled administrator. Once she corrected the spelling for administrator she once again read off to me "Account locked out".


Someone help, this doesn't make sense.

 

[setnaffa]

Well, it's not simple; but! you can remove the right to log on locally for the local admin group (see note 1)... requires a bit of work to restore...

Can anyone log on with any account? Is there a "good" backup?

In this case, there's a bit of question about any other hinky stuff like making account lockout time "0" (lockout is permanent and requires administrator to reset). Might be the server (is/has been) under attack? Has someone been playing with the System Policy Editor? I know that can affect the local admin account rather dramatically...

BTW, how long since the last scheduled maintenance/reboot? Windows, for all of the really good things, still requires more "handholding" than Unix or Novell...

I wish I had the answer; but with Windows, it's often something that rebooting fixes... check your event logs when you get the chance and try to have more than one local admin account to prevent this type of thing...


Note 1: "You May Not Remove the Local Logon Right from the Administrators Local Group" Error Message When You Edit User Rights (Q321020)

Note 2: Troubleshooting Access and Permission Problems

Choose the appropriate course of action to take to resolve resource access problems and permission problems.

If you can't log on, first make sure you are using the correct username and password. Also, make sure that the correct domain or workgroup (or the local machine) is selected in the Domain drop-down list of the Logon dialog box. If you still can't log on, try logging on using another account. If other accounts are working normally, check the settings for your account in User Manager for Domains. If you can't log on from any account, repair the accounts database by using the emergency repair process.

One of the worst culprits for logon problems is the Caps Lock key. If you (or another user) cannot log on, make sure you are not typing the password in all caps.

If a user can't access a file, a share, a printer, or some other resource, check the resource permissions. Try connecting using a different account. Try accessing a similar resource to see whether the problem also appears there. Make sure the user has spelled the name of the resource correctly.

Check the Control Panel Services application to ensure that the NetLogon service, the Server service, and the Workstation service are running properly, and then check the Bindings tab in the Control Panel's Network application to ensure that the services are bound to applications and adapters. The NetLogon service must be started on both the NT computer that you are logging in from and the domain controller that will validate your logon. This service is the mechanism that transmits and receives account name and password information and ensures that domain security can validate it.

You can also check User Manager for Domains to verify that the user's group memberships haven't changed or that a change to a group rights setting hasn't inadvertently denied the user access to the resource.

Check System Policy Editor for restrictions on the user's access to computers or other resources.

Setnaffa is an MCSE-4.0 (working on W2K) with a few other certs, too...