Random Account Lockout

gfunk123 (IS-IT--Management, joined May 22, 2001, 143 messages, location GB)

Really strange one this. Monday morning, between 20 and 30 accounts decided to lock out ('Account disabled' in User Manager) for no reason. There was no major (or even minor) network change over the weekend. When the user's password is reset, it immediately locks out again up to three times, then it will be OK for a day or two and then the problem will reappear. I have actively witnessed this occurring without the password being entered incorrectly, so it's not that. Has anybody got any idea what is going on?

Cheers
 
I sympathize with you. Had this problem months ago. The solution is: Go to User Manager for Domains\Policies\Account. If you have "Password Never Expires" with the dot in it then you cannot have "Users Must Logon in Order to Change Password." This Account disabling will only happen to the users who have a Check Mark next to "User cannot change password" in their account properties. Hope this answers your question.
 
Thanks, but we have a 45-day change policy, so we don't have that conflict. Interesting development though: it is now locking people out whilst they are logged in. For example, they will log on successfully in the morning and at lunchtime lock their screens. Upon return they will call us saying they can't get back in. In User Manager 'account disabled' is checked. We then have to unlock their screens with an admin password, subsequently losing all unsaved work.

Any ideas, anyone?
 
I haven't confirmed this yet, but I have had 2 cases of this happening today, both of whom had changed their password earlier on in the day (scheduled 45-day change). Could it be possible that the two are linked?

Also, as a temp measure, I have disabled account lockout in User Manager's account policy screen. Will this stop the problem or am I asking for more trouble by doing this?

My User Manager account policy settings have historically been as follows:

Max password age = expires in 45 days
Min password age = allow changes immediately
Min password length = at least 6 characters
Password uniqueness = remember 10 passwords
Account lockout = after 3 bad attempts
Reset count = after 90 minutes
Lockout duration = forever until admin unlocks
Forcibly disconnect when logon hours expire = checked
Users must log on to change password = unchecked

Any further help would be greatly appreciated.

Thanks
 
Sorry, one more thing. Here is one of the hundreds of similar entries in our PDC's security log, if it helps at all:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 14/01/2002
Time: 16:54:49
User: NT AUTHORITY\SYSTEM
Computer: HCCPDC01
Description:
User Account Locked Out:
Target Account Name: xxxxxx
Target Account ID: S-1-5-21-1991784751-766789605-313073093-2013
Caller Machine Name: \\PCHCK248
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)

 
gfunk,

Just curious, are you running SMS 1.2 on your network?
 
No, we're running SMS 2.0 Service Pack 3. I read that article that you linked to above and I couldn't find anything relative on there. Do you think SMS 2 could also cause a problem?
 
I think it could be some type of service/application etc. that is trying to log on with their old password and causing it to be locked out. When you go through the security log on the domain controller, do you see logon failure events for those accounts before they are actually locked out?
 
No, it just goes straight to the lockout. I literally have hundreds of consecutive entries in the security log, each one an 'error 644', with no logon failure entries at all. Do you know what the 'caller machine name' entry in the log is? Is it the machine that the lockout was initiated from?

Also, just looked through the log and the SMS service account got locked too; have just unlocked it.
 
I really think SMS might have something to do with your problem. Can you kill all SMS services on one of the workstations and see if the account still continues to be locked out? Caller Machine Name should in fact be the machine where the lockout was initiated from (i.e. the failed logins came from this machine).
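The two checks suggested in this thread (look for logon failure events for an account before its 644 lockout, and use Caller Machine Name to find where the lockouts originate) are easy to automate over a text export of the security log. The following script is an added example for this thread, not code posted by any participant. It assumes the log has been exported as text with the same "Field: value" layout as the entry quoted above, that lockouts are Event ID 644 (as in the quoted entry) and bad-password attempts are the classic NT Event ID 529 (Logon Failure: unknown user name or bad password), and that the 90-minute reset window from the policy list above is the correlation window. The sample entries embedded below are constructed for illustration.

```python
"""Correlate account-lockout audit entries (Event ID 644) with the logon-failure
events (Event ID 529) that should precede them, and tally lockouts per caller
machine. Added example; not code from the thread. Field layout is assumed to
match the security-log entry quoted in the thread."""
import re
from datetime import datetime, timedelta

# Constructed sample export: one bad-password event for 'alice' from PCHCK248,
# then 644 lockouts for 'alice' and 'bob'. 'bob' has no preceding failure, which
# is the symptom described in the thread (lockout with no logon failure at all).
SAMPLE_LOG = r"""
Event ID: 529
Date: 14/01/2002
Time: 16:10:02
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: alice
Workstation Name: PCHCK248

Event ID: 644
Date: 14/01/2002
Time: 16:54:49
Description:
User Account Locked Out:
Target Account Name: alice
Caller Machine Name: \\PCHCK248

Event ID: 644
Date: 14/01/2002
Time: 16:55:10
Description:
User Account Locked Out:
Target Account Name: bob
Caller Machine Name: \\PCHCK248
"""

LOCKOUT_ID = "644"        # User Account Locked Out (as quoted in the thread)
LOGON_FAILURE_ID = "529"  # Logon Failure: unknown user name or bad password
RESET_WINDOW = timedelta(minutes=90)  # 'reset count after 90 minutes' policy above


def parse_events(text):
    """Split a text export on blank lines; each event becomes a dict of
    'Field: value' pairs plus a parsed 'when' timestamp (dd/mm/yyyy, as quoted)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Event ID" not in fields:
            continue
        fields["when"] = datetime.strptime(
            fields["Date"] + " " + fields["Time"], "%d/%m/%Y %H:%M:%S")
        events.append(fields)
    return events


def correlate_lockouts(events, window=RESET_WINDOW):
    """For each 644 event return (account, caller_machine, preceding_failures),
    where preceding_failures counts 529 events for the same account within
    `window` before the lockout."""
    failures = [e for e in events if e["Event ID"] == LOGON_FAILURE_ID]
    results = []
    for e in events:
        if e["Event ID"] != LOCKOUT_ID:
            continue
        account = e["Target Account Name"]
        machine = e["Caller Machine Name"].lstrip("\\")  # drop the UNC prefix
        preceding = sum(
            1 for f in failures
            if f.get("User Name") == account
            and e["when"] - window <= f["when"] <= e["when"])
        results.append((account, machine, preceding))
    return results


def lockouts_per_machine(results):
    """Tally lockouts by Caller Machine Name to see where they originate."""
    counts = {}
    for _, machine, _ in results:
        counts[machine] = counts.get(machine, 0) + 1
    return counts


def unexplained_lockouts(results):
    """Lockouts with no bad-password attempt in the window: the thread's symptom,
    which points at a caller (service, cached credential) rather than a user."""
    return [(account, machine) for account, machine, n in results if n == 0]


if __name__ == "__main__":
    res = correlate_lockouts(parse_events(SAMPLE_LOG))
    for account, machine, n in res:
        print(f"{account}: locked out from {machine}, "
              f"{n} bad-password event(s) in window")
    print("lockouts per caller machine:", lockouts_per_machine(res))
    print("unexplained lockouts:", unexplained_lockouts(res))
```

Run against a real export, the per-machine tally narrows the search to the workstation (or server) doing the locking, and the unexplained list is the set of accounts where a service or scheduled job, rather than a person, is presenting credentials, which is the line of enquiry the last reply suggests.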
 