Joining a Windows 2000 Domain – User Account Lockout
We have a machine based in a remote office which had to be rejoined to the domain. I talked an end user through how to do this but their account didn't have local admin rights. Therefore, I reset my account details (which is a member of the domain admins group) and gave the user the password (bit of a bodge but it's a loooong story). He then proceeded to join the machine to the domain / reboot and everything appeared to be working correctly. Shortly after this I changed the password on my account and proceeded to carry on with my daily work. Now every time a user logs into this machine my domain account becomes locked out?!
Any ideas why / how this could have happened?
Thanks in advance,
Regards,
Luke
Comments
-
Cessation Member Posts: 326
It seems as though the machine still uses your account and password (that you provided to the user). And since you have since changed the password, the machine still uses the old one and locks you out.
Kind of tricky and I'm not sure exactly which process is doing it (sorry).
I have had almost the same problems.
We use local account computers for our external users and have them use a VPN connection to check email and share drives.
It's not that bad and I would maybe recommend it.
I know it doesn't help all that much, so I'm sorry.
Good luck!
Cess
A+, MCP(270,290), CCNA 2008.
Working back on my CCNA and then possibly CCNP.
-
bighornsheep Member Posts: 1,506
Why don't you create the object for the computer in AD, so the user doesn't need an account to join the domain?
Jack of all trades, master of none
-
LukeQuake Member Posts: 579
The computer object is already there, I just wanted to reset it because we were having other issues and it appeared to be related to domain trust.
Hmmm... the machine is correctly joined to the domain and other users can log in etc, but every time they do my account gets locked out!
I've checked all of the services "Log on as" and Scheduled Tasks - none are running under my account's security context.
-
jescab Inactive Imported Users Posts: 1,321
Is there anything in the Event Viewer.........
GO STEELERS GO - STEELERS RULE
-
sprkymrk Member Posts: 4,884
Try to delete your administrative profile on that machine. You can do it remotely like this:
delprof /p /c:\\computername /d:1
This will run through the computer profiles on the computer that have not been used for 1 day and prompt you to delete them, to which you can answer yes or no (Y/N). I'm not sure if it will help but it's worth a shot.
All things are possible, only believe.
-
LukeQuake Member Posts: 579
Already deleted all of the profiles and no, there is nothing helpful in any of the event logs. I checked both the DCs and the machines, no failed attempts / errors.
Confused as I am yet?
-
sprkymrk Member Posts: 4,884
LukeQuake wrote:
Already deleted all of the profiles and no, there is nothing helpful in any of the event logs. I checked both the DCs and the machines, no failed attempts / errors.
Confused as I am yet?
Being a domain account, is there anything in the DC event logs?
Oops, guess you already checked that. Sorry!
All things are possible, only believe.
-
sprkymrk Member Posts: 4,884
Any chance the user is covertly attempting to log on with the admin credentials you gave him? Maybe he thinks he forgot the password and has been attempting to "remember" it and trying to log on every so often?
All things are possible, only believe.
-
LukeQuake Member Posts: 579
Hmmm, I don't think so as the user is a well known member of the company and highly respected. I tested it today and it locks out as soon as someone logs into that machine.
-
dan_9141 Member Posts: 17
Not sure if this will help you but...
MS has a set of tools that can be downloaded called "Account lockout tools"
The item that may help you to determine the issue is: ALockout.dll Tool
The ALockout.dll tool and the Appinit.reg script are included in the ALTools package. ALockout.dll is a logging tool that may help you determine the program or process that is sending the incorrect credentials in an account lockout scenario.
http://technet2.microsoft.com/WindowsServer/en/library/b4145d9a-c4aa-4e0d-b5bc-cb14c7ff69cd1033.mspx?mfr=true
Can be downloaded here:
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
-
mzgavc Member Posts: 75
Try doing this.
Control Panel--->User Accounts--->Advanced Tab--->Manage Passwords
Delete any reference to you.
-
sprkymrk Member Posts: 4,884
Pick one. Just some ideas off the top of my head:
1. Move computer back to workgroup, reboot. Delete computer account in domain. Recreate (pre-populate) computer account in the domain and change "Join computer to domain:Default Domain Admins" to the user account of a user you can talk through the process of joining the domain again or else go onsite and do it yourself.
2. Reimage computer.
3. Copy the user account being locked out, modify the name slightly, and then delete the account that is being locked out.
I listed these in the order of my own preference. Let us know the outcome of whatever you try.
Oh, one more thought. You said you checked the services for stuff running under that account. What about scheduled tasks?
All things are possible, only believe.
-
Cessation Member Posts: 326
LukeQuake wrote:
mzgavc wrote:
Try doing this.
Control Panel--->User Accounts--->Advanced Tab--->Manage Passwords
Delete any reference to you.
No passwords stored here, any other thoughts? :S
I wonder if it would be the same as this....
Start / Run / control keymgr.dll
Delete all references in there.
Hope this works if it's not the same.
A+, MCP(270,290), CCNA 2008.
Working back on my CCNA and then possibly CCNP.
-
LukeQuake Member Posts: 579
sprkymrk wrote:
Pick one. Just some ideas off the top of my head:
1. Move computer back to workgroup, reboot. Delete computer account in domain. Recreate (pre-populate) computer account in the domain and change "Join computer to domain:Default Domain Admins" to the user account of a user you can talk through the process of joining the domain again or else go onsite and do it yourself.
2. Reimage computer.
3. Copy the user account being locked out, modify the name slightly, and then delete the account that is being locked out.
I listed these in the order of my own preference. Let us know the outcome of whatever you try.
Oh, one more thought. You said you checked the services for stuff running under that account. What about scheduled tasks?
Already checked the services and scheduled tasks! (first thing I did). I'll try the first option I think as reimaging won't make a difference IMO and I don't really want to rename my user account!
Thanks for all the help!
-
sprkymrk Member Posts: 4,884
LukeQuake wrote:
I've checked all of the services "Log on as" and Scheduled Tasks - none are running under my account's security context.
LukeQuake wrote:
sprkymrk wrote:
Oh, one more thought. You said you checked the services for stuff running under that account. What about scheduled tasks?
Already checked the services and scheduled tasks! (first thing I did).
Dang, that's twice in this thread I've done that. Sorry!
All things are possible, only believe.
-
LukeQuake Member Posts: 579
hehe, no problem! I appreciate all the help, this issue has really got me stuck.
-
LukeQuake Member Posts: 579
Right, I've deleted all of the local profiles (every single one) and it's still happening!!!!! Guess it's time to rejoin the machine to the domain but completely remove it from AD rather than just resetting it.
Any other ideas? :S
-
keatron Member Posts: 1,213
Any chance there is a network share that his computer is accessing via your account information?
-
LukeQuake Member Posts: 579
Potentially yes, but I only used my account one time to join the machine to the domain...
hmmm
-
LukeQuake Member Posts: 579
Rejoined the computer to the domain using a test account and this is STILL happening....
I'm seriously running out of ideas here, hmmm
-
sprkymrk Member Posts: 4,884
In local security policy are there any NTLM settings that might be causing it? LAN Manager authentication level set incorrectly?
Time to move to step #2.....
All things are possible, only believe.
-
LukeQuake Member Posts: 579
I had a bit of a brainstorm this morning. I remembered that on the same day that I was troubleshooting the original issue my PC crashed. At the time I had a RDC open to one of our DCs. True enough this RDC was still open but disconnected (we never configured a timeout period on this box). I logged the session off and so far so good, my account hasn't locked out!
Boy am I kicking myself now! - You've gotta love IT
-
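The cause found above was a disconnected Remote Desktop session that was still logged on with the old password. As an added example (not part of the original thread), this Python sketch parses `quser /server:<name>` output and flags disconnected sessions for one account; the server name DC01, the account names and the sample output are constructed.

```python
import re
import subprocess

# Constructed sample of `quser /server:DC01` output (not taken from the thread).
# A disconnected session has an empty SESSIONNAME column.
SAMPLE_QUSER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator         console             0  Active          .  3/12/2007 8:01 AM
 luke.admin                                1  Disc      2+03:14  3/10/2007 9:47 AM
 backupsvc             rdp-tcp#4           2  Active       1:05  3/12/2007 7:30 AM
"""

# The leading character is a space, or '>' for the caller's own session.
ROW = re.compile(
    r"^[ >]?(?P<user>\S+)\s+"
    r"(?:(?P<session>\S+)\s+)?"      # optional: blank when disconnected
    r"(?P<id>\d+)\s+"
    r"(?P<state>[A-Za-z]+)\s+"
    r"(?P<idle>\S+)\s+"
    r"(?P<logon>.+?)\s*$"
)

def parse_quser(text, server):
    """Turn quser output into session dicts; the header row does not match ROW."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["id"] = int(row["id"])
            row["server"] = server
            sessions.append(row)
    return sessions

def stale_sessions(sessions, account):
    """Disconnected sessions for `account`, which still hold the logon-time credentials."""
    return [s for s in sessions
            if s["user"].lower() == account.lower()
            and s["state"].lower().startswith("disc")]

def query_server(server):
    """Run quser against a live server (Windows only; needs rights to query sessions)."""
    out = subprocess.run(["quser", f"/server:{server}"],
                         capture_output=True, text=True).stdout
    return parse_quser(out, server)

if __name__ == "__main__":
    for s in stale_sessions(parse_quser(SAMPLE_QUSER, "DC01"), "luke.admin"):
        print(f"{s['server']}: session {s['id']} for {s['user']} idle {s['idle']}")
```

Running `query_server` over each DC and member server after an admin password change shows which leftover sessions to log off before they trigger lockouts.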
sprkymrk Member Posts: 4,884
Glad you posted the answer. So many times these threads end up hanging with no apparent resolution from the OP.
Glad you got it figured out.
All things are possible, only believe.
-
malcybood Member Posts: 900
*****EDIT***** I was beaten to it.....ah well
1. I would firstly try doing a system restore on the XP machine to the restore point before you logged in through the domain.
2. Failing that I would reimage the machine
Failing that (I'm more of a Novell Monkey and use console1 and nw admin so sorry if I'm way off), but.....................................
3............... could you not try a complete account recreation of your domain account (might be slightly diff for AD but you get the gist)
- back up exchange account & data on mapped drives
- removing your own domain login account from the network in Active Directory,
- recreate account then link/import exchange account & home/mapped drives to newly created domain account
You didn't say if you had reimaged the machine? I would definitely try system restore first then reimage before doing an account re-creation
Malc