Account lock-outs on AD.

Our support desk has been experiencing a number of consistent account lock-outs for some time now; it appears to be the same users all the time, of which there are around 10.

The other 400+ users don't experience the problem.

This is a Windows 2003 AD Domain with around 55 DCs; the above users with problems aren't using the same DC to authenticate.

Any ideas where to look or what to look at because event logs don't really reveal anything and our Windows engineers have run out of ideas? :confused:
 
Had a similar thing with accounts being locked out in this situation as they were trying to authenticate with a proxy server on another domain. This kept failing transparently and locked the accounts out.

- Pea0n

How did you go about diagnosing and fixing that? It could possibly be happening to us, as it does seem related to intranet access (i.e. that's the first thing they lose and hence realise they're locked out).
 
I'd be surprised if Kaspersky Enterprise didn't pick that up?

We've had a suggestion that setting the 'Account Lockout Threshold' to 3 is too low as Microsoft recommend 10?
 
You have 400 users and 55 DCs?

Do you have ActiveSync / Exchange? We usually find that users change their domain password but forget their PDA.

Remote sites are WAN linked over 1mbit, 10mbit or 100mbit 1-to-1 lines; each satellite office has its own DC which doubles as file and print.

Exchange 2003 yes, ActiveSync no. We use BES.
 
I've seen Conficker cause havoc on people's networks. Make sure your antivirus/Windows is up to date, that's for sure.

I'll have a word with our security team but I do know they push out new AV the day it's released, which is practically every other day!

Same goes for patching which is handled by a third party app but managed by security team.
 
We may have found something: it seems that Acrobat updater is running on the user PCs with the problem. Perhaps it's an account caching issue with this updater? We've disabled it for now and will see if it makes any difference.
 
Are there any services using their credentials with old passwords?

I.e. they have updated their password but not amended this on any services that run on PCs or servers.

We think we may have found the culprit: all the machines in question have Acrobat updater running in the background, so we've had service desk disable it as they find it. Fingers crossed it's that simple!
 