Tip & How-To about Computers & Internet

Understanding Windows account lockups

Common Causes for Account Lockouts

This section describes some of the common causes for account lockouts. The common troubleshooting steps and resolutions for account lockouts are also described in this section.

To avoid false lockouts, check each computer on which a lockout occurred for the following behaviors:

* Programs: Many programs cache credentials or keep active threads that retain the credentials after a user changes their password.

* Service accounts: Service account passwords are cached by the service control manager on member computers that use the account as well as domain controllers. If you reset the password for a service account and you do not reset the password in the service control manager, account lockouts for the service account occur. This is because the computers that use this account typically retry logon authentication by using the previous password. To determine whether this is occurring, look for a pattern in the Netlogon log files and in the event log files on member computers. You can then configure the service control manager to use the new password and avoid future account lockouts.

* Bad Password Threshold is set too low: This is one of the most common misconfiguration issues. Many companies set the Bad Password Threshold registry value to a value lower than the default value of 10. If you set this value too low, false lockouts occur when programs automatically retry passwords that are not valid. Microsoft recommends that you leave this value at its default value of 10. For more information, see "Choosing Account Lockout Settings for Your Deployment" in this document.

* User logging on to multiple computers: A user may log on to multiple computers at one time. Programs that are running on those computers may access network resources with the credentials of the user who is currently logged on. If the user changes their password on one of the computers, programs that are running on the other computers may continue to use the original password. Because those programs authenticate when they request access to network resources, the old password continues to be used and the user's account becomes locked out. To ensure that this behavior does not occur, users should log off of all computers, change the password from a single location, and then log off and back on.

Note
Computers running Windows XP or a member of the Windows Server 2003 family automatically detect when the user's password has changed and prompt the user to lock and unlock the computer to obtain the current password. No logon and logoff is required for users using these computers.

* Stored user names and passwords retain redundant credentials: If any of the saved credentials are the same as the logon credential, you should delete those credentials. The credentials are redundant because Windows tries the logon credentials when explicit credentials are not found. To delete logon credentials, use the Stored User Names and Passwords tool. For more information about Stored User Names and Passwords, see online help in Windows XP and the Windows Server 2003 family.

Note
Computers that are running Windows 95, Windows 98, or Windows Millennium Edition do not have a Stored User Names and Passwords file. Instead, you should delete the user's .pwl file. This file is named Username.pwl, where Username is the user's logon name. The file is stored in the Systemroot folder.

* Scheduled tasks: Scheduled processes may be configured to use credentials that have expired.

* Persistent drive mappings: Persistent drives may have been established with credentials that subsequently expired. If the user types explicit credentials when they try to connect to a share, the credential is not persistent unless it is explicitly saved by Stored User Names and Passwords. Every time that the user logs off the network, logs on to the network, or restarts the computer, the authentication attempt fails when Windows attempts to restore the connection because there are no stored credentials. To avoid this behavior, configure net use so that it does not make persistent connections. To do this, at a command prompt, type net use /persistent:no. Alternatively, to ensure current credentials are used for persistent drives, disconnect and reconnect the persistent drive.

* Active Directory replication: User properties must replicate between domain controllers to ensure that account lockout information is processed properly. You should verify that proper Active Directory replication is occurring.

* Disconnected Terminal Server sessions: Disconnected Terminal Server sessions may be running a process that accesses network resources with outdated authentication information. A disconnected session can have the same effect as a user with multiple interactive logons and cause account lockout by using the outdated credentials. The only difference between a disconnected session and a user who is logged onto multiple computers is that the source of the lockout comes from a single computer that is running Terminal Services.

* Service accounts: By default, most computer services are configured to start in the security context of the Local System account. However, you can manually configure a service to use a specific user account and password. If you configure a service to start with a specific user account and that account's password is changed, the service logon property must be updated with the new password or that service may lock out the account.

Note
You can use the System Information tool to create a list of services and the accounts that were used to start them. To start the System Information tool, click Start, click Run, type winmsd, and then click OK.
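
The checklist above can be run as one inventory on a current Windows computer. This is an added example, not part of the original tip; it assumes Windows 8 / Windows Server 2012 or later (for the Get-ScheduledTask cmdlet), and `$Account` is a hypothetical parameter holding the logon name of the locked-out account.

```powershell
# Added example (not from the original tip): list places on this computer that may
# still hold an old password for one account.
param(
    [Parameter(Mandatory)]
    [string]$Account   # hypothetical parameter: logon name of the locked-out account
)

# Matches DOMAIN\name, .\name, name@domain and a bare name.
$pattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'

# Services whose "Log on as" account is the affected user.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Detail = $_.StartName }
    }

# Scheduled tasks registered to run as the affected user.
$tasks = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{
            Source = 'ScheduledTask'
            Name   = $_.TaskPath + $_.TaskName
            Detail = "LogonType=$($_.Principal.LogonType)"
        }
    }

# Persistent drive mappings of the current session and the user name they connect with.
$drives = Get-CimInstance -ClassName Win32_NetworkConnection |
    Where-Object { $_.Persistent } |
    ForEach-Object {
        [pscustomobject]@{
            Source = 'PersistentDrive'
            Name   = "$($_.LocalName) -> $($_.RemoteName)"
            Detail = $_.UserName
        }
    }

# Entries saved in Stored User Names and Passwords that mention the account.
$stored = cmdkey /list | Select-String -SimpleMatch $Account |
    ForEach-Object {
        [pscustomobject]@{ Source = 'StoredCredential'; Name = 'cmdkey'; Detail = $_.Line.Trim() }
    }

@($services) + @($tasks) + @($drives) + @($stored) | Format-Table -AutoSize
```

Drive mappings and saved credentials are per user, so run the script in the affected user's own session; an administrator session lists more scheduled tasks but reports its own mappings and saved credentials.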

Other Potential Issues

Some additional considerations regarding account lockout are described in the following sections.

Account Lockout for Remote Connections

The account lockout feature that is discussed in this paper is independent of the account lockout feature for remote connections, such as in the Routing and Remote Access service and Microsoft Internet Information Services (IIS). These services and programs may provide their own unrelated account lockout features.

Internet Information Services

By default, IIS uses a token-caching mechanism that locally caches user account authentication information. If lockouts are limited to users who try to gain access to Exchange mailboxes through Outlook Web Access and IIS, you can resolve the lockout by resetting the IIS token cache. For more information, see "Mailbox Access via OWA Depends on IIS Token Cache" in the Microsoft Knowledge Base.

MSN Messenger and Microsoft Outlook

If a user changes their domain password through Microsoft Outlook and the computer is running MSN Messenger, the client may become locked out.

In this case, since the user has multiple devices connected to the exchange at a given time, if he changes the password without disconnecting the other devices, the account would get locked. You can inform him to disconnect all the devices from the exchange except for one machine to change the password, and then reconnect the other devices with the new credentials.


Thanks
Proton


Related Questions:

1 Answer

am having trouble with my account


If you're facing some trouble with your account, then it is better to analyze your overall account. Check your email ID and the internet connection from where your website is running. If your account is not opening properly, then it is better that you go through some troubleshooting steps to resolve your issue. These steps are very common, like forgotten password, Gmail is slow, unresponsive or not loading.

For More Info:- http://nationkart.com/

Apr 08, 2015 | Computers & Internet

1 Answer

my memory card is indicating error in the camera yet i have been using it. why?


There are several possible causes for "memory card locked", "memory card error", or "no memory card". The most common cause is having the tiny slide switch on the side of the card in the wrong position. The second most common is trying to use a 4GB or higher SDHC card with an older camera made before SDHC format came out. There are also other common causes if the above didn't help, with troubleshooting steps for this problem listed here.

And here's a video summary of the troubleshooting steps.

Aug 31, 2012 | Cameras

1 Answer

Kodak m530 not recognising memory card


There are several possible causes for "memory card locked", "memory card error", or "no memory card". The most common cause is having the tiny slide switch on the side of the card in the wrong position. The second most common is trying to use a 4GB or higher SDHC card with an older camera made before SDHC format came out. There are also other common causes if the above didn't help, with troubleshooting steps for this problem listed here.

And here's a video summary of the troubleshooting steps:

Aug 31, 2012 | Kodak EasyShare M530 Digital Camera

1 Answer

Dear sir, someone locked my Yahoo password. How can I recover my password?


From Yahoo.

This message is seen when an attempt to log in has failed multiple times. As a security measure, your account has been locked to prevent unauthorized users from being able to log in to it. If you have not recently tried to log in, this is not necessarily a cause for concern. Another Yahoo! user may have mistakenly used your ID when attempting to log in to their own account.
The lock on your account will expire 24 hours after it was first locked. Don't worry, the lockout time period won't reset each time you try to sign in while the account is still locked. You can try to sign in again after the lockout time has expired. Note: Yahoo! is unable to provide you with the exact time that your account was locked or when it will be unlocked.
If you are still unable to sign in with your new password, please see the password problems help page for some common reasons why you are seeing the "Invalid Password" error.

May 11, 2011 | Computers & Internet

1 Answer

I'm using my mobile phone to get into my Yahoo Messenger, but unfortunately I've encountered a reply that my account has been locked due to too many incorrect logins. How am I going to unlock my Messenger so I can use my mobile phone again to log in to my Messenger? Please help.


Account lockout has several means to resolvement. First, several attempts to login into an account with wrong usernames or passwords cause temporary lockout. In a situation that the wrong entity was attempting to attain access makes the account preserved until the appropriate usernames or passwords were provided. Allowing time to capture the reconfigurations becomes the methods to recapturing lockout. Circumstance causes from accounts that have network administrators require contacting the email, phone or chat specialist to recapture missing details to an authentic user experience. Alternately, accounts that have enabled prior notifications from network administrator to reproved missing details would be emailed or contacted with new resources about the compromised account features. In situations of urgency to recapture missing passwords or usernames requires contacting the experts or host entity to recover materials.

Mar 11, 2011 | Yahoo Messenger
