Security log chaos
Travis Kwekkeboom - 26 Jul 2004 16:23 GMT
This one has been bugging me for quite some time.  I have people on
Win9x boxes who keep getting their accounts locked out for reasons
beyond me.  1st I thought it might be a timing server issue (which it
might still be)

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Logon
Event ID:    681
Date:        7/20/2004
Time:        1:09:28 PM
User:        NT AUTHORITY\SYSTEM
Computer:    SLS-SERVER
Description:
The logon to account: XXXX XXXXXXXXX
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: \\XXXXXXXXXXXXXXX
failed. The error code was: 3221225578

and then

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Logon/Logoff
Event ID:    529
Date:        7/20/2004
Time:        1:09:28 PM
User:        NT AUTHORITY\SYSTEM
Computer:    XXXXX-SERVER
Description:
Logon Failure:
    Reason:        Unknown user name or bad password
    User Name:    SSSSSSSSSSSSSSSSSS
    Domain:        DomainName
    Logon Type:    3
    Logon Process:    NtLmSsp
    Authentication Package:    NTLM
    Workstation Name:    \\XXXXXXXXXXXX

and then

Event Type:    Success Audit
Event Source:    Security
Event Category:    Account Management
Event ID:    644
Date:        7/20/2004
Time:        1:14:53 PM
User:        Everyone
Computer:    XXXXX-SERVER
Description:
User Account Locked Out:
    Target Account Name:    XXXXXXXXXXXXXX
    Target Account ID:    XXXXXXXXXXXX\XXXXX
    Caller Machine Name:    \\XXXXXXXXXXXXXXXX
    Caller User Name:    XXXXXX-SERVER$
    Caller Domain:  DomainName
    Caller Logon ID:    (0x0,0x3E7)


and then

Event Type:    Success Audit
Event Source:    Security
Event Category:    Account Management
Event ID:    642
Date:        7/20/2004
Time:        1:14:53 PM
User:        Everyone
Computer:    XXXX-SERVER
Description:
User Account Changed:
    Account Locked.  
    Target Account Name:    XXXXXXXXXXXXXXXX
    Target Domain:    Domain Name
    Target Account ID:    XXXXXXXX\XXXXXXXX
    Caller User Name:    XXXXXXX-SERVER$
    Caller Domain: Domain Name
    Caller Logon ID:    (0x0,0x3E7)
    Privileges:    -

then the account has to be unlocked.

Anyone have any ideas?
It is a bothersome event.

TK

Follow-up: ******************

I have scanned the server for viruses from MANY sources and have come
up with negatives everywhere.  This only happens to 9x series
machines.  I have a time script running on startup to synch the time
to the server, that is about all I have done to these things besides
stock and SP's.

Help.

TK
Erik Veenhuijsen - 26 Jul 2004 18:01 GMT
Travis,

After how many attempts is your domain set to lock out a user account?
The error code displays that: User logon with misspelled or bad password

On win9x boxes I have seen that the first logon attempt is not accepted and a
domain logon error is displayed at the client, after which they try a second
time and then logon does occur. I found that the problem was related to
win9x machines not getting the correct wins server addresses from the dhcp
scope options.
Can you check that wins is installed correctly on your server and name
resolution does occur correctly at the workstation (win9x does not work with
dns name resolution).

Also this problem can occur with the server trying to connect to the client
with Kerberos authentication, which is something that a standard win9x can
not deal with. You should install the Active Directory client for win9x
pc's. This client you can find on one of the server installation cd's or on
the microsoft support website.

Greets,
Erik.

> This one has been bugging me for quite some time.  I have people on
> Win9x boxes who keep getting their accounts locked out for reasons
[quoted text clipped - 93 lines]
>
> TK
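Added example, not part of any post in this thread: a Python sketch that decodes the decimal error code from Event ID 681 into its NTSTATUS name and, for each Event ID 644 lockout, counts the 681 failures that preceded it and lists the workstations they came from. The account `jdoe`, the hosts `WS-ME-01`/`WS-ME-02`, the sample events and the 30-minute window are assumptions for illustration; only the event layout and the code 3221225578 come from the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# NTSTATUS values; Event ID 681 prints them as unsigned decimal.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

def decode_status(text):
    """Decimal error code from a 681 event -> (hex, symbolic name)."""
    code = int(text) & 0xFFFFFFFF  # also accepts signed 32-bit renderings
    return "0x%08X" % code, NTSTATUS.get(code, "UNKNOWN")

def field(block, label):
    m = re.search(re.escape(label) + r"[ \t]*(.+)", block)
    return m.group(1).strip() if m else None

def parse_events(log_text):
    """Split blank-line-separated Event Viewer text into event dicts."""
    events = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        stamp = "%s %s" % (field(block, "Date:"), field(block, "Time:"))
        events.append({"id": int(field(block, "Event ID:")), "text": block,
                       "when": datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")})
    return events

def lockout_report(log_text, window=timedelta(minutes=30)):
    """For each 644 lockout, summarise the 681 failures in the window before it."""
    events, report = parse_events(log_text), {}
    for lock in (e for e in events if e["id"] == 644):
        account = field(lock["text"], "Target Account Name:")
        prior = [e["text"] for e in events if e["id"] == 681
                 and field(e["text"], "The logon to account:") == account
                 and timedelta(0) <= lock["when"] - e["when"] <= window]
        report[account] = {
            "failures": len(prior),
            "workstations": sorted({field(t, "from workstation:") for t in prior}),
            "reasons": Counter(decode_status(field(t, "The error code was:"))[1]
                               for t in prior),
        }
    return report

# Constructed sample (hypothetical account jdoe, hosts WS-ME-01/02), thread's layout.
FAIL = r"""Event ID:    681
Date:        7/20/2004
Time:        1:0{n}:28 PM
The logon to account: jdoe
from workstation: \\WS-ME-0{w}
failed. The error code was: 3221225578"""
LOCK = "Event ID: 644\nDate: 7/20/2004\nTime: 1:14:53 PM\nTarget Account Name: jdoe"
SAMPLE = "\n\n".join([FAIL.format(n=n, w=1 + n % 2) for n in range(5, 10)] + [LOCK])
```

Calling `lockout_report(SAMPLE)` shows five wrong-password failures from two workstations ahead of the lockout; a reason other than `STATUS_WRONG_PASSWORD` in the same report would point away from mistyped passwords.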
Travis Kwekkeboom - 26 Jul 2004 21:42 GMT
Thank you for the information Erik,

Lockout is set for 5 attempts right now, it was 3 attempts.

I did not know about the AD client for the 9x boxes.  As for WINS, I
do not have it setup on the server at all. DNS only.  I ALSO did not
know that DNS did not work properly for 9x boxes.  Man o man.

Anyways, I will try installing the AD client for the boxes and see
what happens.

>Travis,
>
[quoted text clipped - 116 lines]
>>
>> TK
Marina Roos [SBS-MVP] - 26 Jul 2004 18:32 GMT
Hi Travis,

You might want to disable smb signing. Have a look at
www.smallbizserver.net, sbs 2000, workstations.
Of course the winipcfg on those W98's should point to the server-IP for
everything. Wins should be installed on the server and the Scope option 046
should have 0x8.

Regards,

Marina
Microsoft SBS-MVP

> This one has been bugging me for quite some time.  I have people on
> Win9x boxes who keep getting their accounts locked out for reasons
[quoted text clipped - 93 lines]
>
> TK
Travis Kwekkeboom - 26 Jul 2004 21:44 GMT
Thank you for the information Marina,

I am going to install the AD clients on the 9x boxes and see what
happens.  I don't use DHCP in this office. I actually don't like DHCP and
set up all the clients static.

Thanks for the information.

Travis Kwekkeboom

>Hi Travis,
>
[quoted text clipped - 3 lines]
>everything. Wins should be installed on the server and the Scope option 046
>should have 0x8.
Lanwench [MVP - Exchange] - 27 Jul 2004 02:22 GMT
> Thank you for the information Marina,
>
> I am going to install the AD clients on the 9x boxes and see what
> happens.  I don't use DHCP in this office. I actually don't like DHCP and
> set up all the clients static.

What's the reason behind that? Since you need to install and configure WINS
as you have Win9x clients, it would be a simple matter to roll it out to
workstation IP configs if you did have DHCP. I personally use DHCP even in
tiny offices - I don't like keeping track of statics, and don't see any real
downside to DHCP.

> Thanks for the information.
>
[quoted text clipped - 7 lines]
>> for everything. Wins should be installed on the server and the Scope
>> option 046 should have 0x8.
Travis Kwekkeboom - 27 Jul 2004 15:20 GMT
My office is really small.  15 boxes total with 3 servers.  I used to
not have ISA up and running and relied on my router and firewall for
protection (something that changed about 3 years ago) and I would
setup the individual boxes static to be able to forward them through
the firewall and router easier and it just stuck.  I would use DHCP if
there were more advantages to it that I am unaware of.  I just think
that if I am currently having issues with static IPing, Dynamic might
be worse.

Does that make sense?

>> Thank you for the information Marina,
>>
[quoted text clipped - 19 lines]
>>> for everything. Wins should be installed on the server and the Scope
>>> option 046 should have 0x8.
Marina Roos [SBS-MVP] - 27 Jul 2004 16:14 GMT
Hi Trever,

No, not really. DHCP really is a no-brainer and it pushes all necessary
settings for DNS and WINS too. So if you would have to change anything on
your server, you don't have to go with the sneakernet to make those changes
on the clients yourself.
Servers and printers and stuff like that should have static IP's.

Regards,

Marina
Microsoft SBS-MVP

> My office is really small.  15 boxes total with 3 servers.  I used to
> not have ISA up and running and relied on my router and firewall for
[quoted text clipped - 30 lines]
> >>> for everything. Wins should be installed on the server and the Scope
> >>> option 046 should have 0x8.
Travis Kwekkeboom - 27 Jul 2004 20:34 GMT
Well, the one workstation is not attaching to the domain now .. since
I installed the dscript.exe ... dandy, now I have no idea what it is
doing.  As far as I can tell the WINS is setup properly .. it can see
people etc.. I hate this ...

What is still happening, is people are still being kicked out, it
would seem randomly.  see previous posts for event log entries.

This does not make sense to me .. I am wondering if I should re-OS the
Damned SBS box.  At one time we were trying to do some VPNing and
there were some registry changes made with M$ support.  So I think I
should just backup everything and RE-OS.  I HATE THIS.

>Hi Trever,
>
[quoted text clipped - 3 lines]
>on the clients yourself.
>Servers and printers and stuff like that should have static IP's.
Marina Roos [SBS-MVP] - 28 Jul 2004 00:47 GMT
Hi Travis,

Can you post the ipconfig/all from the server please?

Regards,

Marina
Microsoft SBS-MVP

> Well, the one workstation is not attaching to the domain now .. since
> I installed the dscript.exe ... dandy, now I have no idea what it is
[quoted text clipped - 16 lines]
> >on the clients yourself.
> >Servers and printers and stuff like that should have static IP's.
Travis Kwekkeboom - 28 Jul 2004 22:17 GMT
Well, apparently I don't know enough about the WinME environment as I
thought the WinME was a part of the Win9x kernel.. apparently it is
not.  I can not attach an ME Box to a Domain (which I have for 2 years
now) according to M$. Anyways, plan is to upgrade all boxes to XP Pro,
RE-OS server and currently non-working workstation and FORGET The
damned error messages I am getting, I am thinking it is native to the
makeup of WinME.

BTW, I HATE M$ for creating WinME.  Yet another reason for me to buy
as little of their product as possible.  

WinME and XP Home are useless products.  HATE HATE HATE ..
Now that the rant is out. Thank you for all your help and I will be
talking to you soon.

Travis Kwekkeboom

>Hi Travis,
>
>Can you post the ipconfig/all from the server please?
Phil Partridge - 28 Jul 2004 11:04 GMT
>Well, the one workstation is not attaching to the domain now .. since
>I installed the dscript.exe ... dandy, now I have no idea what it is
[quoted text clipped - 16 lines]
>>on the clients yourself.
>>Servers and printers and stuff like that should have static IP's.

The 'being thrown off randomly' rings alarm bells with me.

Are you *SURE* there are no virus/mal-ware issues? - Does IE start with
a strange home-page, and get reset to this page if you change it?

What make/model of network cards do you have?
Are these cards set to 'auto' for speed and duplex?

What make/model of switch or hubs?

Do you have several hubs/switches?

How are they arranged?

Do you have two network cards in the SBS Server?

What make/model of router?
How is it attached to your Server/network?

Phil Partridge
philp@pebbleGRIT.demon.co.uk
Remove the grit to reply
Travis Kwekkeboom - 26 Jul 2004 21:57 GMT
run the dsclient and I get a message telling me that the application
has not found  WinNT SP6a and will exit.  That is it.

>This one has been bugging me for quite some time.  I have people on
>Win9x boxes who keep getting their accounts locked out for reasons
[quoted text clipped - 93 lines]
>
>TK
Erik Veenhuijsen - 26 Jul 2004 22:33 GMT
Strange error, did you make sure you used the dsclient.exe in the win9x
directory?
Also you should set up a WINS server on your network and put the IP address of
your WINS server in the TCP/IP protocol on your workstations, otherwise they
won't be able to find a Domain Controller for account logon.

> run the dsclient and I get a message telling me that the application
> has not found  WinNT SP6a and will exit.  That is it.
[quoted text clipped - 96 lines]
> >
> >TK
Travis Kwekkeboom - 27 Jul 2004 22:28 GMT
Well I installed the dsclient9x.exe on the one WinME box and now I
can't log into the domain. I tried uninstalling the client, it says it
completes, restart then I get the SAME non-network login and I can't
access anything.  Dandy client there.  ruined everything.

Anyways, I am out of the office tomorrow all day and I will have to
RE-OS THAT box, probably the SBS2000 server and set everything up this
weekend .. not a task I was prepared to do.  I am a little peeved over
this.

Travis Kwekkeboom

>Strange error, did you make sure you used the dsclient.exe in the win9x
>directory?
[quoted text clipped - 102 lines]
>> >
>> >TK
Erik Veenhuijsen - 28 Jul 2004 19:21 GMT
Travis, I don't know how big your knowledge is, but you really created a
problem with this one.

In your post you spoke about Win9x machines, not about WinME machines (you
know that ME cannot be used in a domain environment? adclient or not.)
If all your machines are WinME, then no adclient or WINS will help you,
because you have the wrong OS for a network domain. You should use win98se or
higher (except WinME and WinXP Home edition).

See also:
http://support.microsoft.com/default.aspx?scid=kb;en-us;276472&Product=winme

One positive thing, probably your SBS box is ok, but the OS on the client
absolutely isn't. Hopefully it's on just one box and all others are ok.

See also:
http://support.microsoft.com/default.aspx?kbid=288358

Greets,
Erik.

> Well I installed the dsclient9x.exe on the one WinME box and now I
> can't log into the domain. I tried uninstalling the client, it says it
[quoted text clipped - 114 lines]
> >> >
> >> >TK
Travis Kwekkeboom - 28 Jul 2004 22:11 GMT
Well in the kernel end of things .. I know two kernels.
NT kernel (NT, win2k, XP Home, and XP Pro) and 9x kernel
(95,98/se,WinME) Usually it is assumed that 9x consists of
95/98,se/WinME.  So, the ME box is dead.  Dandy, well we are pushing
the ME boxes towards XP Pro, so that will help.  I will re-OS this box
and everything should be happy, cept me.  heheh.

See, the only boxes that were giving me trouble were the WinME boxes,
I thought I had put that in a previous post, however, if I did not I
apologize.  Any ideas how I can rip that DSclient.exe out?

>Travis, i don't know how big your knowledge is, but you really created a
>problem with this one.
[quoted text clipped - 137 lines]
>> >> >
>> >> >TK
Erik Veenhuijsen - 28 Jul 2004 22:50 GMT
About the two kernels you are correct, except that Microsoft for some
twisted reason has indeed decided to bring out WinME, which has just been a
plain stupid move. WinME is based on a win9x kernel, but just doesn't have
the support built-in to logon to domains. That's probably why all of us
avoid this OS like hell.
They probably did this to push business networks towards Win2000 and XP Pro
and you can hate them for it, but I must say I'm glad they did, otherwise we
would still be dealing with a lot more old win95 and 98 machines, which are
just completely hell compared to win xp pro.

I have no experience with ripping out the dsclient installed on winme, so
the best advice I can give you on this is to follow the instructions in the KB
article I sent you in a previous post and try to delete or at least copy the
mentioned files in the article from an unaffected winme machine to the
"infected" box.

Good luck reOSsing.

> Well in the kernel end of things .. I know two kernels.
> NT kernel (NT, win2k, XP Home, and XP Pro) and 9x kernel
[quoted text clipped - 149 lines]
> >> >> >
> >> >> >TK
Travis Kwekkeboom - 29 Jul 2004 14:30 GMT
Thanks Erik,

Yes, the WinXP Home of 9x kernel.  I knew it had crippled
capabilities, I didn't know that this dsclient.exe would not install
SOME of them and allow me to get into AD.  Anyways, it is all in the
past now.  I have 3 WinXP Pro boxes here, 1 2k box, 2 2k servers, 1
redhat box and 7 (yes seven) ME boxes.  I have had all the ME boxes on
the domain for about 4 years now (back in sbs4.5 too) and I never
really had any issues with them.  Recently, however, they have been a
nightmare.  I implemented a stronger password policy (basically just
upping their already old short/bad PW policy) increasing characters,
controlling the amount of logins, times of, etc.. and I started
getting people locked out of the network.  Now, approx 8 months before
that I had tried some VPN connecting, which brought in M$ support and
they did some registry changes that I am convinced change some backend
security items maybe causing my ME boxes to no longer meet the
requirements for some services and being locked out.  The ME clients
get locked out of using printers, seeing the shared folders etc.. but
do NOT get locked out immediately, however, when presented with a
password prompt, no matter WHAT they put in for password, they are
locked out.  HEHE

As you can see this is a little frustrating for me.  I am A+
Certified, use IIS and apache a bit, have been a Mild SBS "admin" for
5 years now.  Sat for the Win2k Pro exam and did not pass.  So you can
see my level of knowledge.  I am the technical support person here for
5 years now, I can keep clients running fine but I have never had much
support from the company or my knowledge base to implement proper
items.  

I will be upgrading the OS on the ME boxes to XP Pro in the near
future, problem is, PIII machines and some of them only have 192MB of
ram.  Upgrading the OS AND the ram at the same time is not cost
effective for us at the present.  We are a small company and I do what
I can with the limited resources I have.

My background is graphic design and I work a lot with Adobe Premiere.

Thanks for the help,

Travis Kwekkeboom

>About the two kernels you are correct, except that microsoft for some
>twisted reason has indeed decided to bring out WinME, which has just been a
[quoted text clipped - 177 lines]
>> >> >> >
>> >> >> >TK
Erik Veenhuijsen - 29 Jul 2004 21:09 GMT
Hi Travis,

I understand your frustration, I too have a graphics background; I started 10
years ago with Desktop Publishing. Doing system administration besides that
can be a real hassle these days.

Greets,
Erik.

> Thanks Erik,
>
[quoted text clipped - 219 lines]
> >> >> >> >
> >> >> >> >TK