Thursday, March 27, 2014

Common Causes for Account Lockouts in Windows 7


To avoid false lockouts, please check each computer on which a lockout occurred for the following behaviors:

Programs:
Many programs cache credentials or keep active threads that retain the credentials after a user changes their password.

Service accounts:
Service account passwords are cached by the service control manager on member computers that use the account as well as domain controllers. If you reset the password for a service account and you do not reset the password in the service control manager, account lockouts for the service account occur. This is because the computers that use this account typically retry logon authentication by using the previous password. To determine whether this is occurring, look for a pattern in the Netlogon log files and in the event log files on member computers. You can then configure the service control manager to use the new password and avoid future account lockouts.

Bad Password Threshold is set too low:
This is one of the most common misconfiguration issues. Many companies set the Bad Password Threshold registry value to a value lower than the default value of 10. If you set this value too low, false lockouts occur when programs automatically retry passwords that are not valid. Microsoft recommends that you leave this value at its default value of 10. For more information, see "Choosing Account Lockout Settings for Your Deployment" in this document.

User logging on to multiple computers:
A user may log on to multiple computers at one time. Programs that are running on those computers may access network resources with the credentials of the user who is currently logged on. If the user changes their password on one of the computers, programs that are running on the other computers may continue to use the original password. Because those programs authenticate when they request access to network resources, the old password continues to be used and the user's account becomes locked out. To ensure that this behavior does not occur, users should log off of all computers, change the password from a single location, and then log off and back on.

Stored user names and passwords retain redundant credentials:
If any of the saved credentials are the same as the logon credential, you should delete those credentials. The credentials are redundant because Windows tries the logon credentials when explicit credentials are not found. To delete logon credentials, use the Stored User Names and Passwords tool. For more information about Stored User Names and Passwords, see online help in Windows XP and the Windows Server 2003 family.

Scheduled tasks:
Scheduled processes may be configured to use credentials that have expired.

Persistent drive mappings:
Persistent drives may have been established with credentials that subsequently expired. If the user types explicit credentials when they try to connect to a share, the credential is not persistent unless it is explicitly saved by Stored User Names and Passwords. Every time that the user logs off the network, logs on to the network, or restarts the computer, the authentication attempt fails when Windows attempts to restore the connection because there are no stored credentials. To avoid this behavior, configure net use so that it does not make persistent connections. To do this, at a command prompt, please type net use /persistent:no. Alternately, to ensure current credentials are used for persistent drives, disconnect and reconnect the persistent drive.

Active Directory replication:
User properties must replicate between domain controllers to ensure that account lockout information is processed properly. You should verify that proper Active Directory replication is occurring.

Disconnected Terminal Server sessions:
Disconnected Terminal Server sessions may be running a process that accesses network resources with outdated authentication information. A disconnected session can have the same effect as a user with multiple interactive logons and cause account lockout by using the outdated credentials. The only difference between a disconnected session and a user who is logged onto multiple computers is that the source of the lockout comes from a single computer that is running Terminal Services.

Service accounts:
By default, most computer services are configured to start in the security context of the Local System account. However, you can manually configure a service to use a specific user account and password. If you configure a service to start with a specific user account and that account's password is changed, the service logon property must be updated with the new password or that service may lock out the account.
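
The first "Service accounts" item says to look for a pattern in the Netlogon log files. The following is an added example, not part of the original post: it counts wrong-password results per account and source computer and reports accounts that reached the default threshold of 10 or were reported locked out. The log line layout, the host names and the account names are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

WRONG_PASSWORD = 0xC000006A   # STATUS_WRONG_PASSWORD
LOCKED_OUT = 0xC0000234       # STATUS_ACCOUNT_LOCKED_OUT

# Assumed layout of a Netlogon debug log entry for a completed logon attempt.
LINE = re.compile(
    r"^\d\d/\d\d \d\d:\d\d:\d\d \[LOGON\] SamLogon: (?:Transitive )?\w+ logon of "
    r"(?P<acct>\S+) from (?P<src>\S+)(?: \(via \S+\))? Returns (?P<code>0x[0-9A-Fa-f]+)$")

def _line(minute, acct, src, code):
    return (f"03/27 09:{minute:02d}:02 [LOGON] SamLogon: Network logon of "
            f"{acct} from {src} Returns {code}")

# Constructed sample (hypothetical names): a service on APP01 keeps retrying an
# old password, APP02 retries twice, and one user mistypes a password once.
SAMPLE_LOG = "\n".join(
    [_line(m, r"CORP\svc_backup", "APP01", "0xC000006A") for m in range(10, 20)]
    + [_line(m, r"CORP\svc_backup", "APP02", "0xC000006A") for m in (12, 17)]
    + [_line(20, r"CORP\svc_backup", "APP01", "0xC0000234"),
       _line(21, r"CORP\jdoe", "WKS07", "0xC000006A"),
       _line(22, r"CORP\jdoe", "WKS07", "0x0")])

def lockout_report(text, threshold=10):
    """Return (account, top_source, top_count, total_bad, locked) for each account
    that reached `threshold` wrong-password results or was reported locked out."""
    bad, locked = {}, set()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # "Entered" lines and unrelated entries
        code = int(m["code"], 16)
        if code == WRONG_PASSWORD:
            bad.setdefault(m["acct"], Counter())[m["src"]] += 1
        elif code == LOCKED_OUT:
            locked.add(m["acct"])
    rows = []
    for acct, sources in sorted(bad.items()):
        total = sum(sources.values())
        if total >= threshold or acct in locked:
            src, n = sources.most_common(1)[0]   # computer sending most retries
            rows.append((acct, src, n, total, acct in locked))
    return rows

if __name__ == "__main__":
    for row in lockout_report(SAMPLE_LOG):
        print(row)
```

The top source in each row is the computer to check first for a service, scheduled task or mapped drive that still holds the previous password.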

Thursday, March 06, 2014

Temporary Profile issues in Windows 7

Question

I recently noticed that some of my desktop icons and files have disappeared. I even tried to create a new folder and restart the computer, but it was also not there after the restart; it might have been deleted automatically. I searched the internet about this issue and found the cause: "my user profile has got corrupted". Please help me to solve it.

Solved Answer

Yes, your research is on the right track. This problem started because your user profile has been corrupted, and you have to repair it. Below we provide a step-by-step guide to solve that issue; please follow the instructions to solve this issue completely.

Method 1

1. Rename the temporary profile from registry

  • Start your computer and log in with the temporary profile.
  • Click Start, type "run" in the search box, and click Run in the results. The Run box opens.
  • Type "regedit" in the Run box and press Enter or click OK. The Registry Editor opens.
  • Locate the following path in the Registry Editor and rename two keys (as shown in the screenshot below):

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  • Under "ProfileList" you will find two similar keys; one of them ends with ".bak".
  • The key with ".bak" is your original profile. Example: "SID-1213428093-345618312-2235-148770.bak"
  • The key without ".bak" is your current temporary profile (the one you are currently logged on with). Example: "SID-1213428093-345618312-2235-148770"
  • You have to rename both entries.
  • Rename the key without ".bak" and put ".temp" at the end:
    "SID-1213428093-345618312-2235-148770"
                                      to
    "SID-1213428093-345618312-2235-148770.temp"
  • Rename the key with ".bak" and remove ".bak" from the end:
    "SID-1213428093-345618312-2235-148770.bak"
                                     to
    "SID-1213428093-345618312-2235-148770"
[Screenshot: How to Fix Temporary Profile in Windows 7 (3)]
  • That's it. Now click Start and click Log off.
  • After logging off, restart the computer once.
  • After the restart, it will automatically load your old (original) profile.
If the problem still persists, then you have to run Check Disk; go to Method 2.

Method 2

  • Open My Computer.
  • Right-click the C drive (where Windows is installed), and then click Properties.
  • A properties page appears; click the Tools tab.
  • You will see a "Check now" button. Click it, and another popup appears.
  • In this popup, tick both boxes and click Start.
  • It will take time to finish, and it might schedule the disk check to run at the next startup, so please restart your computer (as shown in the screenshot below).
[Screenshot: How to Fix Temporary Profile in Windows 7 (2)]
That's it. Now restart your computer. The issue must be solved, and you will be able to log in to your profile.

Wednesday, March 05, 2014

Time Synchronization in Active Directory


Excuse me, do you have the time?  Well, you had better if you are an Active Directory administrator.  Next to DNS, time synchronization is one of the most important dependencies of Active Directory.  By default, Active Directory will tolerate a difference of plus or minus five minutes between the clocks on your network.  If the difference exceeds five minutes, clients will be unable to authenticate, and replication will not occur between domain controllers.
Since time is so vital, Active Directory implements a time synchronization system based on the Network Time Protocol (NTP).  NTP ensures that every machine in the forest has a synchronized clock.  In addition, each Windows 2000 or newer machine uses the w32time service to synchronize its clock.
Below is an outline of how time synchronization works.
  1. The forest root domain PDC emulator synchronizes its clock with a reliable outside time source.
  2. Every child domain PDC emulator  synchronizes its clock with the PDC emulator of its parent domain.
  3. Each domain controller  synchronizes its clock with the PDC emulator of its domain.
  4. Each domain computer synchronizes its clock with the domain controller it authenticates to.

You shouldn't need to configure the w32time service on any server other than your root domain PDC emulator.  From my experience, companies that elected to use a different time sync hierarchy than the one outlined above later ended up suffering from Kerberos issues.
Out in the field, I have also noticed that when companies transfer the PDC emulator FSMO role to another server, they forget to reconfigure the w32time service.
Reconfiguring your PDC emulator is fairly simple.  First find a dedicated (reliable) external time source.  In this example we will be using the NTP Pool Project.
First open up your command prompt. (Start>Run>CMD)
Next enter the following commands:
C:\> w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org" /syncfromflags:manual
C:\> w32tm /config /update
C:\> w32tm /resync

For more information about configuring your time source see the following articles.
http://support.microsoft.com/kb/262680
http://support.microsoft.com/?id=816042
For troubleshooting time sync issues, the w32time service will log events to the System
event log. The w32tm /monitor and w32tm /stripchart /computer:TargetMachineName
commands are often useful for troubleshooting as well.
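
The hierarchy outlined above can be checked against an inventory of w32time settings. The following is an added example, not part of the original post: it flags a forest root PDC emulator without a manual external peer list and any other machine whose manual peer overrides the domain hierarchy. The host and domain names are hypothetical, the inventory is constructed, and it assumes each machine's w32time Type value has been collected as either NT5DS (domain hierarchy) or NTP (manual peer list).

```python
# domain -> parent domain (None marks the forest root); hypothetical names.
DOMAINS = {"corp.example": None, "eu.corp.example": "corp.example"}

# Constructed inventory: (host, domain, role, w32time Type, NtpServer).
INVENTORY = [
    ("DC1", "corp.example", "dc", "NTP", "0.pool.ntp.org"),   # former PDC emulator
    ("DC2", "corp.example", "pdc", "NT5DS", ""),              # role moved here
    ("EU-DC1", "eu.corp.example", "pdc", "NT5DS", ""),
    ("EU-DC2", "eu.corp.example", "dc", "NT5DS", ""),
    ("EU-WKS9", "eu.corp.example", "member", "NTP", "time.example.net"),
]

def pdc_of(domain, inventory):
    """Host name of the PDC emulator of `domain`."""
    return next(h for h, d, role, _, _ in inventory if d == domain and role == "pdc")

def expected_source(host, inventory):
    """Time source the outlined hierarchy assigns to `host`."""
    _, domain, role, _, _ = next(m for m in inventory if m[0] == host)
    parent = DOMAINS[domain]
    if role == "pdc":                      # steps 1 and 2
        return "external" if parent is None else pdc_of(parent, inventory)
    if role == "dc":                       # step 3
        return pdc_of(domain, inventory)
    return "authenticating DC"             # step 4

def audit(inventory):
    """Return (host, problem) for every machine that departs from the hierarchy."""
    findings = []
    for host, _, _, w32_type, peers in inventory:
        want = expected_source(host, inventory)
        manual = w32_type == "NTP"
        if want == "external" and not (manual and peers):
            findings.append((host, "forest root PDC emulator has no manual external peer list"))
        elif want != "external" and manual:
            findings.append((host, f"manual peer {peers} overrides hierarchy, expected {want}"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

In the constructed inventory, DC1 and DC2 show the state left behind when the PDC emulator role is transferred without reconfiguring w32time on either server.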
