Posted by Lanwench [MVP - Exchange] on January 8, 2007, 8:40 pm
> Hello group,
>
> I have an interesting issue. There are several Windows XP desktop
> machines along with Windows 2003 Terminal Servers, in one domain. The
> Terminal Servers have roaming profiles configured.
>
> Users, when prompted at the desktop, change their passwords every
> 90-days. They then logon to their machines and establish RDP sessions.
> The Terminal Servers log the users on using the new passwords.
> However, the users' accounts are then promptly locked out. If the
> account is unlocked, it is locked out again the next time the user
> logs onto a Terminal Server. This continues until I reboot the server.
>
> Checking the logs, I see that logging into Terminal Servers results in
> several Account Logon failures (Event ID 680). The first two are
> because of an incorrect password (0xC000006A) and then ten or more
> account lockouts (0xC0000234). These all occur after the user has
> successfully logged on but before the user profile completely loads.
>
> Any suggestions appreciated.
>
> J Wolfgang Goerlich
You might try posting this in m.p.windows.terminal_services - this group
deals with security issues. In fact, try crossposting it to an Active
Directory group as well.
That said - if you're using roaming profiles, you also need to set Terminal
Services profile paths for your TS users (use a different path - e.g.,
\\fileserver\tsprofiles$\%username%). Don't mix 'n match.
Also - if you're going to use account lockout, set it to something REALLY
high - like 100. I don't enable it at all, personally.
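
The following is an added example, not part of the thread: a small Python triage of Event ID 680 records using the two status codes quoted in the question, showing which source machine the bad-password attempts for a locked-out account come from. The row layout, account names and machine names (`TS01`, `XPDESK07`, and so on) are constructed for illustration and are not the raw Security log format.

```python
from collections import defaultdict

# Status codes quoted in the question above.
BAD_PASSWORD = 0xC000006A
LOCKED_OUT = 0xC0000234

# Constructed sample rows: (time, event_id, account, source, status).
# A simplified export layout assumed for this example, not the raw event text.
SAMPLE = [
    ("09:00:01", 680, "jdoe", "XPDESK07", 0x0),
    ("09:02:10", 680, "jdoe", "TS01", 0x0),
    ("09:02:11", 680, "jdoe", "TS01", BAD_PASSWORD),
    ("09:02:11", 680, "jdoe", "TS01", BAD_PASSWORD),
    ("09:02:12", 680, "jdoe", "TS01", LOCKED_OUT),
    ("09:02:12", 680, "jdoe", "TS01", LOCKED_OUT),
    ("09:05:40", 680, "asmith", "XPDESK03", BAD_PASSWORD),
]

def summarize(rows):
    """Count successes, bad-password and locked-out results per (account, source)."""
    stats = defaultdict(lambda: {"ok": 0, "bad_password": 0, "locked_out": 0})
    for _time, event_id, account, source, status in rows:
        if event_id != 680:
            continue  # only account-logon events are of interest here
        key = (account.lower(), source.upper())
        if status == 0:
            stats[key]["ok"] += 1
        elif status == BAD_PASSWORD:
            stats[key]["bad_password"] += 1
        elif status == LOCKED_OUT:
            stats[key]["locked_out"] += 1
    return dict(stats)

def lockout_sources(rows):
    """(account, source) pairs that show a good logon plus both failure types."""
    return sorted(
        key for key, s in summarize(rows).items()
        if s["ok"] and s["bad_password"] and s["locked_out"]
    )

if __name__ == "__main__":
    for account, source in lockout_sources(SAMPLE):
        print(f"{account}: bad passwords and lockouts are coming from {source}")
```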