<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Beakersoft Blog &#187; Microsoft</title>
	<atom:link href="http://www.beakersoft.co.uk/category/microsoft/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.beakersoft.co.uk</link>
	<description>My (mis)adventures in the IT industry</description>
	<lastBuildDate>Wed, 02 Nov 2011 00:15:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
<image>
  <link>http://www.beakersoft.co.uk</link>
  <url>http://www.beakersoft.co.uk/wordpress/wp-content/themes/Beakersoft/favicon.ico</url>
  <title>Beakersoft Blog</title>
</image>
	<atom:link rel='hub' href='http://www.beakersoft.co.uk/?pushpress=hub'/>
		<item>
		<title>Where has that account been locked out?</title>
		<link>http://www.beakersoft.co.uk/2008/02/07/where-has-that-account-been-locked-out/</link>
		<comments>http://www.beakersoft.co.uk/2008/02/07/where-has-that-account-been-locked-out/#comments</comments>
		<pubDate>Thu, 07 Feb 2008 20:19:43 +0000</pubDate>
		<dc:creator>beakersoft</dc:creator>
				<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.beakersoft.co.uk/2008/02/07/where-has-that-account-been-locked-out/</guid>
		<description><![CDATA[Anyone who has ever worked in an IT helpdesk environment will know that probably 50% + of calls are related in some way or another to the user getting their password wrong, and locking out their account. No matter how much you educate the users, this will always happen, especially if you enforce a complex [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.beakersoft.co.uk/img/account_lockout_head.jpg" alt="Account Lockout Header" align="middle" height="50" width="450" /></p>
<p>Anyone who has ever worked in an IT helpdesk environment will know that probably 50% + of calls are related in some way or another to the user getting their password wrong, and locking out their account. No matter how much you educate the users, this will always happen, especially if you enforce a <a href="http://www.technet2.microsoft.com/windowsserver/en/library/d7e66b86-7b31-45a8-b11f-449fe7e7c62e1033.mspx?mfr=true" title="Complex Passwords">complex password</a> policy (and I hope you do!)</p>
<p>I have seen the odd occasion where there is something more at work. The user could be happily logging on in the morning, working for a bit when suddenly their account is getting locked out, and as far as you (and they) can tell everything should be fine. You can unlock the account, they carry on working for a bit but then it happens again. There are a few things it could be:</p>
<ul>
<li>Someone is trying to use that user&#8217;s account, doesn&#8217;t know their password and so keeps locking it. This could be malicious or for another reason</li>
<li>The user has logged onto another machine, and not logged off. Then, if the user has changed their password while the other machine is logged in, it could be requesting resources using the old (and now incorrect) password. Every time it tries to get a network resource that requires authentication it will cause a bad password attempt</li>
<li>Similar to the above, but the user is logged into a terminal server session and has not logged out. For non-console sessions on terminal servers users have access to, it&#8217;s always a good idea to enforce an automatic log off after a period of inactivity</li>
<li>The user could have a connection to a network resource (such as a mapped drive), that is using old credentials. Personally I&#8217;ve never seen this on XP, but I did see it on Win95/98</li>
</ul>
<p>So, we know what can go wrong, but how the hell do we find out what machine the account lockout is occurring on?</p>
<p><span id="more-162"></span>For a start there are a couple of tools available from Microsoft; probably the most useful one is <a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=D1A5ED1D-CD55-4829-A189-99515B0E90F7&amp;displaylang=en#Overview" title="Download lockout status">LockOutStatus.exe</a>. This app lets you put a user name in, and will show you all the domain controllers in your Active Directory domain.</p>
<p>Against each DC, it tells you the lockout status of the account, the Site the DC is in, the bad password count, the lockout time etc. This information might be useful in tracking down the site where the lock is originating.</p>
<p><img src="http://www.beakersoft.co.uk/img/Lockoutstaus.jpg" alt="Locoutstatus Screen" align="middle" height="70" width="929" /></p>
<p>However, it still doesn&#8217;t narrow you down to a specific machine where the lock is coming from. In order to find that out you are going to have to use the Security Event logs on the domain controllers.</p>
<h2>Turning on Failed Login Attempts Event Logging</h2>
<p>The first thing you need to do is alter your domain policy to make sure you are logging failed login attempts into the security event log. You can do this at the local server level but by far the easiest way is to edit your default domain policy. Find your default domain policy, and edit it. You need to make sure the following settings under the computer config are turned on:</p>
<p><img src="http://www.beakersoft.co.uk/img/policy%20settings.jpg" alt="Policy settings" align="middle" height="291" width="689" /></p>
<p>Once you have set these, give it half an hour or so to replicate round your domain, and your DCs should start logging the account logon events. If you look in the security log, you should be able to see events like this:</p>
<p><img src="http://www.beakersoft.co.uk/img/Example_Event.jpg" alt="Example Event" align="middle" height="448" width="404" /></p>
<p>Now, some of these events (such as event ID 680) will contain a section containing the workstation. Now we are getting somewhere. The event that shows you a lockout will look something like this:</p>
<p><em>Feb 7 12:15:19 DC-SVR1.Dom MSWinEventLog&lt;009&gt;1&lt;009&gt;Security&lt;009&gt;4523690&lt;009&gt;Thu Feb 07 12:15:19 2008&lt;009&gt;681&lt;009&gt;Security&lt;009&gt;SYSTEM&lt;009&gt;User&lt;009&gt;Failure Audit&lt;009&gt;DC-SVR1.Dom&lt;009&gt;Account Logon&lt;009&gt;&lt;009&gt;The logon to account: joe.bloggs by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: USER-WRK1 failed. The error code was: 3221225578 &lt;009&gt;4518607 </em></p>
<p>There are various events like this one. Here it is telling you that the user Joe.Bloggs failed to log in from the machine USER-WRK1.<br />
This is giving you some information, but it&#8217;s not telling you where the INITIAL lockout occurred. For this you need to find the events with the ID of 644. This should give you information about the initial account lockout, and look something like this:</p>
<p><em>Feb 7 14:01:48 DC-SVR1.Dom MSWinEventLog&lt;009&gt;2&lt;009&gt;Security&lt;009&gt;2574908&lt;009&gt;Thu Feb 07 14:01:45 2008&lt;009&gt;644&lt;009&gt;Security&lt;009&gt;Everyone&lt;009&gt;Well Known Group&lt;009&gt;Success Audit&lt;009&gt;DC-SVR1&lt;009&gt;Account Management&lt;009&gt;&lt;009&gt;User Account Locked Out: Target Account Name: Joe.Bloggs Target Account ID: %{S-1-1-00-1111111111-2222222222-333333333-4567} Caller Machine Name: USER-WRK2 Caller User Name: DC-SVR1 Caller Domain: DOM Caller Logon ID: (0x0,0x000) &lt;009&gt;2574304 </em></p>
<p>This event now tells you the username, the machine it was locked out on and the DC that created the lockout.</p>
<h2>Querying the Events</h2>
<p>The problem you are going to have now is finding the entries in the security log. There will probably be 1000s of access requests against all your domain controllers in a single day, so finding the particular entry that you want can be a bit of a nightmare.</p>
<p>In a couple of articles in the past I have written about the use of a <a href="http://www.en.wikipedia.org/wiki/Syslog" title="Syslog servers">syslog </a>server; this is another area where it can be useful. Using a syslog server and agents (such as <a href="http://www.intersectalliance.com/projects/SnareWindows/" title="Snare">Snare</a>) on the domain controllers, you can send all the events from each server into one central place.</p>
<p>One of the best syslog servers to use is the Kiwi syslog daemon available at <a href="http://www.kiwisyslog.com/">kiwisyslog.com</a>. Even though it is freeware, it is a very powerful tool: it allows you to send the data you have collected to various destinations (text files, database etc), set up housekeeping on your data etc. A full feature list can be found on their website <a href="http://www.kiwisyslog.com/kiwi-syslog-daemon-features-and-benefits/">here</a>.</p>
<p>One of the easiest ways to search your security event logs is to get the Kiwi syslog to insert the information into an <a href="http://en.wikipedia.org/wiki/Open_Database_Connectivity" title="ODBC">ODBC </a>database such as <a href="http://www.mysql.com">MySQL</a>. Using the Kiwi syslog, you can specify specific data to go to a specific place using rules and filters.</p>
<p>Create yourself an ODBC connection to a database where you want the data to live, then go into the syslog setup and create yourself a new rule called something like &#8216;account lockouts&#8217;. Add a filter to this rule, on the message text that contains:</p>
<p><em>&#8220;3221225578&#8221; or &#8220;3221225578&#8221; or &#8220;3221225586&#8221; or &#8220;3221226036&#8221; or &#8220;Account locked out&#8221;</em></p>
<p><img src="http://www.beakersoft.co.uk/img/kiwi_filter.jpg" alt="Filter" align="middle" height="215" width="698" /></p>
<p>This should catch any of the account lockout events. You then need to create a new action to add the data to the database. Just fill in the details similar to the following screen shot:</p>
<p><img src="http://www.beakersoft.co.uk/img/kiwi_insert.jpg" alt="Database Insert" align="middle" height="296" width="708" /></p>
<div class="PostNote"><em>Note: you might want to purge down the data in the table every couple of months or so or it could get very large and hard to work with.</em></div>
<p>Now, all your account lockout events will be getting added to this table. You can then write custom queries/reports to get the information out of this database, and finally find where that account lock out is occurring!</p>
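<p>As an added example (not part of the original post), the Python sketch below shows the kind of custom report described above, run directly over Snare-format lines instead of a database table. It assumes the field positions seen in the two sample events earlier in the post; the function names and the sample events are constructed for illustration.</p>

```python
"""Report lockout sources from Snare-format Security events."""
import re
from collections import Counter
from datetime import datetime

# Codes from the Kiwi filter in the post, with their NTSTATUS names.
NTSTATUS = {
    3221225578: "STATUS_WRONG_PASSWORD (0xC000006A)",
    3221225586: "STATUS_ACCOUNT_DISABLED (0xC0000072)",
    3221226036: "STATUS_ACCOUNT_LOCKED_OUT (0xC0000234)",
}
WRONG_PASSWORD = 3221225578

# Field positions read off the sample events in the post (assumption: the
# agent uses this layout). The tab separator is rendered as "<009>".
F_TIME, F_EVENT_ID, F_DC, F_MESSAGE = 4, 5, 10, 13

LOCKOUT_RE = re.compile(
    r"Target Account Name:\s*(\S+).*?Caller Machine Name:\s*(\S+)")
FAILURE_RE = re.compile(
    r"logon to account:\s*(\S+)\s+by:.*?from workstation:\s*(\S+)\s+failed\."
    r"\s*The error code was:\s*(\d+)")


def parse_event(line):
    """Return a dict for a 644 lockout or a 681 failure, otherwise None."""
    fields = re.split(r"<009>|\t", line)
    if len(fields) <= F_MESSAGE or "MSWinEventLog" not in fields[0]:
        return None
    event_id, message = fields[F_EVENT_ID].strip(), fields[F_MESSAGE]
    if event_id == "644":
        kind, match = "lockout", LOCKOUT_RE.search(message)
    elif event_id == "681":
        kind, match = "failure", FAILURE_RE.search(message)
    else:
        return None
    if match is None:
        return None
    event = {
        "kind": kind,
        "time": datetime.strptime(fields[F_TIME].strip(),
                                  "%a %b %d %H:%M:%S %Y"),
        "dc": fields[F_DC].strip(),
        "account": match.group(1).lower(),  # 644 and 681 differ in case
        "machine": match.group(2).upper(),
    }
    if kind == "failure":
        event["code"] = int(match.group(3))
        event["reason"] = NTSTATUS.get(event["code"], hex(event["code"]))
    return event


def lockout_report(lines):
    """For each lockout, list the workstations that sent bad passwords first."""
    events = sorted(filter(None, map(parse_event, lines)),
                    key=lambda e: e["time"])
    report, failures = [], {}
    for e in events:
        if e["kind"] == "failure":
            if e["code"] == WRONG_PASSWORD:
                failures.setdefault(e["account"], Counter())[e["machine"]] += 1
        else:
            report.append({
                "account": e["account"],
                "locked_at": e["time"],
                "dc": e["dc"],
                "caller_machine": e["machine"],
                "failures_before": dict(failures.pop(e["account"], {})),
            })
    return report


def _sample(ts, event_id, audit, category, message):
    """Build one constructed event in the layout of the samples in the post."""
    return "<009>".join([
        "Feb 7 00:00:00 DC-SVR1.Dom MSWinEventLog", "1", "Security", "1",
        ts, event_id, "Security", "SYSTEM", "User", audit, "DC-SVR1.Dom",
        category, "", message, "1"])


_FAIL = ("The logon to account: joe.bloggs by: "
         "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: {} failed. "
         "The error code was: {} ")
_LOCK = ("User Account Locked Out: Target Account Name: Joe.Bloggs "
         "Target Account ID: %{S-1-1-00-1111111111-2222222222-333333333-4567} "
         "Caller Machine Name: USER-WRK2 Caller User Name: DC-SVR1 "
         "Caller Domain: DOM Caller Logon ID: (0x0,0x000) ")

# Constructed sample data, not real log output.
SAMPLE = [
    _sample("Thu Feb 07 13:58:02 2008", "681", "Failure Audit",
            "Account Logon", _FAIL.format("USER-WRK2", 3221225578)),
    _sample("Thu Feb 07 13:59:10 2008", "681", "Failure Audit",
            "Account Logon", _FAIL.format("USER-WRK2", 3221225578)),
    _sample("Thu Feb 07 14:00:30 2008", "681", "Failure Audit",
            "Account Logon", _FAIL.format("USER-WRK1", 3221225578)),
    _sample("Thu Feb 07 14:01:45 2008", "644", "Success Audit",
            "Account Management", _LOCK),
    _sample("Thu Feb 07 14:02:00 2008", "681", "Failure Audit",
            "Account Logon", _FAIL.format("USER-WRK2", 3221226036)),
    "Feb 7 14:03:00 DC-SVR1.Dom unrelated syslog text",
]

if __name__ == "__main__":
    for row in lockout_report(SAMPLE):
        print(row)
```

<p>Only wrong-password failures are counted towards a lockout; failures logged after the account is already locked carry the locked-out code and are left out of the tally.</p>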
]]></content:encoded>
			<wfw:commentRss>http://www.beakersoft.co.uk/2008/02/07/where-has-that-account-been-locked-out/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>The world vs Microsoft (maybe)</title>
		<link>http://www.beakersoft.co.uk/2007/12/16/the-world-vs-microsoft-maybe/</link>
		<comments>http://www.beakersoft.co.uk/2007/12/16/the-world-vs-microsoft-maybe/#comments</comments>
		<pubDate>Sun, 16 Dec 2007 16:34:49 +0000</pubDate>
		<dc:creator>beakersoft</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Browsers]]></category>
		<category><![CDATA[Programming]]></category>

		<guid isPermaLink="false">http://www.beakersoft.co.uk/2007/12/16/the-world-vs-microsoft-maybe/</guid>
		<description><![CDATA[I was reading a very interesting article on coding horror the other day (http://www.codinghorror.com/blog/archives/001006.html) about browser wars. This got me thinking about how much Microsoft must be worrying about how the enhancements in browsers and related technology will affect their business model. When you think about it, most of their money comes from selling operating systems [...]]]></description>
			<content:encoded><![CDATA[<p>I was reading a very interesting article on coding horror the other day (<a href="http://www.codinghorror.com/blog/archives/001006.html">http://www.codinghorror.com/blog/archives/001006.html</a>) about browser wars.<br />
This got me thinking about how much <a href="http://www.microsoft.com/">Microsoft </a>must be worrying about how the enhancements in browsers and related technology will affect their business model.</p>
<p>When you think about it, most of their money comes from selling operating systems and Office products. Now, browsers are becoming more and more the platform of choice to write applications on. It makes sense really.</p>
<p>The app will run on any device with a net connection (including phones, PDAs etc), you can almost guarantee it will work, there is no need for the user to install software, updates are easy to roll out, ease of distribution, the list goes on and on.</p>
<p>While as it stands there aren&#8217;t too many office-based applications that can challenge MS Office in the features category, there are certainly very capable alternatives out there, the main one being Google&#8217;s offering, Google docs (<a href="http://docs.google.com/">http://docs.google.com/</a>). All the documents are saved online, so you can give other people access to them and wherever you are in the world you will always have access to your data.<span id="more-91"></span></p>
<p>One of the only downfalls of online applications is when you lose your net connection. Well, Google have even come up with a way of getting round that. It&#8217;s called Gears (<a href="http://gears.google.com/">http://gears.google.com/</a>).</p>
<p>I don&#8217;t personally know all that much about it; it&#8217;s a framework that will allow you to build web based applications that will also work offline. At the moment the only apps I have seen that use it are Google ones, but I&#8217;m sure more will be popping up.</p>
<p>So, are the mighty Microsoft doing anything of their own like this? Well, a bit. They have bought a stake in the social networking site Facebook (<a href="http://www.facebook.com/">http://www.facebook.com/</a>).</p>
<p>One of the cool features of Facebook is the fact that you can create applications using their framework, and post them to the community. As the Facebook community is absolutely massive (according to <a href="http://blog.compete.com/2007/09/14/facebook-activity-breakdown-application/">compete.com</a> 14 million used applications in Facebook in August) your application will get a lot of exposure.</p>
<p>On the back of this Microsoft has added support via a developer kit into its Visual Web Developer product (<a href="http://www.microsoft.com/express/samples/facebook/default.aspx">http://www.microsoft.com/express/samples/facebook/default.aspx</a>). The thing I find funny about this is when you look at the Facebook developer documentation its language of choice is PHP. Will this be changing to dotnet now Microsoft have got their claws into it?</p>
<p>So, are Microsoft trying to embrace the internet as its development platform of the future, or sticking to their so far successful business model of traditional desktop software? I&#8217;m sure we&#8217;ll find out over the next few years.</p>
<p>And just out of interest, while we are talking about browsers, this is a breakdown of what browsers people visiting this site have been using over the last month:</p>
<p><img src="http://bp2.blogger.com/_RwfokkwAYVk/R1c_13dKw6I/AAAAAAAAACU/uu1fsXx5Iho/s400/usage.jpg" id="BLOGGER_PHOTO_ID_5140647694318617506" style="margin: 0px auto 10px; display: block; text-align: center" border="0" />While using this site as a test bed may not be the fairest judge of what people are using (most visitors will be more aware of what browser they run than normal users), it does still indicate that no matter how much the other companies push their alternatives, the browser of choice is Internet Explorer.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.beakersoft.co.uk/2007/12/16/the-world-vs-microsoft-maybe/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Internet Explorer 8 here we come</title>
		<link>http://www.beakersoft.co.uk/2007/12/06/internet-explorer-8-here-we-come-2/</link>
		<comments>http://www.beakersoft.co.uk/2007/12/06/internet-explorer-8-here-we-come-2/#comments</comments>
		<pubDate>Thu, 06 Dec 2007 20:15:00 +0000</pubDate>
		<dc:creator>beakersoft</dc:creator>
				<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.beakersoft.co.uk/2007/12/06/internet-explorer-8-here-we-come-2/</guid>
		<description><![CDATA[Just a quick post after my rant yesterday, seems like Microsoft is already working on a new version of Internet Explorer, at least according to the IE developer blog. You can read the entry at http://blogs.msdn.com/ie/archive/2007/12/05/internet-explorer-8.aspx There is no mention of new features or anything yet, but keep checking back as I&#8217;m sure they [...]]]></description>
			<content:encoded><![CDATA[<p>Just a quick post after my rant yesterday, seems like <a href="http://www.microsoft.com/">Microsoft</a> is already working on a new version of Internet Explorer, at least according to the IE developer blog. You can read the entry at <a href="http://blogs.msdn.com/ie/archive/2007/12/05/internet-explorer-8.aspx">http://blogs.msdn.com/ie/archive/2007/12/05/internet-explorer-8.aspx</a></p>
<p>There is no mention of new features or anything yet, but keep checking back as I&#8217;m sure they will post the latest info there first.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.beakersoft.co.uk/2007/12/06/internet-explorer-8-here-we-come-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows 2008 Beta 3</title>
		<link>http://www.beakersoft.co.uk/2007/07/22/windows-2008-beta-3/</link>
		<comments>http://www.beakersoft.co.uk/2007/07/22/windows-2008-beta-3/#comments</comments>
		<pubDate>Sun, 22 Jul 2007 15:22:00 +0000</pubDate>
		<dc:creator>beakersoft</dc:creator>
				<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.beakersoft.co.uk/2007/07/22/windows-2008-beta-3/</guid>
		<description><![CDATA[We have installed a copy of Windows 2003 beta 3 to do some testing with, mainly to see if the terminal server side of things has improved any. We have a problem using DTP packages over a terminal server connection, when moving pictures around pages it takes about half a second or so to respond, [...]]]></description>
			<content:encoded><![CDATA[<p>We have installed a copy of Windows 2003 beta 3 to do some testing with, mainly to see if the terminal server side of things has improved any.</p>
<p>We have a problem using DTP packages over a terminal server connection: when moving pictures around pages it takes about half a second or so to respond. Some of the documentation from Microsoft says there have been quite a few improvements, so we decided to check them out.</p>
<p>The first hurdle was installing it! The installer is for DVD, and most of the boxes we could install it on to test didn&#8217;t have a DVD drive. We tried installing it as a virtual machine on a VMWare server, but it would not go onto here at all.</p>
<p>In the end we had to pull a DVD reader out of another machine, and load it using this. Does this mean in future servers are going to have to ship with DVD readers as standard if Microsoft is going to be shipping its server OS&#8217;s on DVD?</p>
<p>Anyway, we finally managed to load up the server, and after a bit of head scratching managed to join it to our domain. Hunting round the config screens we managed to find how to install it as a terminal server, so we could start doing our testing.</p>
<p>The documentation from Mr Gates and Co. said that there was now a feature where a user could run an application on the terminal server as if it was on their desktop. We weren&#8217;t sure how this was going to work, but it sounded like a good idea, so we found where it was configured and added wordpad as an application to run in this way. There was a wizard to run that created the connection to the application so I ran that, and it generated me a .rdp file, which I wasn&#8217;t really expecting it to do.</p>
<p>Still full of hope and optimism, I copied the .rdp file to my desktop and ran it, expecting something cool to happen. I logged into the terminal server, and all that happened was wordpad ran up as soon as I logged in. That was it. When I closed wordpad the terminal server connection closed itself. Now, maybe I was expecting something a bit special, but I can&#8217;t see that solving anyone&#8217;s problems!</p>
<p>I had a look at how this amazing leap forward in thin client architecture was accomplished, and found in the .rdp file the wizard had created, all it was doing was launching the app on start up, as illustrated here:</p>
<p><a href="http://bp0.blogger.com/_RwfokkwAYVk/RqPSK9P8CjI/AAAAAAAAAAo/iZNoeRmb8Uo/s1600-h/RDPNew.jpg"><img src="http://bp0.blogger.com/_RwfokkwAYVk/RqPSK9P8CjI/AAAAAAAAAAo/iZNoeRmb8Uo/s320/RDPNew.jpg" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer" id="BLOGGER_PHOTO_ID_5090143089540729394" border="0" /></a><br />
<em><span style="font-family: Verdana; font-size: 78%"><span style="font-style: italic; font-family: Verdana; font-size: 8px"><span style="font-size: 100%">Windows  Server 2008 introduces new functionality in Terminal Services to connect to  remote computers and applications. Terminal Services RemoteApp completely  integrates applications running on a terminal server with users&#8217; desktops such  that they behave as if they were running on an individual user&#8217;s local computer;  users can run programs from a remote location side-by-side with their local  programs<br />
</span></span></span></em><br />
We continued doing some more testing by installing QuarkXpress on the server, and seeing if there were any noticeable improvements to the picture handling, but there appeared to be very little difference between this version and what 2003 does. Maybe it&#8217;s time to start looking at Citrix.</p>
<p>Anything else interesting I find on 2008 server I&#8217;ll blog about here.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.beakersoft.co.uk/2007/07/22/windows-2008-beta-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The wonder of Patches</title>
		<link>http://www.beakersoft.co.uk/2007/02/28/the-wonder-of-patchs/</link>
		<comments>http://www.beakersoft.co.uk/2007/02/28/the-wonder-of-patchs/#comments</comments>
		<pubDate>Wed, 28 Feb 2007 19:27:00 +0000</pubDate>
		<dc:creator>beakersoft</dc:creator>
				<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.beakersoft.co.uk/2007/02/28/the-wonder-of-patchs/</guid>
		<description><![CDATA[Had a couple of problems with patches this week. The first was on a Windows2003 server that runs a DCOM-based application. We put all the latest MS patches on last week, and for some reason it stopped working. I re-built one from scratch today, trying to do the patches in batches, but surprise surprise [...]]]></description>
			<content:encoded><![CDATA[<p>Had a couple of problems with patches this week. The first was on a Windows2003 server that runs a DCOM-based application. We put all the latest MS patches on last week, and for some reason it stopped working.<br />
I re-built one from scratch today, trying to do the patches in batches, but surprise surprise I managed to install them all, and it worked fine!</p>
<p>The second problem I had was with one of my web based applications, and (I think) the patches that came out in January. It&#8217;s an ASP.Net app written in VB.net. It uses the impersonation function so all users run as one user. This is done due to the application needing lots of file system access across Windows and Linux platforms.</p>
<p>Anyway, I installed the patches and all of a sudden the application could no longer see any remote unc paths. Every time it checked to make sure the unc was valid it failed, and took the path offline! As soon as I un-installed the batch of patches it started working again.<br />
If anyone else has had this problem and sussed out what it is, let me know.</p>
<p>On another note, I&#8217;ve seen a lot on the web about hacking PSP (PlayStation Portable) consoles lately, and the ongoing battle between the hackers and Sony. Quite a good BBC article about it is <a href="http://news.bbc.co.uk/1/hi/technology/6397797.stm">http://news.bbc.co.uk/1/hi/technology/6397797.stm </a></p>
<p>So far I&#8217;ve not tried &#8216;downgrading&#8217; my PSP, cos if it goes wrong you can end up turning it into an expensive looking brick. I am very tempted to give it a go though. Does anyone know if what the hackers are doing is legal?</p>
<p>Got a new 80gig drive for my laptop today. Over the next few days I&#8217;m going to blow it away and get it dual booting between Windows XP and Linux. If I find out anything interesting I&#8217;ll post it here.</p>
<p><span style="font-weight: bold">Listening To: </span>New album by the Kaiser Chiefs. Can&#8217;t make my mind up about it yet.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.beakersoft.co.uk/2007/02/28/the-wonder-of-patchs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Problem Assigning Software to Computers Via Group Policy</title>
		<link>http://www.beakersoft.co.uk/2007/01/16/problem-assigning-software-to-computers-via-group-policy/</link>
		<comments>http://www.beakersoft.co.uk/2007/01/16/problem-assigning-software-to-computers-via-group-policy/#comments</comments>
		<pubDate>Tue, 16 Jan 2007 19:44:00 +0000</pubDate>
		<dc:creator>beakersoft</dc:creator>
				<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.beakersoft.co.uk/2007/01/16/problem-assigning-software-to-computers-via-group-policy/</guid>
		<description><![CDATA[I&#8217;ve today managed to find the solution to a problem that&#8217;s been bugging me for a bit. When trying to install software (an .msi file) via a computer group policy, I couldn&#8217;t get it to work. In the application event log I was getting errors along the lines of The installation source is invalid As far [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve today managed to find the solution to a problem that&#8217;s been bugging me for a bit. When trying to install software (an .msi file) via a computer group policy, I couldn&#8217;t get it to work. In the application event log I was getting errors along the lines of</p>
<p><span style="font-style: italic">The installation source is invalid</span></p>
<p>As far as I could see I had given the computer NTFS rights into the share where the software was located, and everyone had read access to the share.</p>
<p>While trying to install the Dell OpenManage client software today I worked out what it was. Our Active Directory is based on Windows 2000 servers, but the UNC share the software was located on was a Windows2003 server. I moved the installation source to a Windows 2000 server, gave the Domain Computers group access to the files and it worked!</p>
<p>Not entirely sure what caused the problem in the first place, there must be some incompatibility between the 2 operating systems&#8217; way of working with the NTFS permissions.</p>
<p>So I managed to get the software on, but I can&#8217;t get the client PCs to report properly to the Dell OpenManage IT Assistant, without lots of manual intervention on the PCs.<br />
You need to create a new domain user and run the IAP service as this user so the client will report. If anyone has done this already with some sort of script, let me know how you did it.</p>
<p><span style="font-weight: bold">Listening to:</span> NoFx, Punk In Drublic</p>
]]></content:encoded>
			<wfw:commentRss>http://www.beakersoft.co.uk/2007/01/16/problem-assigning-software-to-computers-via-group-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DFS Problem Moving Domain Controller</title>
		<link>http://www.beakersoft.co.uk/2007/01/10/dfs-problem-moving-domain-controler/</link>
		<comments>http://www.beakersoft.co.uk/2007/01/10/dfs-problem-moving-domain-controler/#comments</comments>
		<pubDate>Wed, 10 Jan 2007 19:37:00 +0000</pubDate>
		<dc:creator>beakersoft</dc:creator>
				<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.beakersoft.co.uk/2007/01/10/dfs-problem-moving-domain-controler/</guid>
		<description><![CDATA[Had a very odd problem this week, I&#8217;m sure it must have happened to someone before. We moved a 2k Active Directory domain controller from one (logical) site to another. This had the very strange knock on effect of causing the domain DFS (distributed file system) to start acting strangely. First of all, some machines [...]]]></description>
			<content:encoded><![CDATA[<p>Had a very odd problem this week, I&#8217;m sure it must have happened to someone before.<br />
We moved a 2k Active Directory domain controller from one (logical) site to another. This had the very strange knock on effect of causing the domain DFS (distributed file system) to start acting strangely.</p>
<p>First of all, some machines (XPsp1, XPsp2, 2003 server) could not access the DFS root at all. They got an error message along the lines of:</p>
<p><span style="font-style: italic">&#8216;Configuration information could not be read from the domain controller&#8217;</span></p>
<p>Then some machines could see the DFS root, but some of the shares were missing. I tried re-creating the shares but this had no effect.</p>
<p>I then rebooted the domain controller that was the PDC emulator and that did nothing. There wasn&#8217;t anything suspect I could see in any of the FRS logs, so as a stab in the dark I restarted the DFS service (I didn&#8217;t even realise there was one!) on all the domain controllers in the domain, and it worked!<br />
I have no idea why this happened and can&#8217;t find anything online as to what caused it, so anyone with any ideas let me know.</p>
<p>Also installed MS Sharepoint 3.0 this week. Looks quite funky, not really done much with it yet. If I find out anything that might be of interest I&#8217;ll post it here.</p>
<p>Oh, and check out the new Apple iPhone here <a href="http://www2.blogger.com/www.apple.com/iphone">www.apple.com/iphone</a> I know some smart phones will do similar things already, but this does look mighty cool.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.beakersoft.co.uk/2007/01/10/dfs-problem-moving-domain-controler/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RIS Setup on Windows2003 Server</title>
		<link>http://www.beakersoft.co.uk/2006/11/22/ris-setup-on-windows2003-server/</link>
		<comments>http://www.beakersoft.co.uk/2006/11/22/ris-setup-on-windows2003-server/#comments</comments>
		<pubDate>Wed, 22 Nov 2006 22:53:00 +0000</pubDate>
		<dc:creator>beakersoft</dc:creator>
				<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.beakersoft.co.uk/2006/11/22/ris-setup-on-windows2003-server/</guid>
		<description><![CDATA[So, we currently have a RIS server setup on Windows2000, its now very out of date, the base image has only got XP SP1 on and I cant see anyway I can just upgrade it, we can only ris clients from the subnet the servers on, and we needed to run the DHCP service on [...]]]></description>
			<content:encoded><![CDATA[<p>So, we currently have a RIS server set up on Windows2000, it&#8217;s now very out of date, the base image has only got XP SP1 on and I can&#8217;t see any way I can just upgrade it, we can only RIS clients from the subnet the server&#8217;s on, and we needed to run the DHCP service on the server.<br />
So we decided to create a new Windows2003 based RIS server. This is what I had to go through to get it working:</p>
<p>• First of all I needed a copy of Windows XP with service pack 2 on it, to use as my XP base image on the server. There&#8217;s quite a good web site about it <a href="http://www.winsupersite.com/showcase/windowsxp_sp2_slipstream.asp">here</a>.</p>
<p>Basically you copy the contents of the XP CD to your hard disk, extract the SP2 download to your hard disk (<strong>xpsp2.exe -x:c:\sp2</strong>), then run the update app in the i386\update folder of the extracted SP2 and point it to your original XP file. Then you&#8217;ll have a nice and up-to-date copy of Windows XP. Copy it onto CD or a server accessible by the new RIS server.</p>
<p>• Now just install the RIS service through Control Panel/Add or Remove Programs/Windows Components. Then you should get a Remote Install service under admin tools. Before running that you need to authorize the RIS server on the domain. You do this (for some reason) using DHCP manager. See the Microsoft article <a href="http://support.microsoft.com/kb/325862">here.</a> Once you have authorized the server, run the new RIS setup application, point it at your new XP setup files and you should have the RIS server ready to go.</p>
<p>• The next thing we needed to do was not run the DHCP server on the same server as RIS, and get RIS working across subnets. When we first installed RIS I couldn&#8217;t find any way of doing this, but I have this time!</p>
<p>There are 2 scope options you can set in DHCP:<br />
066 &#8211; Boot Server Host Name (Basically the TFTP server the client will use)<br />
067 &#8211; Boot File name (the file to use on the server to boot the PC)</p>
<p>Set the boot server host name option to be the IP address of the RIS server (give the server a static address), and set the boot file name to be OSChooser\i386\startrom.com</p>
<p>Add these options to each DHCP subnet you want to use this RIS server on and the PXE clients should be able to find the RIS server and its boot file.</p>
<p>• Now one of the trickiest parts. Adding 3rd party drivers to the base image so that a) the basic RIS setup program will run, and b) the Windows XP setup will run.<br />
We did most of the hard work with this when we set up the old RIS server. The best article I found on it is <a href="http://www.myitforum.com/articles/16/view.asp?id=8822">here</a>. This article basically says copy certain driver files to certain parts of the folder structure, and update your .sif file to look for the files in these locations. When we did this originally we had to manually hack the drivers&#8217; .inf files to get them working on Dell GX270s and 280s but I don&#8217;t think that&#8217;s required anymore. If you need the drivers email me and I can send you them.</p>
<p>• At this point you should now be able to boot your client PC, and it should pick up the RIS server and boot from it (as long as you have set up the DHCP options for the subnet your client is in).<br />
Before doing this I copied in the existing riprep.sif file from the old server, as this contained all the options about joining the domain, the product key etc. It&#8217;s probably worth sorting this file out before doing an install or the install will ask you questions and it still won&#8217;t be unattended. There are various sources on the web that will tell you about the settings, or you can use the RIPrep wizard, as described <a href="http://technet2.microsoft.com/WindowsServer/en/library/29a9c00a-4f75-4f2c-a520-be1843a228b71033.mspx?mfr=true">here</a>.</p>
<p>• Something that I never came across on the Windows2000 RIS was it failing to join a domain (if you set that option in the .sif file). If this happens you might have to run the delegate control wizard at the root of your domain in Active Directory Users and Computers. Just add the domain admins and any other groups that will be RISing, and make sure they have the ability to add computer accounts to the domain.</p>
<p>• The final problem I came across was when I pushed an image back to the server. It went back no problems, so I copied into the templates folder of the new image what I thought was a good .sif file.<br />
When I then tried to use the new image, I kept getting an error saying<br />
&#8216;txtsetup.sif is missing or corrupt. Error 21&#8217;<br />
I had a look around for this error and it turned out the problem was with the .sif file I had copied in. There were some new options in the [OSChooser] section that the image needed to find the original mirror. So I re-created my new image, and instead of copying the good .sif file over the one it created, I just added all the sections I needed to this one.</p>
<p>That was it, took me a few days to get it working correctly but it&#8217;s definitely worth it in the long run, when you have 150 machines to set up!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.beakersoft.co.uk/2006/11/22/ris-setup-on-windows2003-server/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

