Terminal Server with Roaming Profile Locks Accounts

Discussion in 'Security Software' started by jwgoerlich, Jan 3, 2007.

  1. jwgoerlich

    jwgoerlich Guest

    Hello group,

    I have an interesting issue. There are several Windows XP desktop
    machines along with Windows 2003 Terminal Servers, in one domain. The
    Terminal Servers have roaming profiles configured.

    Users, when prompted at the desktop, change their passwords every
    90 days. They then log on to their machines and establish RDP sessions.
    The Terminal Servers log the users on using the new passwords. However,
    the users' accounts are then promptly locked out. If the account is
    unlocked, it is locked out again the next time the user logs onto a
    Terminal Server. This continues until I reboot the server.

    Checking the logs, I see that logging into Terminal Servers results in
    several Account Logon failures (Event ID 680). The first two are
    because of an incorrect password (0xC000006A) and then ten or more
    account lockouts (0xC0000234). These all occur after the user has
    successfully logged on but before the user profile completely loads.

    Any suggestions appreciated.

    J Wolfgang Goerlich
     
    jwgoerlich, Jan 3, 2007
    #1
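    An added example (not from the thread) that reads exported Event ID 680 records and tallies, per account and source workstation, the 0xC000006A and 0xC0000234 failures the post describes, so the host that keeps presenting the pre-change password can be located; the line layout, names and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# NTSTATUS values quoted in the post for Event ID 680 failures.
WRONG_PASSWORD = "0xC000006A"
ACCOUNT_LOCKED = "0xC0000234"

# Constructed sample of exported Event 680 records; account and host names
# and timestamps are invented for this example.
SAMPLE_LOG = """\
2007-01-03 08:01:12 680 Logon account: jdoe Source Workstation: TS01 Error Code: 0xC000006A
2007-01-03 08:01:13 680 Logon account: jdoe Source Workstation: TS01 Error Code: 0xC000006A
2007-01-03 08:01:14 680 Logon account: jdoe Source Workstation: TS01 Error Code: 0xC0000234
2007-01-03 08:01:15 680 Logon account: jdoe Source Workstation: TS01 Error Code: 0xC0000234
2007-01-03 08:02:40 680 Logon account: asmith Source Workstation: WKS07 Error Code: 0xC000006A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) 680 Logon account: (?P<user>\S+) "
    r"Source Workstation: (?P<host>\S+) Error Code: (?P<code>0x[0-9A-Fa-f]{8})$"
)

def parse_events(text):
    """Yield (timestamp, user, host, code) for each Event 680 line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            code = "0x" + m["code"][2:].upper()  # normalise hex case
            yield m["ts"], m["user"].lower(), m["host"].upper(), code

def lockout_sources(text, threshold=2):
    """Return {user: {host: (wrong_pw_count, lockout_count)}} for hosts that
    reached the bad-password threshold or produced lockout failures. A host
    that keeps failing after the password change is the likely holder of the
    stale credential (in the post, the Terminal Server with the roaming profile)."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for _ts, user, host, code in parse_events(text):
        if code == WRONG_PASSWORD:
            counts[user][host][0] += 1
        elif code == ACCOUNT_LOCKED:
            counts[user][host][1] += 1
    report = {}
    for user, hosts in counts.items():
        flagged = {h: tuple(c) for h, c in hosts.items() if c[0] >= threshold or c[1] > 0}
        if flagged:
            report[user] = flagged
    return report

if __name__ == "__main__":
    for user, hosts in lockout_sources(SAMPLE_LOG).items():
        for host, (bad, locked) in hosts.items():
            print(f"{user}: {host} bad-password={bad} locked-out={locked}")
```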

  2. Lanwench [MVP - Exchange]
    You might try posting this in m.p.windows.terminal_services - this group
    deals with security issues. In fact, try crossposting it to an Active
    Directory group as well.

    That said - if you're using roaming profiles, you also need to set Terminal
    Services profile paths for your TS users (use a different path - e.g.,
    \\fileserver\tsprofiles$\%username%). Don't mix 'n match.

    Also - if you're going to use account lockout, set it to something REALLY
    high - like 100. I don't enable it at all, personally.
     
    Lanwench [MVP - Exchange], Jan 9, 2007
    #2
