avze
Member

[WIN7] ***URGENT*** Issue with Admin Account Locking Out!

I am running as an Admin account on Win7 (I know, for security reasons, it's not practical, but I must, since I am always doing maintenance/updates/patches/development etc. on my machine and I have to...). But anyway, I stumbled across this really strange issue.
Whenever I access User Accounts from the Control Panel three times, my account locks out!!!! Every time.

I did numerous testing on this.
First, I opened up User Accounts one time. My Account was not locked out.
Then tried two. No lockout. Then three. And my Account was locked.
Now luckily, since I am using the PC as an Admin, I was able to unlock my account.
And plus, I keep a Win7 OS image handy.
My number of bad password attempts settings under Local Security Policy are set to 3 attempts after it locks out.
I am NOT under any Domain. Just a standalone machine.
I am behind a router/firewall, using locked down Win7 settings.
Does anyone have any clues why my Account keeps locking out after accessing the User Accounts control console 3 times???

And I tested this on my notebook too; the same thing happens. The account locks after opening the User Accounts console 3 or more times.
And I don't have to change any settings in there; it even locks out just by opening the User Accounts icon under the Control Panel.

I will keep on testing this. The notebook has the same Local Security Policy settings to lock out account after 3 bad or failed password attempts.

Very weird!!!!!!

****EDIT**** >>>>>> More testing under the Control Panel. I tried opening other tools from the Control Panel like Power Options, Flash, Java 3 times randomly, then checked my User Account, and no lock outs. So it seems it only just does this when only accessing the USER ACCOUNT tool more times....

****UPDATE**** On my notebook, I disabled the Account Lock Out policy setting. Then I opened the User Accounts again numerous times. No lock outs.
Then changed it back to 3 bad password attempts. Opened User Accounts again numerous times. Account was locked out.

But can someone tell me why a setting of the Account Lockout Policy would or can affect opening the User Accounts icon from the Control Panel???

This really "baffles" me. I would like to know why please.
Because what if, for some reason, I opened the User Accounts panel many times under ONE Windows logon session, and then it caught me by surprise that my user account was locked out, and I had to reimage my PC.

Now, I would like to ask if someone can try this out by going into the Local Security Policy editor and setting the Account Lockout policy to 3 failed bad attempts. Then after that, try opening the User Accounts panel from the Control Panel 3 times and then check your local user account. But make sure you do this with an Admin account so you can unlock yourselves.

I did a search on this BTW - But in my case, I did NOT even do anything in the User Accounts. I just opened it and my account locked out....
I will just have to use the MMC for managing the User Accounts from there instead of from the Control Panel, until someone has a fix for this. Most likely this is a flaw, but not sure; just a wild guess.

»social.technet.microsoft ··· ogeneral

dave
Premium Member

Well, to state the obvious: your account is getting locked out because you have a policy that specifies it must get locked out after 3 failed-login attempts.

The question is then, why does accessing the User Accounts applet cause a failed-login?

I'm not in a position to try this at the moment; I will try and do so later. Meanwhile, though, you might look in the system 'security' event log (right-click on Computer, Manage, Event Viewer, Windows Logs, Security) for failed-login events.
psloss to avze
Premium Member

I went with a Win7 Pro SP1 x64 VM and saw the same thing. When making the account lockout policy the first change, the standard GUI wanted to set the time thresholds to 30 minutes each, which was fine for this throwaway test.
dave
Premium Member

Then it's likely an unintended interaction. Hypothesis: the User Accounts applet needs to determine whether you have the necessary access in the current context, and it determines that by trying to get access; when it fails, it then does the elevation thing. Meanwhile, the lockout policy cannot know the failure wasn't "really" a failed-password attempt.
avze
Member

Is this by design when these policies are set in the Local Security Policy setting?
Or is this a "flaw" in Win7?

But I am still baffled as to why this has anything to do with the User Accounts applet.

There are two things I (or we) can do: first, access or manage the User Accounts via MMC, or second, not open the User Accounts applet via the Control Panel numerous times (in my case, more than 3 times) under ONE Windows logon session...

Boy!!!!!! It's great to have a backup OS image.... This saved me a lot of time, as I was locked out.

I did a search on this, but the link above which I posted is pretty much same issue, except that I have not even touched anything within the User Accounts applet.

I wish someone from MS would have more documentation about this.
psloss
Premium Member

said by avze:

Boy!!!!!! Its great to have a backup OS image....This saved me a lot of time...As I was locked out.

Unless you changed the values for the other settings, your account would not have been permanently locked out. As I posted, the default was 30 minutes.

(That Technet forums link has a post from a couple of weeks ago that has the outlines of what is going on.)
avze
Member

Mine is set until Admin unlocks it
Talk about really paranoid!!!! LOL
dave to psloss
Premium Member

Same here.
dave to avze
Premium Member

said by avze:

There are two things I can do (...)

Well, there is a third thing: don't have such a draconian account lockout policy.

The trouble with an account lockout policy is that it is a deliberately-erected denial of service vulnerability against yourself. You're presumably worried about a bad guy getting into your computer. Well, all the bad guy has to do is to *try* and get into your computer three times... and then you are locked out of your own PC. Which for some bad guys might be just as much fun as if they actually succeeded in getting in.

If you have to have one at all, I'd suggest using a larger number and a smaller locked-out time.
Frodo to avze
Member

I would see if something in the event viewer pointed out the answer, perhaps under the security log.
BlitzenZeus to dave
Premium Member

Yep, a glitchy keyboard, somebody's cat walking on the keyboard, or them not noticing the Caps Lock key could lock down that OS. Timeout policies can greatly throttle brute force. If they don't even employ disk encryption this is a moot point anyway.

Maybe they've been watching too many Hollywood movies to think they need a three attempt limit, they think they have something they need to hide on their computer, or they're just ultra paranoid somebody might see their browser history.
psloss to Frodo
Premium Member

said by Frodo:

I would see if something in the event viewer pointed out the answer, perhaps under the security log.

See the Technet forum link in the original post for that...

...but the bigger issue is as Dave noted: the rationale for a low lockout threshold. Even in domain environments it's discouraged, particularly as a 'setting in a vacuum':
»blogs.technet.com/b/abiz ··· ity.aspx

On a standalone machine, it's a bigger mystery.
Frodo
Member

These are my settings.

That, along with having 3 admin accounts works fine for me. Next time I get locked out will be the first time, aside from testing the policy.
BlitzenZeus
Premium Member

I always have at least two administrator accounts active in the event one might get corrupted on the disk.
Frodo to avze
Member

said by avze:

Now, I would like to ask if someone can try this out by going into the Local Security Policy editor and set Account Lockout policy to 3 failed bad attempts. Then after that, try opening the User Accounts panel from the Control Panel 3 times and then check your local user account.

Well, I have mine set to 10 tries, so I opened the user panel 11 times, and then tried runas to see what would happen, and I see:

RUNAS ERROR: Unable to run - cmd
1909: The referenced account is currently locked out and may not be logged on to

I didn't try to make any changes in that user panel, just simply opened it. So while I didn't duplicate your settings, my experience seems to confirm that there is some kind of issue going on here.

There is an event 4740 in event viewer, security log indicating that the ID is locked out, but can't tell why.
dave to avze
Premium Member

By the way, the easiest way to reset the lockout is

net user NAME /active:yes

in a (suitably privileged) cmd window.

workablob to avze
Member

If you can, open Control Panel - User Accounts - Credential Manager, then clear out any saved credentials.

Blob
Frodo to avze
Member

I set up basic auditing and set the policy to audit failures in the category "Audit account logon events" and "Audit logon events".

Then I opened Control Panel and accessed "User Accounts" a couple of times. I didn't do anything once I was in User Accounts, just simply opened it up, and then closed it.

In the event viewer, security log I see two events logged for each access.
Event 4776:
The computer attempted to validate the credentials for an account.
 
Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:TheUserId
Source Workstation:Computername
Error Code:0xc000006a
 
and Event 4625
An account failed to log on.
 
Subject:
Security ID:Computername\TheUserId
Account Name:TheUserId
Account Domain:Computername
Logon ID:0x2e105
 
Logon Type:2
 
Account For Which Logon Failed:
Security ID:NULL SID
Account Name:TheUserId
Account Domain:
 
Failure Information:
Failure Reason:Unknown user name or bad password.
Status:0xc000006d
Sub Status:0xc000006a
 
Process Information:
Caller Process ID:0x132c
Caller Process Name:C:\Windows\explorer.exe
 
Network Information:
Workstation Name:Computername
Source Network Address:-
Source Port:-
 
Detailed Authentication Information:
Logon Process:Advapi  
Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services:-
Package Name (NTLM only):-
Key Length:0
 
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
 
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
 
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
 
The Process Information fields indicate which account and process on the system requested the logon.
 
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
 
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
 
So it seems that a simple access of the User Accounts panel counts as an invalid logon attempt for some reason. Probably, since I have my invalid attempts set at 10 before a lockout occurs, I manage to log in successfully somewhere along the line before I hit the threshold.

No biggie for me, but I do think it's a bug. "TheUserId" and "Computername" were substituted for the actual user id and computer name
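As an added example (not code from any poster in this thread), here is a small Python script that parses 4625 "An account failed to log on" records in the text layout Frodo pasted, counts failures per target account, and flags accounts that have reached a lockout threshold. It also records which caller process produced each failure, so a burst of bad-password events all coming from one local interactive process (explorer.exe in the thread) can be told apart from repeated guessing before anyone concludes an attack is under way. The log records, account names and host name below are constructed; the threshold of 3 matches the policy described in the original post, and the status codes 0xc000006d / 0xc000006a are the ones shown in Frodo's paste.

```python
from collections import defaultdict

# Constructed sample record (not captured data) in the same text layout as the
# 4625 event quoted in the thread. ACCOUNT / SUBSTATUS / PROCESS are filled in.
RECORD_TEMPLATE = """An account failed to log on.

Subject:
Security ID:WORKSTATION01\\ACCOUNT
Account Name:ACCOUNT
Account Domain:WORKSTATION01
Logon ID:0x2e105

Logon Type:2

Account For Which Logon Failed:
Security ID:NULL SID
Account Name:ACCOUNT
Account Domain:

Failure Information:
Failure Reason:Unknown user name or bad password.
Status:0xc000006d
Sub Status:SUBSTATUS

Process Information:
Caller Process ID:0x132c
Caller Process Name:PROCESS
"""


def make_record(account, process, sub_status="0xc000006a"):
    return (RECORD_TEMPLATE.replace("ACCOUNT", account)
            .replace("SUBSTATUS", sub_status).replace("PROCESS", process))


# Constructed log: three failures for "alice" from explorer.exe (the pattern the
# thread describes) and one unrelated failure for "bob". Names are invented.
SAMPLE_LOG = "".join([
    make_record("alice", "C:\\Windows\\explorer.exe"),
    make_record("alice", "C:\\Windows\\explorer.exe"),
    make_record("alice", "C:\\Windows\\explorer.exe"),
    make_record("bob", "C:\\Windows\\System32\\winlogon.exe"),
])

RECORD_START = "An account failed to log on."
BAD_PASSWORD = "0xc000006a"  # sub status the thread shows for a wrong password
# Real section headers in a 4625 body. "Account Domain:" with an empty value also
# ends in a colon, so headers are matched against this set, not by shape alone.
SECTION_HEADERS = {"Subject", "Account For Which Logon Failed", "Failure Information",
                   "Process Information", "Network Information",
                   "Detailed Authentication Information"}


def parse_4625_records(text):
    """Split the text into 4625 records and pull out the fields we care about."""
    records = []
    for chunk in text.split(RECORD_START)[1:]:
        sections = defaultdict(dict)
        section = ""  # fields outside any header (e.g. Logon Type) live here
        for raw in chunk.splitlines():
            line = raw.strip()
            if not line:
                section = ""  # a blank line closes the current section
                continue
            if line.endswith(":") and line[:-1] in SECTION_HEADERS:
                section = line[:-1]
                continue
            key, _, value = line.partition(":")  # split on the first colon only
            sections[section][key.strip()] = value.strip()
        records.append({
            "subject": sections["Subject"].get("Account Name", ""),
            "target": sections["Account For Which Logon Failed"].get("Account Name", ""),
            "logon_type": sections[""].get("Logon Type", ""),
            "status": sections["Failure Information"].get("Status", ""),
            "sub_status": sections["Failure Information"].get("Sub Status", ""),
            "process": sections["Process Information"].get("Caller Process Name", ""),
        })
    return records


def summarize_failures(records, lockout_threshold):
    """Count failures per target account and flag those at or over the threshold."""
    summary = {}
    for rec in records:
        entry = summary.setdefault(rec["target"],
                                   {"failures": 0, "bad_password": 0, "processes": set()})
        entry["failures"] += 1
        if rec["sub_status"].lower() == BAD_PASSWORD:
            entry["bad_password"] += 1
        entry["processes"].add(rec["process"])
    for entry in summary.values():
        entry["would_lock"] = entry["failures"] >= lockout_threshold
        entry["processes"] = sorted(entry["processes"])
    return summary


def report(summary, lockout_threshold):
    """Render the summary as text lines, calling out a single-process source."""
    lines = []
    for account, entry in sorted(summary.items()):
        state = "LOCKOUT" if entry["would_lock"] else "ok"
        lines.append(f"{account}: {entry['failures']} failures "
                     f"(threshold {lockout_threshold}) -> {state}")
        if entry["would_lock"] and len(entry["processes"]) == 1:
            lines.append(f"  all failures came from {entry['processes'][0]}; "
                         "check for an application interaction before assuming guessing")
    return lines


if __name__ == "__main__":
    found = parse_4625_records(SAMPLE_LOG)
    print("\n".join(report(summarize_failures(found, 3), 3)))
```

To run it against a real export, paste the text of the 4625 events from Event Viewer into a file and feed its contents to parse_4625_records instead of SAMPLE_LOG; the Caller Process Name field is the one that separates the applet interaction described in this thread from a genuine run of failed logons.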