Windows Server 2003 Troubleshoot computer accounts


Troubleshoot computer accounts: The Active Directory Users and Computers MMC snap-in can be used to diagnose and resolve issues related to computer accounts. Open the Active Directory Users and Computers console, drill down to the computer account you wish to troubleshoot and right-click the computer. A shortcut menu will appear.

Troubleshooting a computer account using the Active Directory Users and Computers console.

As you can see from the menu, you have the following options available:

Disable Account - which would render it unusable, but keeps all rights, permissions and group memberships intact if you choose to re-enable it at a later date.

Reset Account - For each workstation or server that is a member of a domain, there is a secure channel with a domain controller. The secure channel's password is stored along with the computer account on all domain controllers. If, for some reason, the computer account's password and the LSA secret are not synchronized, the Netlogon service will log an error. It is then that the computer account must be reset.

Move - Move the account to another location, for example, a different OU container.
All Tasks - Gives access to Disable Account, Reset Account, Move and Manage, as well as running Resultant Set of Policy on the computer.

Resultant Set of Policy - Can be used to troubleshoot Group Policy problems on an account.

A disabled account will be shown as disabled in the list. To re-enable a computer account, right-click the computer and select the Enable option.

Re-enabling a computer account: After you have re-enabled the account, a dialog box will appear stating the computer account has been re-enabled.

The re-enabled computer account verification.

The account will appear in the list of computer accounts and be accessible for use.

Reset computer accounts: Resetting a computer account is done in the same manner as disabling and re-enabling a computer account. Open the Active Directory Users and Computers console and select the computer account you wish to reset. Right-click the computer account and select Reset. A dialog box will prompt you to confirm that you wish to complete this procedure.

Resetting a computer account using Active Directory Users and Computers.
Click Yes to reset the account.

Troubleshoot user accounts: User account issues can be caused by a number of factors. The following section explains some of the issues and ways to diagnose and solve user account problems.

Diagnose and resolve account lockouts: When a user's account is locked out, it is because it has breached the password policy implemented in Group Policy. When designing a password policy for a domain or OU, remember that you have to maintain a balance between the security needs of the network and the administrative load on the personnel responsible for unlocking accounts that have breached the policy.

Creating a Password Policy for a Domain: Administrators can create password policies to enforce restrictions on domain and member server passwords. In order to create Group Policy, the Group Policy Object Editor snap-in must first be added. This is done from within an MMC.

Open an MMC by clicking on Start | Run | MMC. When the MMC opens, select File from the menu, then select Add/Remove snap-in. Click Add to open the list of available snap-ins, and then choose Group Policy Object Editor. Click OK to confirm your selection.
Password Policy is located under Computer Configuration | Windows Settings | Security Settings | Account Policies.

The available settings for Password Policy are as follows:
Enforce Password History - determines the number of unique new passwords that have to be linked with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy allows administrators to increase security by guaranteeing that old passwords are not reused continually. The setting, by default, is 24 on domain controllers and 0 on stand-alone servers. As well, by default, member computers follow the configuration of their domain controllers.

Maximum Password Age - determines the period of time (in days) that a password can be used before the system forces the user to change it. Passwords can expire after a number of days set between 1 and 999. Specifying 0 will mean that passwords never expire. If the maximum password age is greater than 0, the minimum password age must be less than the specified maximum password age; however, if the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. Microsoft's security best practice is to have passwords expire every 30 to 90 days, depending on your environment. This way, an intruder has a limited amount of time in which to crack a password and have access to your network resources. The default setting is 42 days.

Minimum Password Age - determines the period of time (in days) that a password must be used before the user can change it. As mentioned above, a value can be chosen between 1 and 998 days, provided it is less than the Maximum Password Age (unless that setting is 0). Setting the minimum password age value to 0 allows the user to immediately change their password. Configure the minimum password age to be more than 0 if you want Enforce password history to be effective; without setting a minimum password age, users can cycle through passwords until they get back to the one that just expired. The default setting is 1 on domain controllers and 0 on stand-alone servers. Again, by default, member computers follow the configuration of their domain controllers.
Minimum Password Length - determines the least number of characters that a password for a user account may contain. A value of between 1 and 14 characters can be set. Setting the number to 0 means that no password is required. By default, this setting is 7 on domain controllers, and 0 on stand-alone servers. Again, member computers follow the domain controller configuration by default.

Passwords must meet complexity requirements - determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements:

Not contain all or any part of the user's account name
Be at least six characters in length
Contain characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example, !, $, #, %).

Complexity requirements are enforced when passwords are changed or created. By default, this setting is enabled on domain controllers and disabled on stand-alone servers. Careful planning should take place before implementing a password policy; however, once it has been put into place, it should allow for a more controlled and secure domain. Educate end-users on the basics of password use and security.

Some account password policy troubleshooting scenarios are listed below.

The password policy has been changed but it has not gone into effect. Click Start | Run | gpupdate | OK. The gpupdate command is used to refresh Group Policy settings.
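The way the five Password Policy settings described above interact is easier to see in code than in prose, in particular why Enforce Password History is ineffective without a Minimum Password Age. The following checker is an added illustration written for this page; it is not part of the original article and not Microsoft's implementation. The policy defaults are the domain controller defaults stated above. Two points are assumptions of this example: "any part of the user's account name" is interpreted as the whole account name plus any alphanumeric token of three or more characters taken from it, and passwords are kept in plaintext in the history list purely so the logic is visible (a real directory stores only hashes).

```python
"""Model of the Windows Server 2003 Password Policy settings described above.

Added example for illustration; not Microsoft's implementation.
Passwords are stored in plaintext here only so the checks are readable.
"""
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    # Defaults are the domain controller defaults quoted in the article.
    enforce_password_history: int = 24   # 0..24 remembered passwords
    maximum_password_age: int = 42       # days; 0 = passwords never expire
    minimum_password_age: int = 1        # days; 0 = may change immediately
    minimum_password_length: int = 7     # characters; 0 = no password required
    complexity_required: bool = True

    def __post_init__(self):
        # Range rules stated in the article for each setting.
        if not 0 <= self.enforce_password_history <= 24:
            raise ValueError("Enforce Password History must be 0-24")
        if not 0 <= self.maximum_password_age <= 999:
            raise ValueError("Maximum Password Age must be 0-999 days")
        if not 0 <= self.minimum_password_age <= 998:
            raise ValueError("Minimum Password Age must be 0-998 days")
        if not 0 <= self.minimum_password_length <= 14:
            raise ValueError("Minimum Password Length must be 0-14")
        # When a maximum is set, the minimum must be strictly less than it.
        if (self.maximum_password_age > 0
                and self.minimum_password_age >= self.maximum_password_age):
            raise ValueError("Minimum Password Age must be less than the maximum")


# The four character categories; three of four are required.
CATEGORY_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def complexity_failures(password, account_name):
    """Return the complexity rules (as text) that the password breaks."""
    problems = []
    if len(password) < 6:
        problems.append("fewer than six characters")
    lowered = password.lower()
    # Assumption: "any part of the account name" = whole name plus tokens >= 3 chars.
    parts = {account_name.lower()}
    parts |= {t for t in re.split(r"[^a-z0-9]+", account_name.lower()) if len(t) >= 3}
    if any(part and part in lowered for part in parts):
        problems.append("contains part of the account name")
    categories = sum(1 for p in CATEGORY_PATTERNS if re.search(p, password))
    if categories < 3:
        problems.append(f"only {categories} of 4 character categories used")
    return problems


@dataclass
class UserAccount:
    name: str
    history: list = field(default_factory=list)  # most recent (current) first
    last_change_day: int = 0                      # day number of last change


def check_change(policy, user, new_password, today):
    """Return the reasons a password change is rejected; empty list = accepted."""
    reasons = []
    age = today - user.last_change_day
    if policy.minimum_password_age > 0 and age < policy.minimum_password_age:
        reasons.append(f"changed {age} day(s) ago; minimum age is "
                       f"{policy.minimum_password_age}")
    if len(new_password) < policy.minimum_password_length:
        reasons.append(f"shorter than {policy.minimum_password_length} characters")
    if policy.complexity_required:
        reasons.extend(complexity_failures(new_password, user.name))
    remembered = user.history[:policy.enforce_password_history]
    if new_password in remembered:
        reasons.append(f"reuses one of the last {policy.enforce_password_history}")
    return reasons


def apply_change(policy, user, new_password, today):
    """Apply the change if it passes; return the rejection reasons either way."""
    reasons = check_change(policy, user, new_password, today)
    if not reasons:
        user.history.insert(0, new_password)
        user.last_change_day = today
    return reasons


def is_expired(policy, user, today):
    """Maximum Password Age: 0 means never expires."""
    return (policy.maximum_password_age > 0
            and today - user.last_change_day >= policy.maximum_password_age)


def can_cycle_back(min_age_days):
    """Can a user burn through the history in one day and reuse the old password?"""
    policy = PasswordPolicy(minimum_password_age=min_age_days)
    user = UserAccount("jsmith", history=["Winter#2003"], last_change_day=0)
    for i in range(policy.enforce_password_history):
        apply_change(policy, user, f"Temp#pass{i:02d}", today=0)
    return apply_change(policy, user, "Winter#2003", today=0) == []


if __name__ == "__main__":
    print("min age 0, old password reusable same day:", can_cycle_back(0))
    print("min age 1, old password reusable same day:", can_cycle_back(1))
```

Running the block shows that with Minimum Password Age set to 0 the user can make 24 throwaway changes and land back on the original password the same day, while a minimum age of 1 day blocks the first throwaway change and therefore the whole cycle, which is the point the article makes about pairing the two settings.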

Cannot log in to Windows 95 or Windows 98, and other passwords are not functioning. Is the password more than 14 characters? Windows 95 and Windows 98 cannot recognize passwords over 14 characters. Change the password so it is less than 14 characters.

Cannot log in to Windows 95 or Windows 98, and other passwords are not functioning. The system you are logging into does not support unusual characters. Change the password.

Troubleshooting Account Password Policies: When implementing security, think through how your organization functions and how you can use that knowledge to implement greater security with less administrative overhead.

Issues, causes and corrections for user account problems:

Issue: Computer connects to computers with the incorrect access level or account.
Cause: A user name and password was stored for this account that has either too much or too little access to resources.
Correction: Delete the stored user name and password.

Issue: Computer has incorrect access when using a shared user account.
Cause: The user account stored a user name and password for this resource.
Correction: Delete the stored user name and password.

Issue: When I log on I cannot access resources that were previously available to me.
Cause: Either a user name and/or a password which was stored for this account has expired, or the password has been changed without updating the stored information.
Correction: Correct the stored user name and password.

Passwords: Not enough can be written regarding password security. Some recommended guidelines are listed below to help you implement strong passwords and account policies.

Explain to end-users how to protect their accounts, lock their desktops and turn off their computers when they are away. Put a policy in place and enforce it.
Force the use of strong passwords by setting up Group Policy.
Discourage "sticky note syndrome." Do not allow users to write their passwords down and post them on their monitors. If a password must be written down (for example, the enterprise administrator password), make sure it is stored in a very secure location.
Never share passwords with anyone.

Use different passwords for all user accounts.
Always remember to change passwords immediately if they may have been compromised.
The SysKey utility may be used throughout a network. This utility is used to enable strong encryption of stored account password information. The utility can be started by clicking on Start | Run | syskey.

These are just a few common-sense guidelines that administrators can follow when educating clients about the importance of passwords.

Diagnose and resolve issues related to user account properties: Creating and managing users in Windows Server 2003 has changed very little from the methodology used in Windows 2000 Server. Accounts may be added using the Active Directory Users and Computers console or from the command prompt with a utility called dsadd. (Obviously, using this console means that you have Active Directory installed and properly running on the 2003 Server.)

The dsadd utility and the syntax to use with the command.

Pop Quiz Questions
1. How many characters can be used in a username?
2. What can an administrator do using the "ldifde" command?
3. Can an administrator delete an Active Directory object using the CSVDE command?
4. What happens when you disable a user account?
5. What happens when you reset a computer account?

Pop Quiz Answers
1. Up to 20 characters, uppercase, lowercase or a combination of the two can be used in a username.
2. The ldifde command line utility allows administrators to create, modify, and delete directory objects on Windows Server 2003 and Windows XP Professional machines.
3. No, CSVDE can only be used to import and export from Active Directory, not to create or delete objects. You must use the ldifde command for those functions.
4. Disabling a user account renders it unusable, but keeps all rights, permissions and group memberships intact if you choose to re-enable it at a later date.
5. Resetting the computer account synchronizes the computer account's password with the LSA.

Jada Brock-Soldavini is the author of the book InsideScoop to Windows Server 2003 Certification Examination 70-290 Managing and Maintaining a Microsoft Windows Server 2003 Environment. Jada works for the State of Georgia as a Network Services Administrator. She has co-authored or contributed to numerous other works pertaining to Microsoft Windows technologies. In her spare time she enjoys cooking, writing and reading anything that pertains to network and security technology. To buy my book, please visit www.totalrecallpress.com.
