Windows 7 : How to Troubleshoot Authentication Issues (part 1) - Identifying Logon Restrictions

1/2/2014 3:16:59 AM

Sometimes, users might experience problems authenticating to resources that have more complex causes than mistyping a password or leaving the Caps Lock key on. The sections that follow describe troubleshooting techniques that can help you better isolate authentication problems.

UAC Compatibility Problems

Users often confuse authentication and authorization issues. This isn't a surprise because both types of problems can show the exact same error message: "Access is denied." Because UAC limits the user's privileges and many applications were not designed to work with UAC, security errors are bound to be even more frequent in Windows Vista and Windows 7 than they were in Windows XP.

Most UAC-related problems are authorization-related, not authentication-related. If the user doesn't receive a UAC prompt at all but still receives a security error, it's definitely an authorization problem. If the user receives a UAC prompt and the user's credentials are accepted (or if the user logs on as an administrator and only needs to click Continue), it's definitely an authorization problem. UAC problems are authentication-related only if UAC prompts a user for credentials and rejects the user's password.

1. Identifying Logon Restrictions

Often, authentication problems occur because administrators have configured logon restrictions to enforce the organization's security requirements. Logon restrictions include locking accounts after several incorrect attempts at typing a password, allowing users to log on only during specific hours, requiring users to change their passwords regularly, disabling accounts, and accounts that expire on a specific date. The sections that follow describe each of these types of logon restrictions.

Note

DETERMINING LOGON CONTEXT

Users can authenticate to the local user database or an AD DS domain. Logon restrictions defined for the domain only apply to domain accounts, and vice versa. Therefore, when examining logon restrictions for users, you must determine their logon context.

The quickest way to do this is to open a command prompt and run the command set to display all environment variables. Then, look for the USERDOMAIN line. If the user logged on with a local user account, this will be the computer name (shown on the COMPUTERNAME line). If the user logged on with an AD DS user account, this will be the name of the domain. You can also check the LOGONSERVER line to determine whether a domain controller or the local computer authenticated the user.

Account Lockout

If a user provides incorrect credentials several times in a row (for example, if an attacker is attempting to guess a user's password, or if a user repeatedly mistypes a password), Windows can block all authentication attempts for a specific amount of time.

Account lockout settings are defined by Group Policy settings in the Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies node as follows:

  • The number of incorrect attempts is defined by the Account Lockout Threshold setting.

  • The time that the number of attempts must occur within is defined by the Reset Account Lockout Counter After policy.

  • The time that the account is locked out is defined by the Account Lockout Duration policy.

Use the Resultant Set Of Policy tool (Rsop.msc) to identify a computer's effective Group Policy settings. To use the Resultant Set Of Policy tool, follow these steps:

  1. Click Start, type rsop.msc, and press Enter.

  2. In the Resultant Set Of Policy window, browse to the Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies node.

  3. The Details pane shows only the account lockout policy settings that have been defined, and which Group Policy object defined them.

If a user receives an error message indicating that her account is locked out, or she cannot log in even if she thinks she has typed her password correctly, you should validate the user's identity and then unlock the user's account. To unlock a user's account, view the user's Properties dialog box, and clear the Account Is Locked Out check box (for local Windows 7 user accounts) or the Unlock Account check box (for Windows Server 2008 R2 AD DS accounts), as shown in Figure 1. Then, click Apply.

You can identify locked out accounts by examining logon audit failures in the domain controller's Security event log with Event ID 4625.
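To show how the three lockout settings above interact, and how a run of Event ID 4625 failures reveals the result, here is an added Python model (not code from the page or from the Resource Kit) that replays constructed 4625-style entries against assumed policy values: threshold 3, reset counter after 30 minutes, lockout duration 30 minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values (the page names the settings, not the numbers):
LOCKOUT_THRESHOLD = 3                        # Account Lockout Threshold
RESET_COUNTER_AFTER = timedelta(minutes=30)  # Reset Account Lockout Counter After
LOCKOUT_DURATION = timedelta(minutes=30)     # Account Lockout Duration

# Constructed sample events: (time, event ID, target account). Real Security
# log entries carry many more fields; these three are enough for the model.
SAMPLE_EVENTS = [
    ("2014-01-02 08:00:00", 4625, "alice"),
    ("2014-01-02 08:01:00", 4625, "alice"),
    ("2014-01-02 08:40:00", 4625, "alice"),  # 39 min after the last failure: counter reset
    ("2014-01-02 08:41:00", 4625, "alice"),
    ("2014-01-02 08:42:00", 4625, "alice"),  # third failure inside the window: lockout
    ("2014-01-02 08:43:00", 4625, "alice"),  # failure while already locked out
    ("2014-01-02 09:00:00", 4625, "bob"),
    ("2014-01-02 09:00:05", 4624, "bob"),    # 4624 = successful logon, not counted
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def lockouts(events):
    """Replay 4625 events against the lockout policy; returns {account: lockout start}.
    The bad-password counter resets once RESET_COUNTER_AFTER passes since the last
    failure, and a locked account unlocks again after LOCKOUT_DURATION."""
    failures = defaultdict(list)   # account -> timestamps still being counted
    locked = {}                    # account -> time the lockout began
    for ts, event_id, account in sorted(events, key=lambda e: parse(e[0])):
        if event_id != 4625:
            continue
        t = parse(ts)
        if account in locked:
            if t < locked[account] + LOCKOUT_DURATION:
                continue           # still locked; further failures change nothing
            del locked[account]    # duration elapsed: unlocked automatically
            failures[account] = []
        recent = failures[account]
        if recent and t - recent[-1] > RESET_COUNTER_AFTER:
            recent = []            # observation window expired, counter back to 0
        recent.append(t)
        failures[account] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            locked[account] = t
    return locked
```

Running lockouts(SAMPLE_EVENTS) reports only alice, locked out from 08:42; bob's single failure followed by a successful logon never reaches the threshold.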

Logon Hour Restrictions

Administrators can also use the Account tab of an AD DS user's properties to restrict logon hours. This is useful when administrators do not want a user to log on outside his normal working hours.

If a user attempts to log on outside his allowed hours, Windows 7 displays the error message "Your account has time restrictions that prevent you from logging on at this time. Please try again later." The only way to resolve this problem is to adjust the user's logon hours by clicking the Logon Hours button on the Account tab of the user's Properties dialog box. Figure 2 shows a user who is allowed to log on between the hours of 10 and 6, Monday through Friday.

Figure 1. Windows Server 2008 R2 changes the label of the Unlock Account check box if an account is locked out.

Figure 2. Logon hours restrict users from logging on during specific times of the day during the week.

Password Expiration

Most security experts agree that users should be required to change their passwords regularly. Changing user passwords accomplishes two things:

  • If attackers are attempting to guess a password, it forces them to restart their efforts. If users never change their passwords, attackers would be able to guess them eventually.

  • If an attacker has guessed a user's password, changing the password prevents the attacker from using these credentials in the future.

Password expiration settings are defined by Group Policy settings in the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy node as follows:

  • The time before a password expires is defined by the Maximum Password Age policy.

  • The number of different passwords that users must have before they can reuse a password is defined by the Enforce Password History policy.

  • The time before users can change their password again is defined by the Minimum Password Age policy. When combined with the Enforce Password History policy, this can prevent users from changing their password back to a previous password.

If users attempt to log on interactively to a computer and their password has expired, Windows prompts them to change their password automatically. If users attempt to access a shared folder, printer, Web site, or other resource using an expired password, they will simply be denied access. Therefore, if a user calls and complains that she cannot connect to a resource, you should verify that the user's password has not expired. You can prevent specific accounts from expiring by selecting the Password Never Expires check box on the Account tab of the user's Properties dialog box.
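The following Python model is added here (it is not from the page or the Resource Kit) to show how Minimum Password Age and Enforce Password History together stop a user from cycling back to an old password, and how Maximum Password Age and the Password Never Expires setting decide expiry. The policy values (42 days, 1 day, history of 3) and the account details are assumed for the example.

```python
from datetime import date, timedelta
from hashlib import sha256

# Assumed policy values (the page names the settings, not the numbers):
MAX_PASSWORD_AGE = timedelta(days=42)   # Maximum Password Age
MIN_PASSWORD_AGE = timedelta(days=1)    # Minimum Password Age
PASSWORD_HISTORY = 3                    # Enforce Password History

def fingerprint(password):
    # The history keeps hashes, never the passwords themselves.
    return sha256(password.encode()).hexdigest()

class Account:
    def __init__(self, name, password, set_on, never_expires=False):
        self.name = name
        self.history = [fingerprint(password)]   # oldest first, current last
        self.set_on = set_on                     # date of the last change
        self.never_expires = never_expires       # Password Never Expires check box

    def is_expired(self, today):
        if self.never_expires:
            return False
        return today - self.set_on > MAX_PASSWORD_AGE

    def change_password(self, new_password, today):
        """Return None if the change is allowed, else the policy that blocked it."""
        if today - self.set_on < MIN_PASSWORD_AGE:
            return "Minimum Password Age"
        if fingerprint(new_password) in self.history[-PASSWORD_HISTORY:]:
            return "Enforce Password History"
        self.history.append(fingerprint(new_password))
        self.set_on = today
        return None

def cycling_back_demo():
    """Constructed scenario: a user rotates through throwaway passwords trying to
    get back to the original one. Returns the outcome of each attempt."""
    acct = Account("alice", "Winter2013", date(2014, 1, 1))
    attempts = [
        ("Temp1", date(2014, 1, 1)),        # same day as last change: minimum age blocks it
        ("Temp1", date(2014, 1, 2)),
        ("Temp2", date(2014, 1, 3)),
        ("Winter2013", date(2014, 1, 4)),   # still among the last 3: history blocks it
        ("Temp3", date(2014, 1, 4)),        # a day since the last successful change: allowed
        ("Winter2013", date(2014, 1, 5)),   # now outside the history window: allowed
    ]
    return [(pw, acct.change_password(pw, day)) for pw, day in attempts]
```

With a longer history value the user would need correspondingly more distinct changes, each a day apart, before the old password became reusable.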

Disabled Account

Administrators can disable user accounts to prevent a user from logging on. This is useful if a user is going on vacation and you know she won't be logging on for a period of time, or if a user's account is compromised and IT needs the user to contact them before logging on.

To enable a user's disabled account, clear the Account Is Disabled check box in the user's Properties dialog box.

Account Expiration

In AD DS domains, accounts can be configured to expire. This is useful for users who will be working with an organization for only a limited amount of time. For example, if a contract employee has a two-week contract, domain administrators might set an account expiration date of two weeks in the future.

To resolve an expired account, edit the account's properties, select the Account tab, and set the Account Expires value to a date in the future. If the account should never expire, you can set the value to Never.
