Sometimes, users might experience problems authenticating to
resources that have more complex causes than mistyping a password or
leaving the Caps Lock key on. The sections that follow describe
troubleshooting techniques that can help you better isolate
authentication problems.
1. Identifying Logon Restrictions
Often, authentication problems occur because administrators
have configured logon restrictions to enforce the organization's
security requirements. Logon restrictions include locking accounts
after several incorrect attempts at typing a password, allowing
users to log on only during specific hours, requiring users to
change their passwords regularly, disabling accounts, and accounts
that expire on a specific date. The sections that follow describe
each of these types of logon restrictions.
Note: DETERMINING LOGON CONTEXT
Users can authenticate to the local
user database or an AD DS domain. Logon restrictions defined for
the domain only apply to domain accounts, and vice versa.
Therefore, when examining logon restrictions for users, you must
determine their logon context.
The quickest way to do this is to open
a command prompt and run the set command, which displays
all environment variables. Then, look for the USERDOMAIN line. If
the user logged on with a local user account, this will be the
computer name (shown on the COMPUTERNAME line). If the user logged
on with an AD DS user account, this will be the name of the
domain. You can also check the LOGONSERVER line to determine
whether a domain controller or the local computer authenticated
the user.
If a user provides incorrect credentials several times in a
row (for example, if an attacker is attempting to guess a user's
password, or if a user repeatedly mistypes a password), Windows
can block all authentication attempts for a specific amount of
time.
Account lockout settings are defined by Group Policy
settings in the Computer Configuration\Windows Settings\Security
Settings\Account Policies\Account Lockout Policies node as
follows:
- The number of incorrect attempts is defined by the
Account Lockout Threshold setting.
- The time that the number of attempts must occur within
is defined by the Reset Account Lockout Counter After
policy.
- The time that the account is locked out is defined by
the Account Lockout Duration policy.
Use the Resultant Set Of Policy tool (Rsop.msc) to identify
a computer's effective Group Policy settings. To use the Resultant
Set Of Policy tool, follow these steps:
- Click Start, type rsop.msc, and press Enter.
- In the Resultant Set Of Policy window, expand the
Computer Configuration\Windows Settings\Security
Settings\Account Policies\Account Lockout Policies node.
- The Details pane shows only the account lockout policy
settings that have been defined, and which Group Policy object
defined them.
If a user receives an error message indicating that her
account is locked out, or she cannot log in even if she thinks she
has typed her password correctly, you should validate the user's
identity and then unlock the user's account. To unlock a user's
account, view the user's Properties dialog box, and clear the
Account Is Locked Out check box (for local Windows 7 user
accounts) or the Unlock Account check box (for Windows Server 2008
R2 AD DS accounts), as shown in Figure 1. Then, click
Apply.
You can identify locked out accounts by examining logon audit failures in the domain controller's
Security event log with Event ID 4625.
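The following PowerShell script is an added example, not part of the original text: it reads Event ID 4625 failures from the Security log and classifies each one by the NTSTATUS sub-status the event records, so you can see whether a failure was a wrong password, a locked-out account, or one of the other restrictions described in this section. The function names are invented for the example, the sub-status codes are the standard NTSTATUS values Windows writes into 4625, and the sample event is constructed so the parser can be run offline; the live query assumes an elevated session on the domain controller (or on the workstation, for local accounts).

```powershell
# Added example: classify logon audit failures (Event ID 4625) by sub-status.
# Not from the original book; function names are hypothetical.

# NTSTATUS sub-status codes recorded in the 4625 event (standard Windows values).
$SubStatusReason = @{
    0xC000006A = 'Wrong password'
    0xC0000234 = 'Account locked out (Account Lockout Threshold reached)'
    0xC0000072 = 'Account disabled'
    0xC000006F = 'Outside permitted logon hours'
    0xC0000193 = 'Account expired'
    0xC0000071 = 'Password expired'
    0xC0000064 = 'User name does not exist'
}

function ConvertFrom-LogonFailureXml {
    # Turns one 4625 event (as XML, e.g. from $event.ToXml()) into a summary object.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) {
        # GetAttribute avoids confusing the Name attribute with the element name.
        $data[$d.GetAttribute('Name')] = $d.'#text'
    }
    # SubStatus is written as text such as "0xc0000234"; normalise it to a number.
    $sub = [Convert]::ToUInt32($data['SubStatus'].Substring(2), 16)
    $reason = $SubStatusReason[$sub]
    if (-not $reason) { $reason = 'Other (sub-status 0x{0:X8})' -f $sub }
    [pscustomobject]@{
        Time        = $x.Event.System.TimeCreated.GetAttribute('SystemTime')
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Workstation = $data['WorkstationName']
        LogonType   = $data['LogonType']
        SubStatus   = '0x{0:X8}' -f $sub
        Reason      = $reason
    }
}

function Get-LogonFailure {
    # Live query: 4625 events from the last $Hours hours on $ComputerName.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonFailureXml -EventXml $_.ToXml() }
}

# Constructed sample event (not a real log record) so the parser runs offline.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2011-03-01T08:15:22.000Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000234</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">WKS01</Data>
  </EventData>
</Event>
'@

ConvertFrom-LogonFailureXml -EventXml $sampleEvent | Format-List

# Against a real domain controller, group the last day's failures by account and reason:
# Get-LogonFailure -Hours 24 -ComputerName DC01 | Group-Object Account, Reason | Sort-Object Count -Descending
```

A burst of "Wrong password" failures for one account followed by "Account locked out" from the same workstation is the pattern of a user (or a stale saved credential) retrying; the same pattern spread across many accounts from one workstation is the pattern the Account Lockout Threshold exists to contain, and is worth investigating before you unlock anything.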
Administrators can also use the Account tab of an AD DS
user's properties to restrict logon hours. This is useful when
administrators do not want a user to log on outside his normal
working hours.
If a user attempts to log on outside his allowed hours,
Windows 7 displays the error message "Your account has time
restrictions that prevent you from logging on at this time. Please
try again later." The only way to resolve this problem is to
adjust the user's logon hours by clicking the Logon Hours button
on the Account tab of the user's Properties dialog box. Figure 2 shows a user
who is allowed to log on between the hours of 10 and 6, Monday
through Friday.
Most security experts agree that users should be required to
change their passwords regularly. Changing user passwords
accomplishes two things:
- If attackers are attempting to guess a password, it
forces them to restart their efforts. If users never change
their passwords, attackers would be able to guess them
eventually.
- If an attacker has guessed a user's password, changing
the password prevents the attacker from using these
credentials in the future.
Password expiration settings are defined by Group
Policy settings in the Computer Configuration\Windows
Settings\Security Settings\Account Policies\Password Policy node
as follows:
- The time before a password expires is defined by the
Maximum Password Age policy.
- The number of different passwords that users must have
before they can reuse a password is defined by the Enforce
Password History policy.
- The time before users can change their password again is
defined by the Minimum Password Age policy. When combined with
the Enforce Password History policy, this can prevent users
from changing their password back to a previous
password.
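This added PowerShell example (not from the original text) ties together the logon-context check from the note above with the account lockout and password policy settings listed in this section: it decides from USERDOMAIN, COMPUTERNAME and LOGONSERVER whether the user is local or domain, then reads the effective policy with net accounts (adding /domain for a domain logon) and labels each line with the Group Policy setting name it corresponds to. The function names are invented, the net accounts labels are those of the English Windows output, and the sample output is constructed so the parser can run without touching a live system.

```powershell
# Added example: logon context plus effective lockout/password policy.
# Not from the original book; function names are hypothetical.

function Get-LogonContext {
    # USERDOMAIN equals COMPUTERNAME for a local account; LOGONSERVER names
    # the domain controller (or the local computer) that authenticated the user.
    $domain  = $env:USERDOMAIN
    $server  = $env:LOGONSERVER -replace '^\\\\', ''
    $isLocal = ($domain -ieq $env:COMPUTERNAME)
    [pscustomobject]@{
        User              = $env:USERNAME
        UserDomain        = $domain
        LogonServer       = $server
        Context           = $(if ($isLocal) { 'Local account' } else { 'AD DS domain account' })
        AuthenticatedByDC = -not ($server -ieq $env:COMPUTERNAME)
    }
}

# Map "net accounts" output labels to the Group Policy setting names used in the text.
$PolicyName = @{
    'Lockout threshold'                     = 'Account Lockout Threshold'
    'Lockout observation window (minutes)'  = 'Reset Account Lockout Counter After'
    'Lockout duration (minutes)'            = 'Account Lockout Duration'
    'Maximum password age (days)'           = 'Maximum Password Age'
    'Minimum password age (days)'           = 'Minimum Password Age'
    'Length of password history maintained' = 'Enforce Password History'
}

function ConvertFrom-NetAccountsOutput {
    # Parses "label: value" lines; "Never"/"None" mean the restriction is not enforced.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<label>[^:]+?):\s+(?<value>\S.*)$') {
            $label = $matches['label'].Trim()
            if ($PolicyName.ContainsKey($label)) {
                [pscustomobject]@{
                    Setting          = $PolicyName[$label]
                    Value            = $matches['value'].Trim()
                    NetAccountsLabel = $label
                }
            }
        }
    }
}

function Get-EffectiveLogonPolicy {
    # Live query: local policy for a local logon, domain policy for a domain logon.
    $ctx = Get-LogonContext
    $netArgs = @('accounts')
    if ($ctx.Context -ne 'Local account') { $netArgs += '/domain' }
    $lines = & net.exe @netArgs 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-NetAccountsOutput -Lines $lines
}

# Constructed sample of "net accounts" output (not captured from a real machine).
$sampleOutput = @(
    'Force user logoff how long after time expires?:       Never',
    'Minimum password age (days):                          1',
    'Maximum password age (days):                          42',
    'Minimum password length:                              8',
    'Length of password history maintained:                24',
    'Lockout threshold:                                    5',
    'Lockout duration (minutes):                           30',
    'Lockout observation window (minutes):                 30',
    'Computer role:                                        WORKSTATION'
)

Get-LogonContext | Format-List
ConvertFrom-NetAccountsOutput -Lines $sampleOutput | Format-Table -AutoSize

# On a real machine: Get-EffectiveLogonPolicy | Format-Table -AutoSize
```

The parsed sample reads: five bad attempts within a 30-minute window lock the account for 30 minutes, passwords expire after 42 days, may not be changed again for one day, and the last 24 passwords cannot be reused. A "Lockout threshold: Never" line means accounts never lock, which is the setting to question if you expected lockouts to be enforced.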
If users attempt to log on interactively to a computer and
their password has expired, Windows prompts them to change their
password automatically. If users attempt to access a shared
folder, printer, Web site, or other resource using an expired
password, they will simply be denied access. Therefore, if a user
calls and complains that she cannot connect to a resource, you
should verify that the user's password has not expired. You can
prevent specific accounts from expiring by selecting the Password
Never Expires check box on the Account tab of the user's
Properties dialog box.
Administrators can disable user accounts to prevent a user
from logging on. This is useful if a user is going on vacation and
you know she won't be logging on for a period of time, or if a
user's account is compromised and IT needs the user to contact
them before logging on.
To enable a user's disabled account, clear the Account Is
Disabled check box in the user's Properties dialog box.
In AD DS domains, accounts can be configured to expire. This
is useful for users who will be working with an organization for
only a limited amount of time. For example, if a contract employee
has a two-week contract, domain administrators might set an
account expiration date of two weeks in the future.
To resolve an expired account, edit the account's
properties, select the Account tab, and set the Account Expires
value to a date in the future. If the account should never expire,
you can set the value to Never.
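As an added example (not from the original text), the script below checks an AD DS user object against every restriction described in this section: disabled, locked out, account expired, password expired, and logon hours. It takes the properties that Get-ADUser from the ActiveDirectory module returns (Enabled, LockedOut, AccountExpirationDate, PasswordExpired, PasswordNeverExpires, logonHours), so it can be fed a real user, and a constructed sample user is included so it runs offline. The function names are invented; the logonHours decoding assumes the documented layout of that attribute (21 bytes, one bit per hour in UTC starting Sunday 00:00, least significant bit first), which you should confirm against a known account before relying on it.

```powershell
# Added example: which logon restriction is blocking a user?
# Not from the original book; function names are hypothetical.

function Test-LogonHourAllowed {
    # logonHours: 21 bytes = 168 bits, one per hour in UTC, starting Sunday 00:00;
    # bit 0 of byte 0 is the earliest hour. Absent attribute = no restriction.
    param([byte[]]$LogonHours, [datetime]$At = (Get-Date))
    if (-not $LogonHours -or $LogonHours.Count -ne 21) { return $true }
    $utc  = $At.ToUniversalTime()
    $slot = [int]$utc.DayOfWeek * 24 + $utc.Hour     # 0..167
    $byte = $slot -shr 3
    $bit  = $slot -band 7
    return (($LogonHours[$byte] -band (1 -shl $bit)) -ne 0)
}

function Get-LogonRestriction {
    # $User may be a Get-ADUser result (with the properties named in the lead-in)
    # or any object exposing the same property names.
    param([Parameter(Mandatory)]$User, [datetime]$At = (Get-Date))
    $reasons = @()
    if ($User.Enabled -eq $false) {
        $reasons += 'Account is disabled (clear Account Is Disabled)'
    }
    if ($User.LockedOut) {
        $reasons += 'Account is locked out (clear Unlock Account after verifying identity)'
    }
    if ($User.AccountExpirationDate -and $User.AccountExpirationDate -le $At) {
        $reasons += 'Account has expired (set Account Expires to a future date or Never)'
    }
    if ($User.PasswordExpired -and -not $User.PasswordNeverExpires) {
        $reasons += 'Password has expired (interactive logon will prompt; network access is denied)'
    }
    if (-not (Test-LogonHourAllowed -LogonHours $User.logonHours -At $At)) {
        $reasons += 'Outside permitted logon hours (adjust Logon Hours on the Account tab)'
    }
    [pscustomobject]@{
        User    = $User.SamAccountName
        Blocked = ($reasons.Count -gt 0)
        Reasons = $reasons
    }
}

# Constructed sample: a logonHours bitmap allowing 10:00-18:00 UTC, Monday to Friday
# (the schedule the text's Figure 2 describes, taken here as UTC for the example).
$hours = New-Object byte[] 21
foreach ($day in 1..5) {
    foreach ($h in 10..17) {
        $slot = $day * 24 + $h
        $hours[$slot -shr 3] = $hours[$slot -shr 3] -bor (1 -shl ($slot -band 7))
    }
}

# Constructed sample user: a contractor whose two-week account expired yesterday.
$sampleUser = [pscustomobject]@{
    SamAccountName        = 'contractor1'
    Enabled               = $true
    LockedOut             = $false
    AccountExpirationDate = [datetime]'2011-03-04'
    PasswordExpired       = $false
    PasswordNeverExpires  = $false
    logonHours            = $hours
}

# Saturday 20:00 UTC: both the expiry and the logon-hours restriction apply.
Get-LogonRestriction -User $sampleUser -At ([datetime]'2011-03-05T20:00:00Z') | Format-List

# Against a live domain (requires the ActiveDirectory module):
# Import-Module ActiveDirectory
# $u = Get-ADUser jdoe -Properties LockedOut,AccountExpirationDate,PasswordExpired,PasswordNeverExpires,logonHours
# Get-LogonRestriction -User $u
```

Running the checks in this order mirrors the troubleshooting sequence of the section: the report lists every restriction that applies rather than stopping at the first, which matters when, for example, an expired contractor account has also been locked out by repeated attempts and fixing only one of the two would leave the user still unable to log on.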