#26481 - 2002-08-05 03:30 PM Win98 Lock Outs
boshkov Offline
Fresh Scripter

Registered: 2002-08-05
Posts: 14
Loc: Michigan
Has anyone out there ever had or seen this problem? Once I implemented KIX, it appears that the Windows 98 systems get locked out quite a bit. If I reconfigure the users to use their old DOS scripts, they are no longer getting locked out. This is only happening to the Win9x systems. Windows 2000 and NT are fine. This is an Active Directory domain.
#26482 - 2002-08-05 08:55 PM Re: Win98 Lock Outs
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
BoshKov,

please post your script and your environment (KiXver etc.)

It gives us more info about your problem...
_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

#26483 - 2002-08-05 09:01 PM Re: Win98 Lock Outs
boshkov Offline
Fresh Scripter

Registered: 2002-08-05
Posts: 14
Loc: Michigan
SETTIME "\\amt-fs1"

USE "*" /delete

IF INGROUP("AMT Phone Router")
? "Mapping AMT Phone Router Drive"
USE G: "\\amt_phone\c"
ENDIF

IF INGROUP("AMT Design")
? "Mapping AMT Design Drive"
USE H: "\\amt-irix-srv\design$"
ENDIF

IF INGROUP("AMT Payables")
? "Mapping AMT Payables Drive"
USE L: "\\Amt-fs1\payables6$"
ENDIF

IF INGROUP("AMT Project Database")
? "Mapping AMT Project Database Drive"
USE M: "\\Amt-fs1\PROJDB2$"
ENDIF

IF INGROUP("AMT Executive Staff")
? "Mapping AMT Executive Staff Drive"
USE N: "\\Amt-fs1\MANAGE$"
ENDIF

IF INGROUP("AMT Paint")
? "Mapping AMT Paint Drive"
USE R: "\\amt-irix-srv\amtpaint"
ENDIF

IF INGROUP("AMT Special")
? "Mapping AMT Special Drive"
USE S: "\\amt-irix-srv\amtsim"
ENDIF

IF INGROUP("AMT SALES")
? "Mapping AMT Sales Drive"
USE T: "\\Amt-fs1\SALE4$"
ENDIF

IF INGROUP("AMT Systems")
? "Mapping AMT Systems Drive"
USE X: "\\amt-irix-srv\systems$"
ENDIF

IF INGROUP("Track IT")
? "Mapping AMT Track IT Drive"
USE Y: "\\Amt-fs1\tiw4std"
ENDIF

IF (INGROUP("AMT General Admin") OR INGROUP("AMT SALES"))
? "Mapping AMT General Admin Drives"
USE J: "\\Amt-fs1\PADMIN3$"
USE K: "\\Amt-fs1\ADMIN1$"
ENDIF

IF INGROUP("AMT Group Leaders")
? "Mapping AMT Group Leaders Drives"
USE M: "\\Amt-fs1\PROJDB2$"
USE N: "\\Amt-fs1\MANAGE$"
ENDIF

IF INGROUP("AMT Human Resources")
? "Mapping AMT Human Resources Drives"
USE I: "\\Amt-fs1\HR5$"
USE R: "\\Amt-fs1\RECRUITING$"
ENDIF

? "Mapping General Drives"
USE P: "\\AMT-FS1\PUB"
USE Q: "\\INTRANET\QUALITY"
USE U: @HOMESHR

EXIT

I am using Kix Version 4.10

#26484 - 2002-08-05 09:04 PM Re: Win98 Lock Outs
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
Where does it go wrong?

Have you tried KiXStrip for debugging (home.wanadoo.nl/scripting)?
_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

#26485 - 2002-08-05 09:10 PM Re: Win98 Lock Outs
boshkov Offline
Fresh Scripter

Registered: 2002-08-05
Posts: 14
Loc: Michigan
The script runs fine. Sometimes the script won't map various drives for WIN98 clients. It is not the same drive all the time. But the most annoying problem is that after the drives are mapped, while the user is working, their account will just get locked out for no apparent reason. This all started once I implemented KIX. If I reconfigure the user's account to run a regular DOS script other than the KIX script, he will not get locked out.
#26486 - 2002-08-05 09:12 PM Re: Win98 Lock Outs
boshkov Offline
Fresh Scripter

Registered: 2002-08-05
Posts: 14
Loc: Michigan
I have not tried KIXStrip.
#26487 - 2002-08-05 11:40 PM Re: Win98 Lock Outs
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
I am not sure if your U drive mapping will work, especially if you are using standard shares generated by the user manager. For Win98 every user must be assigned a share. The user manager creates pseudo shares only mappable by NT or higher.

We run Win98 clients & the only time we have lock outs is if we get password problems with one of the students. It seems to me for lock out to happen implies that the server is responding to an error condition it is sensing, it is not the client system responding. Are you checking the server log to see why the server is locking out the user or machine?

As to random mapping of drives my thoughts are:

1) You may not have a compatible 4.10 version of kxrpc running on all PDC & BDC.
2) You may not have replication running on all PDC & BDC
3) Some of your systems may have old versions of kixtart DLLs on them.
4) Are you calling kixtart from a BAT file? You should.
5) Look at the kixtart log file on the problem client machines. Are you getting any error messages?
6) Try visiting MCA's site (you can get there by choosing "scripts" on the main page of this board). Try out its kixstrip & kixcheck utilities.
_________________________
Jack

#26488 - 2002-08-05 11:41 PM Re: Win98 Lock Outs
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
Strange thing indeed,

What does eventvwr say about locking the accounts? (If necessary, adjust Auditing settings.)

I can't think of a reason why Kix should generate the problems...
_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

#26489 - 2002-08-06 12:02 AM Re: Win98 Lock Outs
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
boshkov,

Some comments:
You will need to double-up on the $ for the hidden shares.

We also changed your nested INGROUP.

Running your code through KIXSTRIP, we see:

code:
 BREAK ON 
CLS
SETTIME "\\amt-fs1"

USE "*" /delete

IF INGROUP("AMT Phone Router")
? "Mapping AMT Phone Router Drive"
USE G: "\\amt_phone\c"
ENDIF

IF INGROUP("AMT Design")
? "Mapping AMT Design Drive"
USE H: "\\amt-irix-srv\design$$"
ENDIF

IF INGROUP("AMT Payables")
? "Mapping AMT Payables Drive"
USE L: "\\Amt-fs1\payables6$$"
ENDIF

IF INGROUP("AMT Project Database")
? "Mapping AMT Project Database Drive"
USE M: "\\Amt-fs1\PROJDB2$$"
ENDIF

IF INGROUP("AMT Executive Staff")
? "Mapping AMT Executive Staff Drive"
USE N: "\\Amt-fs1\MANAGE$$"
ENDIF

IF INGROUP("AMT Paint")
? "Mapping AMT Paint Drive"
USE R: "\\amt-irix-srv\amtpaint"
ENDIF

IF INGROUP("AMT Special")
? "Mapping AMT Special Drive"
USE S: "\\amt-irix-srv\amtsim"
ENDIF

IF INGROUP("AMT SALES")
? "Mapping AMT Sales Drive"
USE T: "\\Amt-fs1\SALE4$$"
ENDIF

IF INGROUP("AMT Systems")
? "Mapping AMT Systems Drive"
USE X: "\\amt-irix-srv\systems$$"
ENDIF

IF INGROUP("Track IT")
? "Mapping AMT Track IT Drive"
USE Y: "\\Amt-fs1\tiw4std"
ENDIF

IF INGROUP("AMT General Admin","AMT SALES")
? "Mapping AMT General Admin Drives"
USE J: "\\Amt-fs1\PADMIN3$$"
USE K: "\\Amt-fs1\ADMIN1$$"
ENDIF

IF INGROUP("AMT Group Leaders")
? "Mapping AMT Group Leaders Drives"
USE M: "\\Amt-fs1\PROJDB2$$"
USE N: "\\Amt-fs1\MANAGE$$"
ENDIF

IF INGROUP("AMT Human Resources")
? "Mapping AMT Human Resources Drives"
USE I: "\\Amt-fs1\HR5$$"
USE R: "\\Amt-fs1\RECRUITING$$"
ENDIF

? "Mapping General Drives"
USE P: "\\AMT-FS1\PUB"
USE Q: "\\INTRANET\QUALITY"
IF @homeshr <> ""
USE U: @homeshr
ENDIF

EXIT

HTH,

Kent
_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's

#26490 - 2002-08-06 02:45 PM Re: Win98 Lock Outs
boshkov Offline
Fresh Scripter

Registered: 2002-08-05
Posts: 14
Loc: Michigan
I usually do not have a problem with the U: mapping. And I do not notice anything in the event log stating that there is an unsuccessful logon event. This is a Windows 2000 Active Directory domain; replication is handled by default, especially to the PDC Emulator. I recently upgraded the version to 4.10 and KIX is being run on the netlogon share. I was getting an error message stating "Failed to locate/connect to KXRPC service." After I noticed that error message, I did install the KXRPC service on all the domain controllers. The problem still exists.

The hidden shares and the home directory map, but not all the time. Why did the statement for the hidden share need to be mapped with $$? And also, I am unsure as to what this statement does....I did not notice it in any documentation. I will try the new script though.

Thanks everyone for all your help..

B

#26491 - 2002-08-06 03:03 PM Re: Win98 Lock Outs
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
The "$$" issue is no more in 4.1x. See the FAQ Topic: Why does the console display zeros and ones (amongst others)? for an explanation. Follow the link to ScriptLogic's thread as well.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#26492 - 2002-08-06 06:02 PM Re: Win98 Lock Outs
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
I usually get the failing to connect to kxrpc message if one of the BDCs does not have it running or it is running a version incompatible with the kixtart version that invoked it. Maybe you are getting some kind of timeout that prevents connection? Are the problem machines located in some kind of special environment?

We don't use AD so I don't know a lot about it but I have heard on several boards that it can be unstable with win9x clients. Of course, I have heard the opposite on other postings on this very board. Several postings have suggested that using the latest version of AD for Win9x is critical. There are several members on this board who use AD with Win9x, hopefully one of these might respond.

Final point, an account lockout is a server action. Aren't you getting a log message saying why the server is taking this action? We run NT servers & they permit unlimited client machines to use the same user account. Can Win2000 apply a restraint on the number of concurrent logons? If so, maybe this is your problem. Maybe the previous logon has not let go yet.

[ 06. August 2002, 18:06: Message edited by: JackLothian ]
_________________________
Jack

#26493 - 2002-08-08 02:43 PM Re: Win98 Lock Outs
boshkov Offline
Fresh Scripter

Registered: 2002-08-05
Posts: 14
Loc: Michigan
I no longer get the failing to connect to kxrpc service. I was able to fix that problem, but it appears that the users are still getting locked out. This only affects 3 Win98 workstations in the organization. It is a mix of 2000/98 Workstations.
#26494 - 2002-08-08 02:53 PM Re: Win98 Lock Outs
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Do you have accounts defined in more than one domain? Win9x lockouts can occur when account "xyz" exists in more than one trusted domain. When the client connects to a resource, Win9x gives the server the account and password hash. The resource server first checks its local SAM then queries all trusted domains. If the server locates a secondary account where the password is not sync'ed, a lockout can occur. NT and higher offer a resource server domain\account and password hash, avoiding the problem of duplicate accounts.
_________________________
Home page: http://www.kixhelp.com/hb/

#26495 - 2002-08-08 03:01 PM Re: Win98 Lock Outs
boshkov Offline
Fresh Scripter

Registered: 2002-08-05
Posts: 14
Loc: Michigan
There is only 1 W2K Active Directory domain.
#26496 - 2002-08-08 04:28 PM Re: Win98 Lock Outs
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Have you looked in the security event log of the PDC emulator for eventId: 644? These events log what computer caused the lockout to occur.

Also do these Win98 computers have password caching enabled? We have found that having password caching enabled leads to frequent lockout problems.
_________________________
Home page: http://www.kixhelp.com/hb/
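
Added example, not posted by anyone in this thread: one way to act on the event 644 suggestion above is to tally lockout records per account by the machine named in them. The text-dump layout, the field labels and every account and machine name are constructed assumptions for this sketch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample dump: one blank line between records. The "Label: value"
# layout and every name below are assumptions made for this example.
SAMPLE = """\
Event ID: 644
Description: User Account Locked Out:
    Target Account Name: jdoe
    Caller Machine Name: WS98-03

Event ID: 528
    User Name: asmith

Event ID: 644
Description: User Account Locked Out:
    Target Account Name: JDoe
    Caller Machine Name: ws98-03

Event ID: 644
Description: User Account Locked Out:
    Target Account Name: jdoe
    Caller Machine Name:
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_records(text):
    """Return one {label: value} dict per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (FIELD.match(line) for line in block.splitlines())
        records.append({m.group(1): m.group(2).strip() for m in pairs if m})
    return records

def lockout_sources(text):
    """Map each locked-out account to a Counter of caller machines (644 only)."""
    sources = defaultdict(Counter)
    for rec in parse_records(text):
        if rec.get("Event ID") == "644":
            account = rec.get("Target Account Name", "").lower()
            # Keep records with an empty caller field visible instead of dropping them.
            machine = rec.get("Caller Machine Name", "").upper() or "(not recorded)"
            sources[account][machine] += 1
    return sources

if __name__ == "__main__":
    for account, machines in lockout_sources(SAMPLE).items():
        print(account, machines.most_common())
```
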

#26497 - 2002-08-08 04:36 PM Re: Win98 Lock Outs
boshkov Offline
Fresh Scripter

Registered: 2002-08-05
Posts: 14
Loc: Michigan
I do not see event id 644 in the event log on the PDC Emulator. Are you speaking in terms of password caching through IE?

B

#26498 - 2002-08-08 04:40 PM Re: Win98 Lock Outs
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
I believe that MS recommends disabling Win9x caching in an NT domain. Also delete any local cached password files. Also check to see that "logon to NT domain" is enabled in the network properties.

Sometimes users will modify these parameters so they can work easier in a standalone mode.

Password caching is controlled through a registry entry. When it is enabled it sort of creates a local user manager for Win9x & when enabled Win9x caches its local logon ID & password. If this local ID or password becomes out of sync with the central domain's cached ID & password you get a conflict. The result will look like a lockout but in actual fact it will be rejected because of an invalid password.

[ 08. August 2002, 16:52: Message edited by: Jack Lothian ]
_________________________
Jack

#26499 - 2002-08-08 04:47 PM Re: Win98 Lock Outs
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Win9x has the ability to cache passwords including network passwords. They are stored in *.PWL files.

Here is some code I previously used. Please review it thoroughly before using it. Also, search TechNet for "DisablePWDCaching". There are ramifications when turning caching off, but we believe the benefits outweigh the issues in our environment.
code:
; @INWIN is 1 on Windows NT-family systems and 2 on Win9x; only Win9x keeps *.PWL caches.
If @inwin=1
    ;? "This script only runs on Win9x computers."
    Return
Endif

Dim $PWkey, $PWstr, $ReturnCode, $PWval, $RC, $outfile, $ComputerName

; One log file per computer, written in INI format on a central share.
$ComputerName=ReadValue("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName","ComputerName")
$outfile="\\ServerName\log$\PWL\$ComputerName.txt"
$RC=WriteProfileString($outfile,"Local","User","@UserID")

$PWkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network"
$PWstr = "DisablePwdCaching"

; ExistKey returns 0 when the key is present.
$ReturnCode = ExistKey($PWkey)
If $ReturnCode = 0
    Gosub "DisableCache"
Else
    ; Log the state found first, so the outcome written afterwards under the
    ; same "Action" entry is not overwritten by it.
    $RC=WriteProfileString($outfile,"Local","Action","Key does not exist")
    $ReturnCode = AddKey($PWkey)
    If $ReturnCode = 0
        Gosub "DisableCache"
    Else
        $RC=WriteProfileString($outfile,"Local","Action","Error:$ReturnCode adding registry key :$PWkey")
    Endif
Endif
Return

:DisableCache
; ReadValue sets @ERROR when the value cannot be read, including when it does
; not exist yet; in that case this routine only logs and does not create it.
$PWval=ReadValue($PWkey,$PWstr)
If @ERROR = 0
    If $PWval <> 1
        ; Log the state found before acting on it (same "Action" entry as below).
        $RC=WriteProfileString($outfile,"Local","Action","PW Caching Enabled")
        $RC=WriteValue($PWKey,$PWstr,1,"REG_DWORD")
        If $RC = 0
            ; Caching is now off: remove the cached password files as well.
            del "%windir%\*.pwl"
            $RC=WriteProfileString($outfile,"Local","Action","Disabled PW Caching")
        Else
            $RC=WriteProfileString($outfile,"Local","Action","Error Writing Key: @ERROR")
        Endif
    Else
        $RC=WriteProfileString($outfile,"Local","Action","PW Caching Already Disabled")
    Endif
Else
    $RC=WriteProfileString($outfile,"Local","Action","Error reading Key: @ERROR")
Endif
Return



[ 08. August 2002, 16:48: Message edited by: Howard Bullock ]
_________________________
Home page: http://www.kixhelp.com/hb/

#26500 - 2002-08-08 04:52 PM Re: Win98 Lock Outs
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Have you set your domain audit policy to log failed logon attempts?
_________________________
Home page: http://www.kixhelp.com/hb/
