#26481 - 2002-08-05 03:30 PM
Win98 Lock Outs
|
boshkov
Fresh Scripter
Registered: 2002-08-05
Posts: 14
Loc: Michigan
|
Has anyone out there ever had or saw this problem. Once I implemented KIX, it appears that the Windows 98 systems get locked out quite a bit. If I reconfigure the users to use their old DOS scripts, they are no longer getting locked out. This is only happening to the win9x systems. Windows 2000 and NT are fine. This is an active directory domain.
|
Top
|
|
|
|
#26483 - 2002-08-05 09:01 PM
Re: Win98 Lock Outs
|
boshkov
Fresh Scripter
Registered: 2002-08-05
Posts: 14
Loc: Michigan
|
SETTIME "\\amt-fs1"
USE "*" /delete
IF INGROUP("AMT Phone Router") ? "Mapping AMT Phone Router Drive" USE G: "\\amt_phone\c" ENDIF
IF INGROUP("AMT Design") ? "Mapping AMT Design Drive" USE H: "\\amt-irix-srv\design$" ENDIF
IF INGROUP("AMT Payables") ? "Mapping AMT Payables Drive" USE L: "\\Amt-fs1\payables6$" ENDIF
IF INGROUP("AMT Project Database") ? "Mapping AMT Project Database Drive" USE M: "\\Amt-fs1\PROJDB2$" ENDIF
IF INGROUP("AMT Executive Staff") ? "Mapping AMT Executive Staff Drive" USE N: "\\Amt-fs1\MANAGE$" ENDIF
IF INGROUP("AMT Paint") ? "Mapping AMT Paint Drive" USE R: "\\amt-irix-srv\amtpaint" ENDIF
IF INGROUP("AMT Special") ? "Mapping AMT Special Drive" USE S: "\\amt-irix-srv\amtsim" ENDIF
IF INGROUP("AMT SALES") ? "Mapping AMT Sales Drive" USE T: "\\Amt-fs1\SALE4$" ENDIF
IF INGROUP("AMT Systems") ? "Mapping AMT Systems Drive" USE X: "\\amt-irix-srv\systems$" ENDIF
IF INGROUP("Track IT") ? "Mapping AMT Track IT Drive" USE Y: "\\Amt-fs1\tiw4std" ENDIF
IF (INGROUP("AMT General Admin") OR INGROUP("AMT SALES")) ? "Mapping AMT General Admin Drives" USE J: "\\Amt-fs1\PADMIN3$" USE K: "\\Amt-fs1\ADMIN1$" ENDIF
IF INGROUP("AMT Group Leaders") ? "Mapping AMT Group Leaders Drives" USE M: "\\Amt-fs1\PROJDB2$" USE N: "\\Amt-fs1\MANAGE$" ENDIF
IF INGROUP("AMT Human Resources") ? "Mapping AMT Human Resources Drives" USE I: "\\Amt-fs1\HR5$" USE R: "\\Amt-fs1\RECRUITING$" ENDIF
? "Mapping General Drives" USE P: "\\AMT-FS1\PUB" USE Q: "\\INTRANET\QUALITY" USE U: @HOMESHR
EXIT
I am using Kix Version 4.10
|
Top
|
|
|
|
#26485 - 2002-08-05 09:10 PM
Re: Win98 Lock Outs
|
boshkov
Fresh Scripter
Registered: 2002-08-05
Posts: 14
Loc: Michigan
|
The script runs fine. Sometimes the script wont map various drives for WIN98 clients. It is not the same drive all the time. But the most annoying problem is after the drives are mapped, while the user is working, their account will just get locked out for no apparent reason. This all started once I implemented KIX. If I reconfigure the users account to run a regular DOS script other than the KIX script, he will not get locked out.
|
Top
|
|
|
|
#26486 - 2002-08-05 09:12 PM
Re: Win98 Lock Outs
|
boshkov
Fresh Scripter
Registered: 2002-08-05
Posts: 14
Loc: Michigan
|
I have not tried KIXStrip.
|
Top
|
|
|
|
#26489 - 2002-08-06 12:02 AM
Re: Win98 Lock Outs
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
boshkov,
Some comments: You will need to double-up on the $ for the hidden shares.
We also changed your nested INGROUP.
Running your code through KIXSTRIP, we see:
code:
BREAK ON CLS SETTIME "\\amt-fs1"
USE "*" /delete
IF INGROUP("AMT Phone Router") ? "Mapping AMT Phone Router Drive" USE G: "\\amt_phone\c" ENDIF
IF INGROUP("AMT Design") ? "Mapping AMT Design Drive" USE H: "\\amt-irix-srv\design$$" ENDIF
IF INGROUP("AMT Payables") ? "Mapping AMT Payables Drive" USE L: "\\Amt-fs1\payables6$$" ENDIF
IF INGROUP("AMT Project Database") ? "Mapping AMT Project Database Drive" USE M: "\\Amt-fs1\PROJDB2$$" ENDIF
IF INGROUP("AMT Executive Staff") ? "Mapping AMT Executive Staff Drive" USE N: "\\Amt-fs1\MANAGE$$" ENDIF
IF INGROUP("AMT Paint") ? "Mapping AMT Paint Drive" USE R: "\\amt-irix-srv\amtpaint" ENDIF
IF INGROUP("AMT Special") ? "Mapping AMT Special Drive" USE S: "\\amt-irix-srv\amtsim" ENDIF
IF INGROUP("AMT SALES") ? "Mapping AMT Sales Drive" USE T: "\\Amt-fs1\SALE4$$" ENDIF
IF INGROUP("AMT Systems") ? "Mapping AMT Systems Drive" USE X: "\\amt-irix-srv\systems$$" ENDIF
IF INGROUP("Track IT") ? "Mapping AMT Track IT Drive" USE Y: "\\Amt-fs1\tiw4std" ENDIF
IF INGROUP("AMT General Admin","AMT SALES") ? "Mapping AMT General Admin Drives" USE J: "\\Amt-fs1\PADMIN3$$" USE K: "\\Amt-fs1\ADMIN1$$" ENDIF
IF INGROUP("AMT Group Leaders") ? "Mapping AMT Group Leaders Drives" USE M: "\\Amt-fs1\PROJDB2$$" USE N: "\\Amt-fs1\MANAGE$$" ENDIF
IF INGROUP("AMT Human Resources") ? "Mapping AMT Human Resources Drives" USE I: "\\Amt-fs1\HR5$$" USE R: "\\Amt-fs1\RECRUITING$$" ENDIF
? "Mapping General Drives" USE P: "\\AMT-FS1\PUB" USE Q: "\\INTRANET\QUALITY" IF @homeshr <> "" USE U: @homeshr ENDIF
EXIT
HTH,
Kent
|
Top
|
|
|
|
#26490 - 2002-08-06 02:45 PM
Re: Win98 Lock Outs
|
boshkov
Fresh Scripter
Registered: 2002-08-05
Posts: 14
Loc: Michigan
|
I usually do not have a problem with the U: mapping. And i do not notice anything in the eventlog stating that there is an unsuccessful logon event. This is a Windows 2000 active directory domain replication is handled by default, especially to the PDC Emulator. I recently upgraded the version to 4.10 and KIX is being run on the netlogon share. I was getting an error message stating "Failed to locate/connect to KXRPC service." After I noticed that error message, I did install the KXRPC service on all the domain controllers. The problem still exists.
The hidden shares and the home directory map, but not all the time. Why did the statment for the hidden share need to be mapped with $$? And also, I am unsure as to what this statement does....I did not notice it in any documentation. I will try the new script though.
Thanks everyone for all your help..
B
|
Top
|
|
|
|
#26493 - 2002-08-08 02:43 PM
Re: Win98 Lock Outs
|
boshkov
Fresh Scripter
Registered: 2002-08-05
Posts: 14
Loc: Michigan
|
I no longer get the failing to connect to kxprc service. I was able top fix that problem, but it appears that the users are still getting locked out. This only effects 3 Win98 workstations in the organization. It is a mix of 2000/98 Workstations.
|
Top
|
|
|
|
#26494 - 2002-08-08 02:53 PM
Re: Win98 Lock Outs
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Do you have accounts defined in more than one domain? Win9x lockouts can occur when account "xyz" exists in more than one trusted domain. When the client connects to a resource, Win9x give the server the account and password hash. The resource server first checks its local SAM then queries all trusted domains. If the server locates a secondary account where the password is not sync'ed a lockout can occur. NT and higher offer a resource server domain\account and password hash avoiding the problem of duplicate accounts.
|
Top
|
|
|
|
#26495 - 2002-08-08 03:01 PM
Re: Win98 Lock Outs
|
boshkov
Fresh Scripter
Registered: 2002-08-05
Posts: 14
Loc: Michigan
|
There is only 1 W2K Active Directory domain.
|
Top
|
|
|
|
#26496 - 2002-08-08 04:28 PM
Re: Win98 Lock Outs
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Have you looked in the security event log of the PDC emulator for eventId: 644? These events log what computer caused the lockout to occur.
Also do these Win98 computers have password caching enabled? We have found that having password caching enabled leads to frequent lockout problems.
|
Top
|
|
|
|
#26497 - 2002-08-08 04:36 PM
Re: Win98 Lock Outs
|
boshkov
Fresh Scripter
Registered: 2002-08-05
Posts: 14
Loc: Michigan
|
I do not see event id 644 in the event log on the PDC Emulator. Are you speaking in terms of password caching through IE?
B
|
Top
|
|
|
|
#26499 - 2002-08-08 04:47 PM
Re: Win98 Lock Outs
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Win9x has the ability to cache passwords including network passwords. They are stored in *.PWL files.
Here some code I previously used. Please review it thoroughly before using it. Also, search TechNet for "DisablePWDCaching". There are ramifications when turning caching off, but we believe the benefits out way the the issues in our environment. code:
If @inwin=1 ;? "This script only runs on Win9x computers." Return Endif
Dim $PWkey, $PWstr, $ReturnCode, $PWval, $RC, $outfile, $ComputerName
$ComputerName=ReadValue("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName","ComputerName") $outfile="\\ServerName\log$\PWL\$ComputerName.txt" $RC=WriteProfileString($outfile,"Local","User","@UserID")
$PWkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network" $PWstr = "DisablePwdCaching"
$ReturnCode = ExistKey($PWkey) If $ReturnCode = 0 Gosub "DisableCache" Else $ReturnCode = AddKey($PWkey) If $ReturnCode = 0 Gosub "DisableCache" Else $RC=WriteProfileString($outfile,"Local","Action","Error:$ReturnCode adding registry key :$PWkey") Endif RC=WriteProfileString($outfile,"Local","Action","Key does not exist") Endif Return
:DisableCache $PWval=ReadValue($PWkey,$PWstr) If @ERROR = 0 If $PWval <> 1 $RC=WriteValue($PWKey,$PWstr,1,"REG_DWORD") If $RC = 0 del "%windir%\*.pwl" $RC=WriteProfileString($outfile,"Local","Action","Disabled PW Caching") Else $RC=WriteProfileString($outfile,"Local","Action","Error Writing Key: @ERROR") Endif $RC=WriteProfileString($outfile,"Local","Action","PW Caching Enabled") Else $RC=WriteProfileString($outfile,"Local","Action","PW Caching Already Disabled") Endif Else $RC=WriteProfileString($outfile,"Local","Action","Error reading Key: @ERROR") Endif Return
[ 08. August 2002, 16:48: Message edited by: Howard Bullock ]
|
Top
|
|
|
|
#26500 - 2002-08-08 04:52 PM
Re: Win98 Lock Outs
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Have you set your domain audit policy to log failed logon attempts?
|
Top
|
|
|
|
Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart
|
0 registered
and 259 anonymous users online.
|
|
|