Troubleshooting locked-out AD domain accounts

轉(zhuǎn)載于:http://gnaw0725.blog.51cto.com/156601/668123

Today a dozen or so people reported that some applications were not working properly: after logging on to the domain they could not access shares. I found this odd at the time, so I went to the clients and checked them one by one; the share service and the services the applications depend on were all running normally. I tried rebooting a client, and after the reboot it worked again, but some clients still could not be used.

So I checked the AD server and found that these accounts were in a locked-out state. I "enabled" them and they could be used again. About three hours later the same problem recurred. I then turned on the "Audit logon events" policy for both [Success] and [Failure] events and found the log entries below. Could everyone help me analyze this? How should I go about solving the problem:

User Logoff:                        Event ID: 538
    User Name:        DSH-60$
    Domain:           xxx
    Logon ID:         (0x0,0xD344B2)
    Logon Type:       3

Successful Network Logon:           Event ID: 540
    User Name:        zjjia
    Domain:           xxx
    Logon ID:         (0x0,0xD28752)
    Logon Type:       3
    Logon Process:    Kerberos
    Authentication Package:  Kerberos
    Workstation Name:
    Logon GUID:       {1b450639-51e1-689a-5eb6-072db56ed8a8}
    Caller User Name: -
    Caller Domain:    -
    Caller Logon ID:  -
    Caller Process ID: -
    Transited Services: -
    Source Network Address:  10.2.211.5
    Source Port:      27306

Answer: Based on your description, my understanding of the problem is that you want to know how to go about resolving the account lockout issue.

How to troubleshoot account lockouts
I. Preparation:

1. At the domain controller level:

(1) Make sure you have used the Default Domain Controllers Policy to enable the audit policy shown in the figure below on your domain controllers. If this is the first time you are setting this policy, run "gpupdate /force" on the domain controllers to refresh the settings:

(2) Make sure the security log on every domain controller is an appropriate size (for example 150 MB) and is configured to "Overwrite events as needed":

(3) Make sure you have enabled Netlogon.log on your domain controllers; this log will help you trace the source of NTLM authentication later:

Value Path: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value Name: DBFlag
Value Type: REG_SZ
Value Data: 0x2080FFFF

Output: %windir%\debug\netlogon.log

Reference: KB 109626 Enabling debug logging for the Net Logon service
http://support.microsoft.com/default.aspx?scid=kb;EN-US;109626

II. Troubleshooting phase:

1. 請(qǐng)先確認(rèn)發(fā)生問(wèn)題的用戶賬戶名,通常情況下,如果此用戶不是一直被鎖定,對(duì)排查來(lái)講可能就沒(méi)有什么實(shí)際的意義。所以請(qǐng)先確認(rèn)問(wèn)題是否總是發(fā)生,比如連續(xù)幾次解除鎖定后,又總是被再次鎖定。

2. 確認(rèn)完目標(biāo)用戶賬戶后,請(qǐng)?jiān)谟蛑械娜魏我慌_(tái)工作站上(比如您的工作機(jī)),將附件中的LockoutStatus.zip工具放到桌面,運(yùn)行(注意,如果您的當(dāng)前登錄賬戶不是域管理員,您需要輸入一個(gè)有權(quán)限的用戶憑據(jù)來(lái)訪問(wèn)目標(biāo)用戶賬戶的登錄失敗信息),輸入目標(biāo)賬戶名,登錄失敗的信息即顯示在輸出中(在本例中,testuser是一個(gè)被鎖定的賬戶)

3. From the output you can easily see which DC received the bad credentials, along with some related details. For troubleshooting, we need to locate the DC that received the bad credentials and then analyze the security log on that DC.

4. 請(qǐng)前往定位到的DC,保存安全日志為.evt文件,保存Netlogon.log和Netlogon.bak到備份地點(diǎn),開(kāi)始分析。

5. After filtering the security log, you should be able to find entries such as the following:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 6/22/2007
Time: 3:24:13 PM
User: NT AUTHORITY\SYSTEM
Computer: DC2003
Description:
Pre-authentication failed:
User Name: TestUser
User ID: DOMAIN2003\TestUser
Service Name: krbtgt/domain2003
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 172.16.0.123

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 6/22/2007
Time: 3:24:16 PM
User: NT AUTHORITY\SYSTEM
Computer: DC2003
Description:
User Account Locked Out:
Target Account Name: TestUser
Target Account ID: DOMAIN2003\TestUser
Caller Machine Name: XP1
Caller User Name: DC2003$
Caller Domain: DOMAIN2003
Caller Logon ID: (0x0,0x3E7)

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 6/22/2007
Time: 3:24:18 PM
User: NT AUTHORITY\SYSTEM
Computer: DC2003
Description:
Logon Failure:
Reason: Account locked out
User Name: testuser
Domain: domain2003
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: XP1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.16.0.123

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 6/22/2007
Time: 3:24:18 PM
User: NT AUTHORITY\SYSTEM
Computer: DC2003
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: testuser
Source Workstation: XP1
Error Code: 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT)

由于在測(cè)試的環(huán)境中只是一個(gè)簡(jiǎn)單的情況,所以您很容易發(fā)現(xiàn)TestUser的無(wú)效憑據(jù)來(lái)源于一臺(tái)叫XP1的客戶機(jī),IP地址是172.16.0.123。現(xiàn)實(shí)環(huán)境中,您需要仔細(xì)分析安全日志,查找無(wú)效憑據(jù)的來(lái)源與嘗試的次數(shù),往往用戶賬戶的鎖定是由于連續(xù)的無(wú)效憑據(jù)導(dǎo)致。日志分析的過(guò)程是無(wú)法用任何程序簡(jiǎn)單代替的。

6. If you find that NTLM authentication was used, you can study Netlogon.log further. Extract the Nlparse.zip tool from the attachment and use it to read the Netlogon.log you saved:

然后點(diǎn)擊“Extract”,會(huì)生成Netlogon.log-Out.csv文件,打開(kāi)此文件,您會(huì)發(fā)現(xiàn)有如下信息被記錄:

06/22 ,15:24:15,SamLogon: Network logon,domain2003\testuser,XP1,0xC000006A
06/22 ,15:24:16,SamLogon: Network logon,domain2003\testuser,XP1,0xC000006A
06/22 ,15:24:17,SamLogon: Network logon,domain2003\testuser,XP1,0xC000006A
06/22 ,15:24:18,SamLogon: Network logon,domain2003\testuser,XP1,0xC0000234

It is easy to see that the bad credentials came from the computer XP1, and that after three consecutive attempts with an invalid password the account was locked out. You can therefore determine that the cause of TestUser being locked out is XP1 repeatedly trying an invalid password.

III. Diagnosing the target computer:

Once the target computer has been located, pinpointing exactly what is sending the bad credentials is often quite difficult. If the problem is urgent, we usually just take the identified computer offline to stop it locking out important accounts. You can, of course, check some of the known common causes:

Applications
---------------------------
Many applications will cache credentials or keep active threads with credentials after a change in password, resulting in the old password continuing to be used.

Service Accounts
-----------------------------------
Service Account passwords are cached by Service Control Manager (SCM) on member computers and domain controllers in the forest. Resetting the password for a service account without resetting the password in SCM will cause account lockouts of the service account. Look for a pattern in Netlogon and event logs from individual clients as they retry logon authentication using the previous password.


Bad Password Threshold set too low
---------------------------------------------
This is probably the most common configuration issue. Many organizations have the setting at three or five attempts. By keeping this value too low, erroneous lockouts will take place. The recommended value for this policy setting is ten.

User logging on to multiple machines
-----------------------------------------------------
If a user is concurrently logged on to multiple computers, the threads of network applications running on those computers may run in the context of that locally logged-on user when accessing resources in the domain. If this user changes his/her password on one of the computers, applications running on the other computers will still use the original password. As those applications authenticate when accessing network resources, the old password is still being used, and the user's account becomes locked. When changing the password, log off from all consoles including Terminal Services sessions, change the password from a single console, and log off there as well.

Scheduled Tasks
--------------------------------------
Scheduled processes may have been configured to start using credentials that have since expired.

Persistent Drive mappings
---------------------------------------------
Persistent drives may have been mapped using credentials that have since expired. The simplest way to ensure current credentials are used is to cancel and re-establish the mapping. Persistent Net Use shares are often the cause of users locking themselves out accidentally. When explicit credentials are entered while connecting to a share, the credential is not persistent unless it is explicitly saved in Stored User Names and Passwords, whereas the mapping is persistent. Every time the user logs off, logs on, or reboots, Windows attempts to restore the connection, and the authentication attempt fails because there are no stored credentials. This increments the badPwdCount attribute. To avoid this problem, configure Net Use not to make connections persistent. To do this, type net use /persistent:no at a command prompt.

Disconnected Terminal Server sessions
-------------------------------------------
Disconnected sessions may be running a process that is using credentials or a mapped drive. A disconnected session can have exactly the same effect as a user with multiple interactive logons. The only difference is that the source of the lockout is a Terminal Server.

Service Accounts
-----------------------------------------
By default, many computer services are configured to start/log on using the "Local System" account. However, a service logon account can be manually configured to log on using a specific user account/password. If a service is configured to start with a specific user account and that user later changes his/her password, the service logon property will need to be updated with the new password, or that service may lock out that user's account.

You can also check whether it is one of the known situations described in the following KB article:

KB 841075 Trying to connect to a share via the "Run" command of the Explorer can lead to an account lockout.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841075

無(wú)效憑據(jù)的來(lái)源相當(dāng)廣泛,并往往不限于Microsoft的產(chǎn)品,所以排查的過(guò)程往往也有相當(dāng)?shù)碾y度并且也是無(wú)法利用程序或腳本來(lái)取代的。

詳細(xì)資料
以上內(nèi)容為您提供了一個(gè)排查的例子,如果您需要Troubleshooting Account Lockout更為詳細(xì)的資料,請(qǐng)閱讀附件中提供的Troubleshooting Account Lockout.zip文檔。此文檔提供了迄今為止最為詳盡的Account Lockout參考資料與排查方法,相信會(huì)成為您診斷Account Lockout問(wèn)題的最佳文檔。您看到的文章來(lái)自活動(dòng)目錄seohttp://gnaw0725.blog.51cto.com/156601/d-1

Other information
Account Lockout is not a best practice for protecting user account security; password complexity policies or Smart Cards are safer and more effective ways of protecting user accounts. At the same time, if your account lockout threshold is set too low, for example below 10, you may face a large number of account lockout problems and be forced to spend a great deal of time and effort on them. According to the Windows Server 2003 Security Guide, if you decide to use Account Lockout, refer to the following recommended settings:

Setting                              | Legacy Client              | Enterprise Client          | Specialized Security - Limited Functionality
-------------------------------------|----------------------------|----------------------------|---------------------------------------------
Account lockout duration             | 30 minutes                 | 30 minutes                 | 15 minutes
Account lockout threshold            | 50 invalid login attempts  | 50 invalid login attempts  | 10 invalid login attempts
Reset account lockout counter after  | 30 minutes                 | 30 minutes                 | 15 minutes

Reference link: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch03.mspx
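The Nlparse step in the answer above reduces Netlogon.log to one CSV row per SamLogon attempt, and the analyst then has to work out by hand which source tripped the lockout. The following Python script is an added example (it is not code from the original post and is not the Nlparse tool) that replays rows in that CSV format against a lockout policy. It tallies 0xC000006A (STATUS_WRONG_PASSWORD) per account and source workstation, applies the threshold and the "reset counter after" window the way the DC's badPwdCount behaves, and treats 0xC0000234 rows as symptoms rather than causes: once the account is locked, every source that tries it is rejected with that status, including sources presenting the correct password. The sample rows are constructed to match the CSV shown above (the three XP1 failures and the lockout), with a second workstation and a good logon added; the year 2007, the 3-attempt threshold and the 30-minute reset window are assumptions for the sample, not values from the page.

```python
"""Tally bad-password attempts per account and source workstation from
Nlparse-style Netlogon.log CSV rows, and report which source pushed the
account over the lockout threshold.

Added example; not part of the original post and not the Nlparse tool.
The sample rows are constructed to match the CSV format in the post."""
import csv
from collections import Counter
from datetime import datetime, timedelta

STATUS_WRONG_PASSWORD = "0XC000006A"      # bad password: increments badPwdCount
STATUS_ACCOUNT_LOCKED_OUT = "0XC0000234"  # rejected because already locked out

# Constructed sample (raw string so the backslash in domain\user stays literal).
SAMPLE_CSV = r"""
06/22 ,15:24:15,SamLogon: Network logon,domain2003\testuser,XP1,0xC000006A
06/22 ,15:24:16,SamLogon: Network logon,domain2003\testuser,XP1,0xC000006A
06/22 ,15:24:17,SamLogon: Network logon,domain2003\testuser,XP1,0xC000006A
06/22 ,15:24:18,SamLogon: Network logon,domain2003\testuser,XP1,0xC0000234
06/22 ,15:25:02,SamLogon: Network logon,domain2003\testuser,FILESRV1,0xC0000234
06/22 ,15:30:41,SamLogon: Network logon,domain2003\jdoe,XP2,0x0
"""


def parse_nlparse_csv(text):
    """Return (timestamp, account, workstation, status) tuples, oldest first.
    The CSV carries no year; 2007 (the date in the post) is assumed here only
    so rows can be ordered and the gaps between attempts measured."""
    rows = []
    for fields in csv.reader(text.splitlines()):
        if len(fields) < 6:
            continue  # blank or truncated line
        date, time, _kind, account, workstation, status = (f.strip() for f in fields[:6])
        ts = datetime.strptime(f"2007/{date} {time}", "%Y/%m/%d %H:%M:%S")
        rows.append((ts, account.lower(), workstation.upper(), status.upper()))
    return sorted(rows)


def analyze(text, threshold=3, reset_after=timedelta(minutes=30)):
    """Replay the rows against a lockout policy. badPwdCount is kept per
    account, not per source, so the culprit is whichever source sent the
    attempt that reached the threshold. 0xC0000234 rows do not raise the
    count: they are rejections of an account that is already locked."""
    accounts = {}
    for ts, account, ws, status in parse_nlparse_csv(text):
        acct = accounts.setdefault(account, {
            "bad_by_source": Counter(),       # 0xC000006A per workstation
            "total_bad": 0,                   # running badPwdCount
            "last_bad_at": None,
            "threshold_crossed_by": None,     # workstation that tripped lockout
            "first_lockout_at": None,
            "rejected_while_locked": Counter(),
        })
        if status == STATUS_WRONG_PASSWORD:
            # Observation window: the DC resets badPwdCount after reset_after
            if acct["last_bad_at"] and ts - acct["last_bad_at"] > reset_after:
                acct["total_bad"] = 0
            acct["bad_by_source"][ws] += 1
            acct["total_bad"] += 1
            acct["last_bad_at"] = ts
            if acct["total_bad"] == threshold and acct["threshold_crossed_by"] is None:
                acct["threshold_crossed_by"] = ws
        elif status == STATUS_ACCOUNT_LOCKED_OUT:
            acct["first_lockout_at"] = acct["first_lockout_at"] or ts
            acct["rejected_while_locked"][ws] += 1
    return accounts


def report(accounts):
    """One line per locked-out account, bad sources ordered by attempt count."""
    lines = []
    for account, a in accounts.items():
        if a["first_lockout_at"] is None:
            continue
        sources = ", ".join(f"{ws}={n}" for ws, n in a["bad_by_source"].most_common())
        lines.append(
            f"{account}: locked at {a['first_lockout_at']:%m/%d %H:%M:%S}; "
            f"bad passwords by source: {sources}; "
            f"threshold reached by {a['threshold_crossed_by']}; "
            f"rejected while locked: {dict(a['rejected_while_locked'])}")
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_CSV, threshold=3)):
        print(line)
```

Run it against the Netlogon.log-Out.csv that Nlparse produces, with threshold and reset_after set to the domain's actual lockout policy. In the sample, XP1 is the source that reached the threshold, while FILESRV1 appears only among the rejections after the lockout, which is the pattern to watch for before blaming a server that merely relayed a logon for an already-locked account.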
