Tuesday, 11 February 2014

What is Loopback Policy in Group Policy?

How to apply a Group Policy Object to individual users or computer

Last week I showed you how to exclude an individual user from having a Group Policy Object (GPO) applied, and this time I will show you how to properly apply a GPO to an individual user or computer. As I previously mentioned, it is always best to use a security group with GPO security filtering even if you are only going to apply it to a single user or computer. This avoids ever having to go back and modify the GPO security filtering if you need to add more objects to the policy in the future.
Note: Before I start, I should point out that a common mistake here is to remove the “Authenticated Users” group from the Security Filtering section of the Group Policy Object.
DON'T DO THIS!!!
You should never do this, as it causes “Inaccessible” (see image below) error messages on Group Policy Objects in the Group Policy Management Console for anyone who is not a Domain Administrator. This happens because you have removed the user's ability to read the contents of the GPO. Don't worry, though: this does not mean the policy will be applied to that user.
Step 1. Select the Group Policy Object in the Group Policy Management Console (GPMC), click the “Delegation” tab, and then click the “Advanced” button.
Step 2. Select the “Authenticated Users” security group, scroll down to the “Apply Group Policy” permission, and un-tick the “Allow” box.
Note that the “Allow” permission for “Read” still needs to remain ticked, as this prevents the Inaccessible message mentioned above.
Step 3. Now click the “Add” button and select the group (recommended) that you want this policy to apply to. Then select the group (e.g. “Accounting Users”), scroll the permission list down to the “Apply Group Policy” option, and tick the “Allow” permission.
This Group Policy will now only apply to users or computers that are members of the Accounting Users security group. However, remember that the user and/or computer still needs to be located within the scope of the Group Policy Object for the policy to be applied.
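The same three steps done with the GroupPolicy PowerShell module instead of the GPMC dialogs, as an added example that is not part of the original post; the GPO name “Accounting Settings” is assumed, and the group is the post's “Accounting Users”. The second function audits every GPO in the domain for the Authenticated Users mistake described above.

```powershell
# Added example, not from the original post. Assumed names: GPO "Accounting Settings",
# group "Accounting Users" (the post's example group).
Import-Module GroupPolicy

function Set-GpoTargetGroup {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    # Step 2: Authenticated Users keeps Read but loses Apply Group Policy.
    # -Replace removes the existing level (GpoApply) before setting GpoRead.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    # Step 3: the chosen group gets Apply Group Policy (GpoApply includes Read).
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

function Test-GpoSecurityFiltering {
    # One row per GPO: AuthUsersRead = $false means non-admins will see "Inaccessible"
    # in GPMC; ApplyTo lists every trustee that actually receives the policy.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All) {
        $perms = @(Get-GPPermission -Guid $gpo.Id -All)
        $authRead = $perms | Where-Object {
            $_.Trustee.Name -eq 'Authenticated Users' -and
            $_.Permission.ToString() -in $readLevels -and -not $_.Denied
        }
        [pscustomobject]@{
            Gpo           = $gpo.DisplayName
            AuthUsersRead = [bool]$authRead
            ApplyTo       = ($perms | Where-Object { $_.Permission.ToString() -eq 'GpoApply' } |
                             ForEach-Object { $_.Trustee.Name }) -join ', '
        }
    }
}

Set-GpoTargetGroup -GpoName 'Accounting Settings' -GroupName 'Accounting Users'
# Report GPOs that nobody can apply or that non-admins cannot read.
Test-GpoSecurityFiltering |
    Where-Object { -not $_.AuthUsersRead -or $_.ApplyTo -eq '' } |
    Format-Table -AutoSize
```

Keeping Read for Authenticated Users matters even more on systems patched with MS16-072 (June 2016), after which user policy is retrieved in the computer's security context, so the computer account must also be able to read the GPO.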



the correct way to do this is using WMI filters. But there is an
easier way which I use all the time.

1. Create the GPO and link it as usual.
2. On the GPMC select the GPO and under "Security Filtering" delete
"Authenticated Users"
3. Click Add under Security filtering and select the workstation you want the
GPO applied to. (you will need to select "Object type" - computers else you
won't be able to select a workstation)

Now the GPO will only be applied to that workstation.





What Is Kernel Memory in Task Manager?

The kernel memory shown in Task Manager is the part of the total memory available in a computer that is set aside for the operating system's own processes. The total memory consists of RAM (random-access memory) and virtual memory. "Paged" under Kernel Memory in Task Manager refers to the part of the virtual memory that is dedicated to the kernel, while "Nonpaged" refers to the dedicated kernel memory in RAM. The values for "Paged" and "Nonpaged" vary because some kernel processes are moved from RAM to virtual memory and vice versa.



Background
The idea of kernel memory comes from the computer's structure, which has a kernel layer that is responsible for the core processes that run the operating system. When you start your computer, the kernel layer identifies the processes needed to load your OS. These processes are essential, and so kernel memory was developed as part of memory management to ensure that there is always available, dedicated memory for core processes.
Nonpaged Kernel Memory
The nonpaged kernel memory in Task Manager refers to the kernel memory that uses your RAM. Operating system processes initially use the RAM during startup, but after it has been loaded, memory management transfers some of the processes to the virtual memory to free up your RAM for other applications. Your computer actively manages the memory by continuously swapping OS processes between the RAM and the virtual memory. The processes that use the RAM are called nonpaged, while those that are transferred to the virtual memory are called paged.



Paged Kernel Memory

Virtual memory is used to take some load off the RAM, making the RAM available for other applications. It uses your hard disk space by creating a file in your root folder named pagefile.sys. Similar to RAM, a portion of the pagefile.sys is blocked off for kernel memory. Idle processes used by the OS are transferred to the virtual memory. The information that you see in Task Manager for "Paged" under "Kernel Memory" is the amount used for the kernel.

Available Physical Memory
The "Available" information under "Physical Memory" in Task Manager is the free space of RAM that can be used for other applications. This value will never be zero because some processes will always be transferred to the virtual memory.

Virtual Memory
Virtual memory extends the limited capacity of RAM. For RAM to always have available memory for running applications, some processes are transferred to the pagefile.sys. The total virtual memory currently used by your computer is the "Total" under "Commit Charge" in Windows Task Manager. This total is the sum of the "Mem Usage" you see in the "Processes" tab.

What is Kernel Memory?

Kernel memory is the operating system's memory, used to complete the internal operations necessary to run the computer. It manages the devices, memory, and communication processes.





How to Troubleshoot High Memory Usage - Part 1

Problem

How do I troubleshoot high memory usage and memory performance issues?

Solution

Use Windows Task Manager to monitor memory
  1. Press CTRL+ALT+DELETE and select Task Manager.
  2. Click the Performance tab.
  3. Monitor the following over time:
    • Under Physical Memory (K), check to see if the Available value decreases. If so, you might have a memory leak.
    • Under Kernel Memory (K), observe changes in Paged and Non-paged memory to identify if it is a kernel paged or non-paged memory leak. 
  4. If you identify a leak, click the Processes tab, and select View.
  5. Select Columns and enable the following:
    • Page Faults
    • Virtual Memory Size
    • Paged Pool
    • Non-paged Pool
    • Handle Count
    • Thread Count.
  6. In the Processes tab, click Mem Usage to bring the process using the most memory on the top.

    NOTE: If you identify a process using high memory and not releasing it, use the following information to help troubleshoot the issue. You might also be requested to provide a process dump to help identify the cause.  

PoolMon and PerfMon
For a more in depth and accurate analysis, run PoolMon and PerfMon at the same time.
PoolMon
IMPORTANT: This applies if you want to use PoolMon on Windows XP or earlier: you must use Gflags.exe to enable pool tagging. Pool tagging is permanently enabled on Windows Server 2003 and later.
  1. If you are using XP, enable pool tagging as follows. If you are using Windows 2003 or later, skip to Step 2.
    • Enable pool tagging by using a dialog box:
      1. Click Start, Run, and type Gflags.
      2. In the dialog box, select Enable Pool Tagging.
      3. Restart your computer.
         
    • Enable pool tagging by using the command line:
      1. Click Start, Run, type cmd, and press ENTER.
      2. Type the following command and press ENTER:

        gflags /r +ptg
         
      3. Restart your computer.
         
  2. Prepare to run PoolMon:
    1. Poolmon.exe is included in the Microsoft Windows Driver Kit (WDK). You can download the WDK from http://www.microsoft.com/download/en/details.aspx?id=11800
    2. Install PoolMon on the computer you want to test, following the Microsoft product instructions.
       
  3. This example outlines a procedure for using PoolMon to detect a memory leak:
     
    1. Click Start, Run, type cmd, and press ENTER.
    2. Navigate to the PoolMon directory.
    3. Type the following command and press ENTER:

      IMPORTANT: To obtain the most accurate results, follow the instructions below accurately. Starting PoolMon changes the data, therefore you must let it run until it reaches a steady state and the data is reliable.

      poolmon -b -p -r -n <filename>.log
      Let PoolMon run for at least a few hours; sometimes it might need to run for a few days.
       
    4. Stop PoolMon, wait for 30 minutes, and then restart PoolMon.

      IMPORTANT: Repeat this every 30 minutes for at least two hours.
       
    5. The following script can help you take multiple snapshots over time:

      @ECHO OFF
      REM Interval between snapshots, in seconds (McAfee recommends 15 minutes)
      SET INTERVAL=900
      SET /A PINGS=%INTERVAL%+1
      :LOOP
      ECHO %DATE% %TIME% >>filename.log
      REM -n writes one snapshot to the log and exits, so the loop takes a series of snapshots
      poolmon -b -p -r -n filename.log
      REM ping is used as a sleep: N+1 pings to localhost take about N seconds (NUL is the null device)
      ping -n %PINGS% 127.0.0.1 >NUL
      GOTO LOOP

      NOTE: For the interval in seconds, McAfee recommends every 15 minutes.
       
    6. When data collection is complete, examine the following values for each tag, and note any that continually increase:
      • Diff (allocations minus free bytes)
      • Bytes (number of bytes allocated minus number of bytes freed)
         
    7. Examine the allocations that were increasing, and determine whether the bytes have now been freed. Allocations that have still not been freed, or have continued to increase in size, are the likely cause.
For more details on PoolMon usage, see http://msdn.microsoft.com/en-us/library/ff547083(v=vs.85).aspx.
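To turn the log that the snapshot loop above appends to into a list of suspect tags, here is an added PowerShell example (not part of the McAfee article). It assumes the “%DATE% %TIME%” stamp lines use the US date format and that PoolMon rows have the shape “Tag Type Allocs (delta) Frees (delta) Diff Bytes (delta) PerAlloc”; the sample log below is constructed to show one tag that keeps growing.

```powershell
# Added example, not from the McAfee article. Parses the log written by the snapshot loop
# above; the sample below is constructed. Assumes US-format "%DATE% %TIME%" stamp lines and
# rows of the form "Tag Type Allocs (delta) Frees (delta) Diff Bytes (delta) PerAlloc".
$StampPattern = '^\w{3} \d{2}/\d{2}/\d{4} +\d{1,2}:\d{2}:\d{2}'
$RowPattern   = '^\s*(?<Tag>\S{1,4})\s+(?<Type>Nonp|Paged|Both)\s+\d+\s*\(\s*-?\d+\)\s+\d+\s*\(\s*-?\d+\)' +
                '\s+(?<Diff>-?\d+)\s+(?<Bytes>\d+)\s*\(\s*-?\d+\)'

function Read-PoolmonSnapshots {
    param([string[]] $Lines)
    $snapshots = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match $StampPattern) {
            $current = @{ Time = $line.Trim(); Tags = @{} }
            $snapshots += $current
        } elseif ($null -ne $current -and $line -match $RowPattern) {
            # A tag can appear in both pools, so key on tag and pool type.
            $current.Tags["$($Matches.Tag)/$($Matches.Type)"] = [pscustomobject]@{
                Diff = [int]$Matches.Diff; Bytes = [long]$Matches.Bytes
            }
        }
    }
    return $snapshots
}

function Find-GrowingPoolTags {
    param([object[]] $Snapshots, [int] $MinSnapshots = 3)
    if ($Snapshots.Count -lt $MinSnapshots) { throw "Need at least $MinSnapshots snapshots" }
    $keys = $Snapshots | ForEach-Object { $_.Tags.Keys } | Sort-Object -Unique
    foreach ($key in $keys) {
        # Only tags present in every snapshot can be judged.
        if ($Snapshots | Where-Object { -not $_.Tags.ContainsKey($key) }) { continue }
        $series = @($Snapshots | ForEach-Object { $_.Tags[$key] })
        $growing = $true
        for ($i = 1; $i -lt $series.Count; $i++) {
            # "Continually increase": both Diff (outstanding allocations) and Bytes must rise.
            if ($series[$i].Diff -le $series[$i - 1].Diff -or $series[$i].Bytes -le $series[$i - 1].Bytes) {
                $growing = $false; break
            }
        }
        if ($growing) {
            [pscustomobject]@{
                Tag        = $key
                FirstBytes = $series[0].Bytes
                LastBytes  = $series[-1].Bytes
                Growth     = $series[-1].Bytes - $series[0].Bytes
            }
        }
    }
}

# Constructed sample: three snapshots 15 minutes apart; only the "Leak" tag keeps growing.
$SampleLog = @'
Tue 02/11/2014 10:00:00.00
 Tag  Type     Allocs            Frees            Diff     Bytes          Per Alloc
 Ntfx Nonp      1000 (   0)       990 (   0)       10      4000 (     0)      400
 Leak Paged      500 (   0)       100 (   0)      400     40000 (     0)      100
 Thre Nonp       300 (   0)       300 (   0)        0         0 (     0)        0
Tue 02/11/2014 10:15:00.00
 Ntfx Nonp      1100 ( 100)      1090 ( 100)       10      4000 (     0)      400
 Leak Paged      900 ( 400)       100 (   0)      800     80000 ( 40000)      100
 Thre Nonp       320 (  20)       310 (  10)       10       960 (   960)       96
Tue 02/11/2014 10:30:00.00
 Ntfx Nonp      1200 ( 100)      1195 ( 105)        5      2000 ( -2000)      400
 Leak Paged     1300 ( 400)       100 (   0)     1200    120000 ( 40000)      100
 Thre Nonp       320 (   0)       320 (  10)        0         0 (  -960)        0
'@ -split "`r?`n"

$report = Find-GrowingPoolTags -Snapshots (Read-PoolmonSnapshots -Lines $SampleLog)
$report | Sort-Object Growth -Descending | Format-Table -AutoSize
# A flagged tag can be matched to its driver with the pooltag.txt list shipped in the WDK.
```

For a real capture, replace the sample with Get-Content on the log the loop wrote.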
 
PerfMon
PerfMon offers several methods to save captured data. However, McAfee uses Microsoft Binary Performance Log (BLG) format to troubleshoot performance issues.
Windows 7 users
  1. Click Start, Run, type cmd, and press ENTER.
  2. Type the following command and press ENTER:

    perfmon
     
  3. Click Data Collector Sets, User Defined.
  4. Right-click User Defined, select New, and select Data Collector Set.
  5. Type a name (for example, McAfee <date_timestamp>), select Create manually, and click OK.
  6. Under Create data logs, only select Performance counter, and click Next.
  7. Click Add. In the next page from the drop-down list, select Processor, select <All instances>,  and click Add.
  8. Select Memory from the drop-down list and select <All instances>,  then click Add.
  9. Select Process from the drop-down list, and select <All instances> from the next drop-down list.
  10. Click Add, OK, Next, Next, then select Start this data collector set now, and click Finish.
    Wait for the data to run long enough to capture the information and collect the log while reproducing the issue.
  11. Right-click User Defined, select and right-click the <log name> and click Stop.
  12. Retrieve the log from C:\Perflogs\Admin\examplename\computername_date-time\DataCollector01.blg.
Windows XP users
  1. Click Start, Run, type cmd, and press ENTER.
  2. Type the following command and press ENTER:

    perfmon
     
  3. Click Performance Logs and Alerts.
  4. Right-click Counter logs, and select New Log Settings.
  5. Type a name (for example, McAfee <date_timestamp>) and click OK.
  6. Click Add Objects, select Processor, and click Add.
  7. Select Memory, and click Add, Close, Add counters.
  8. Under Performance Object, select Process from the drop-down list.
  9. Select All counters and All instances, then click Add, Close.
  10. Select Apply and click OK to continue.
    Wait for the data to run long enough to capture the information and collect the log while reproducing the issue.
  11. Click the Stop icon on the menu bar.
  12. Retrieve the log from C:\perflogs\logs.blg

DNS Resource Records

Different types of resource records can be used to provide DNS-based data about computers on a TCP/IP network. This section describes the following resource records:
  • SOA
  • NS
  • A
  • PTR
  • CNAME
  • MX
  • SRV
Next, it lists some of the other resource records specified by RFC standards. Finally, it lists resource records that are specific to the Windows 2000 implementation and one resource record specified by the ATM Forum.

SOA Resource Records

Every zone contains a Start of Authority (SOA) resource record at the beginning of the zone. SOA resource records include the following fields:
  • The Owner, TTL, Class, and Type fields, as described in "Resource Record Format" earlier in this chapter.
  • The authoritative server field shows the primary DNS server authoritative for the zone.
  • The responsible person field shows the e-mail address of the administrator responsible for the zone. It uses a period (.) instead of an at symbol (@).
  • The serial number field shows how many times the zone has been updated. When a zone's secondary server contacts the master server for that zone to determine whether it needs to initiate a zone transfer, the zone's secondary server compares its own serial number with that of the master. If the serial number of the master is higher, the secondary server initiates a zone transfer.
  • The refresh field shows how often the secondary server for the zone checks to see whether the zone has been changed.
  • The retry field shows how long after sending a zone transfer request the secondary server for the zone waits for a response from the master server before retrying.
  • The expire field shows how long after the previous zone transfer the secondary server for the zone continues to respond to queries for the zone before discarding its own zone as invalid.
  • The minimum TTL field applies to all the resource records in the zone whenever a time to live value is not specified in a resource record. Whenever a resolver queries the server, the server sends back resource records along with the minimum time to live. Negative responses are cached for the minimum TTL of the SOA resource record of the authoritative zone.
The following example shows the SOA resource record:
noam.reskit.com. IN SOA (
noamdc1.noam.reskit.com. ; authoritative server for the zone
administrator.noam.reskit.com. ; zone admin e-mail
; (responsible person)
5099 ; serial number
3600 ; refresh (1 hour)
600 ; retry (10 mins)
86400 ; expire (1 day)
60 ) ; minimum TTL (1 min)

NS Resource Records

The name server (NS) resource record indicates the servers authoritative for the zone. They indicate primary and secondary servers for the zone specified in the SOA resource record, and they indicate the servers for any delegated zones. Every zone must contain at least one NS record at the zone root.
For example, when the administrator on reskit.com delegated authority for the noam.reskit.com subdomain to noamdc1.noam.reskit.com., the following line was added to the zones reskit.com and noam.reskit.com:
noam.reskit.com. IN NS noamdc1.noam.reskit.com.

A Resource Records

The address (A) resource record maps an FQDN to an IP address, so the resolvers can request the corresponding IP address for an FQDN. For example, the following A resource record, located in the zone noam.reskit.com, maps the FQDN of the server to its IP address:
noamdc1 IN A 172.16.48.1

PTR Records

The pointer (PTR) resource record, in contrast to the A resource record, maps an IP address to an FQDN. For example, the following PTR resource record maps the IP address of noamdc1.noam.reskit.com to its FQDN:
1.48.16.172.in-addr.arpa. IN PTR noamdc1.noam.reskit.com.

CNAME Resource Records

The canonical name (CNAME) resource record creates an alias (synonymous name) for the specified FQDN. You can use CNAME records to hide the implementation details of your network from the clients that connect to it. For example, suppose you want to put an FTP server named ftp1.noam.reskit.com on your noam.reskit.com subdomain, but you know that in six months you will move it to a computer named ftp2.noam.reskit.com, and you do not want your users to have to know about the change. You can just create an alias called ftp.noam.reskit.com that points to ftp1.noam.reskit.com, and then when you move your computer, you need only change the CNAME record to point to ftp2.noam.reskit.com. For example, the following CNAME resource record creates an alias for ftp1.noam.reskit.com:
ftp.noam.reskit.com. IN CNAME ftp1.noam.reskit.com.
Once a DNS client queries for the A resource record for ftp.noam.reskit.com, the DNS server finds the CNAME resource record, resolves the query for the A resource record for ftp1.noam.reskit.com, and returns both the A and CNAME resource records to the client.
Note
According to RFC 2181, there must be only one canonical name per alias.

MX Resource Records

The mail exchange (MX) resource record specifies a mail exchange server for a DNS domain name. A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol (SMTP) to another mail exchange server that is closer to the final destination, or queuing it for a specified amount of time.
Note
Only mail exchange servers use MX records.
If you want to use multiple mail exchange servers in one DNS domain, you can have multiple MX resource records for that domain. The following example shows MX resource records for the mail servers for the domain noam.reskit.com.:
*.noam.reskit.com. IN MX 0 mailserver1.noam.reskit.com.
*.noam.reskit.com. IN MX 10 mailserver2.noam.reskit.com.
*.noam.reskit.com. IN MX 10 mailserver3.noam.reskit.com.
The first three fields in this resource record are the standard owner, class, and type fields. The fourth field is the mail server priority, or preference value. The preference value specifies the preference given to the MX record among MX records. Lower priority records are preferred. Thus, when a mailer needs to send mail to a certain DNS domain, it first contacts a DNS server for that domain and retrieves all the MX records. It then contacts the mailer with the lowest preference value.
For example, suppose Jane Doe sends an e-mail message to JohnDoe@noam.reskit.com on a day that mailserver1 is down, but mailserver2 is working. Her mailer tries to deliver the message to mailserver1, because it has the lowest preference value, but it fails because mailserver1 is down. This time, Jane's mailer can choose either mailserver2 or mailserver3, because their preference values are equal. It successfully delivers the message to mailserver2.
To prevent mail loops, if the mailer is on a host that is listed as an MX for the destination host, the mailer can deliver only to an MX with a lower preference value than its own host.
Note
The sendmail program requires special configuration if a CNAME is not referenced in the MX record.

SRV Records

With MX records, you can have multiple mail servers in a DNS domain, and when a mailer needs to send mail to a host in the domain, it can find the location of a mail exchange server. But what about other applications, such as the World Wide Web or telnet?
Service (SRV) resource records enable you to specify the location of the servers for a specific service, protocol, and DNS domain. Thus, if you have two Web servers in your domain, you can create SRV resource records specifying which hosts serve as Web servers, and resolvers can then retrieve all the SRV resource records for the Web servers.
The format of an SRV record is as follows:
_Service._Proto.Name TTL Class SRV Priority Weight Port Target
  • The _Service field specifies the name of the service, such as http or telnet. Some services are defined in the standards, and others can be defined locally.
  • The _Proto field specifies the protocol, such as TCP or UDP.
  • The Name field specifies the domain name to which the resource record refers.
  • The TTL and Class fields are the same as the fields defined earlier in this chapter.
  • The Priority field specifies the priority of the host. Clients attempt to contact the host with the lowest priority.
  • The Weight field is a load balancing mechanism. When the priority field is the same for two or more records in the same domain, clients should try records with higher weights more often, unless the clients support some other load balancing mechanism.
  • The Port field shows the port of the service on this host.
  • The Target field shows the fully qualified domain name for the host supporting the service.
The following example shows SRV records for Web servers:
_http._tcp.reskit.com. IN SRV 0 0 80 webserver1.noam.reskit.com.
_http._tcp.reskit.com. IN SRV 10 0 80 webserver2.noam.reskit.com.
Note
This example does not specify a TTL. Therefore, the resolver uses the minimum TTL specified in the SOA resource record.
If a computer needs to locate a Web server in the reskit.com DNS domain, the resolver sends the following query:
_http._tcp.www.reskit.com.
The DNS server replies with the SRV records listed above. The resolver then chooses between WebServer1 and WebServer2 by looking at their priority values. Because WebServer1 has the lowest priority value, the DNS server chooses WebServer1.
Note
If the priority values had been the same, but the weight values had been different, the client would have chosen a Web server randomly, except that the server with the highest weight value would have had a higher probability of being chosen.
Next, the resolver requests the A record for webserver1.reskit.com, and the DNS server sends the A record. Finally, the client attempts to contact the Web server.
For more information about SRV records, see the Internet Engineering Task Force (IETF) link on the Web Resources page. Windows 2000 supports the Internet Draft titled "A DNS RR for specifying the location of services (DNS SRV)."
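The MX preference and SRV priority/weight rules described above, worked through in PowerShell as an added example (not from the Resource Kit). It reads the MX and SRV records quoted above, assumes records are written without a TTL as in those examples, and takes mailserver1 to be down as in the Jane Doe scenario.

```powershell
# Added example, not from the Resource Kit. Records below are copied from the examples
# above; the parser assumes the "owner IN TYPE rdata" form used there (no TTL field).
$ZoneText = @'
*.noam.reskit.com. IN MX 0 mailserver1.noam.reskit.com.
*.noam.reskit.com. IN MX 10 mailserver2.noam.reskit.com.
*.noam.reskit.com. IN MX 10 mailserver3.noam.reskit.com.
_http._tcp.reskit.com. IN SRV 0 0 80 webserver1.noam.reskit.com.
_http._tcp.reskit.com. IN SRV 10 0 80 webserver2.noam.reskit.com.
'@ -split "`r?`n"

function ConvertFrom-ZoneRecord {
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        $f = -split $line.Trim()
        if ($f.Count -lt 5 -or $f[1] -ne 'IN') { continue }
        switch ($f[2]) {
            'MX'  { [pscustomobject]@{ Owner = $f[0]; Type = 'MX'; Pref = [int]$f[3]; Target = $f[4] } }
            'SRV' { [pscustomobject]@{ Owner = $f[0]; Type = 'SRV'; Priority = [int]$f[3]
                                       Weight = [int]$f[4]; Port = [int]$f[5]; Target = $f[6] } }
        }
    }
}

function Get-MxDeliveryOrder {
    param([object[]] $Records, [string[]] $Unreachable = @())
    # Lowest preference first; hosts known to be down are skipped, and equal
    # preferences are tried in random order (mailserver2 or mailserver3 above).
    $Records | Where-Object { $_.Type -eq 'MX' -and $_.Target -notin $Unreachable } |
        Group-Object Pref | Sort-Object { [int]$_.Name } | ForEach-Object {
            $_.Group | Sort-Object { Get-Random } | ForEach-Object { $_.Target }
        }
}

function Get-SrvTargetOrder {
    param([object[]] $Records)
    # By priority ascending; within one priority, pick randomly in proportion to weight,
    # so a heavier record is chosen more often (weight-0 records are tried last).
    $groups = $Records | Where-Object { $_.Type -eq 'SRV' } |
        Group-Object Priority | Sort-Object { [int]$_.Name }
    foreach ($grp in $groups) {
        $pool = @($grp.Group)
        while ($pool.Count -gt 0) {
            $total = [int]($pool | Measure-Object -Property Weight -Sum).Sum
            # All-zero weights: treat every remaining record as weight 1.
            $weights = @($pool | ForEach-Object { if ($total -gt 0) { $_.Weight } else { 1 } })
            $r = Get-Random -Minimum 0 -Maximum ([int]($weights | Measure-Object -Sum).Sum)
            $acc = 0; $pick = 0
            for ($i = 0; $i -lt $pool.Count; $i++) {
                $acc += $weights[$i]
                if ($r -lt $acc) { $pick = $i; break }
            }
            "$($pool[$pick].Target):$($pool[$pick].Port)"
            $pool = @(0..($pool.Count - 1) | Where-Object { $_ -ne $pick } | ForEach-Object { $pool[$_] })
        }
    }
}

$records = ConvertFrom-ZoneRecord -Lines $ZoneText
Get-MxDeliveryOrder -Records $records -Unreachable 'mailserver1.noam.reskit.com.'
Get-SrvTargetOrder -Records $records
```

With the records above the MX order is mailserver2 and mailserver3 in random order, and the SRV order is always webserver1:80 then webserver2:80 because their priorities differ.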

Less Common Resource Records

Table 5.3 shows some other resource records and the RFCs that define them. Many of these resource records are considered experimental.
Table 5.3 Less Common Resource Record Types
Record type (defining RFC): description
  • AAAA (RFC 1886): Special address record that maps a host (computer or other network device) name to an IPv6 address.
  • AFSDB (RFC 1183): Gives the location of either an Andrew File System (AFS) cell database server, or a Distributed Computing Environment (DCE) cell's authenticated server. The AFS system uses DNS to map a DNS domain name to the name of an AFS cell database server. The Open Software Foundation's DCE Naming Service uses DNS for a similar function.
  • HINFO (RFC 1035): The host information resource record identifies a host's hardware type and operating system. The CPU Type and Operating System identifiers come from the computer names and system names listed in RFC 1700.
  • ISDN (RFC 1183): The Integrated Services Digital Network (ISDN) resource record is a variation of the A (address) resource record. Rather than mapping an FQDN to an IP address, the ISDN record maps the name to an ISDN address. An ISDN address is a phone number that consists of a country/region code, an area code or country/region code, a local phone number, and optionally, a subaddress. The ISDN resource record is designed to be used in conjunction with the route through (RT) resource record.
  • MB (RFC 1035): The mailbox (MB) resource record is an experimental record that specifies a DNS host with the specified mailbox. Other related experimental records are the mail group (MG) resource record, the mailbox rename (MR) resource record, and the mailbox information (MINFO) resource record.
  • MG (RFC 1035): The mail group (MG) resource record is an experimental record that specifies a mailbox that is a member of the mail group (mailing list) specified by the DNS domain name. Other related experimental records are the MB resource record, the MR resource record, and the MINFO resource record.
  • MINFO (RFC 1035): The MINFO resource record is an experimental record that specifies a mailbox that is responsible for the specified mailing list or mailbox. Other related experimental records are the MB resource record, the MG resource record, and the MR resource record.
  • MR (RFC 1035): The MR resource record is an experimental record that specifies a mailbox that is the proper rename of another specified mailbox. Other related experimental records are the MB resource record, the MG resource record, and the MINFO resource record.
  • RP (RFC 1183): Identifies the responsible person (RP) for the specified DNS domain or host.
  • RT (RFC 1183): The route through (RT) resource record specifies an intermediate host that routes packets to a destination host. The RT record is used in conjunction with the ISDN and X25 resource records. It is syntactically and semantically similar to the MX record type and is used in much the same way.
  • TXT (RFC 1035): The text resource (TXT) record associates general textual information with an item in the DNS database. A typical use is for identifying a host's location (for example, Location: Building 26S, Room 2499). A single TXT record can contain multiple strings, up to 64 kilobytes (KB).
  • WKS (RFC 1035): The well-known service (WKS) resource record describes the services provided by a particular protocol on a particular interface. The protocol is usually UDP or TCP, but can be any of the entries listed in the Windows 2000 Protocols file located in %SystemRoot%\System32\Drivers\Etc\Protocol. The services are the services below port number 256 from the Windows 2000 Services file located in %SystemRoot%\System32\Drivers\Etc\Services.
  • X.25 (RFC 1183): The X.25 resource record is a variation of the A (address) resource record. Rather than mapping a FQDN to an IP address, the X.25 record maps the name to an X.121 address. X.121 is the International Standards Organization (ISO) standard that specifies the format of addresses used in X.25 networks. The X.25 resource record is designed to be used in conjunction with the route through (RT) resource record.

Resource Records Not Defined in RFCs

In addition to the resource record types listed in the RFCs, Windows 2000 uses the following resource record types, shown in Table 5.4.
Table 5.4 Resource Record Types Not Defined in the RFCs
Name: description
  • WINS: The Windows 2000 DNS server can use a WINS server for looking up the host portion of a DNS name that does not exist in the DNS zone authoritative for the name.
  • WINS reverse lookup (WINS-R): This entry is used in a reverse lookup zone for finding the host portion of the DNS name if given its IP address. A DNS server issues a NetBIOS adapter status query if the zone authoritative for the queried IP address does not contain the record and does contain the WINS-R resource record.
  • ATMA: The ATMA resource record, defined by the ATM Forum, is used to map DNS domain names to ATM addresses. For more information, contact the ATM Forum for the ATM Name System Specification Version 1.0.

Delegation and Glue Records

Delegation and glue records are records that you add to a zone in order to delegate a subdomain into a separate zone. A delegation is an NS record in the parent zone that lists the name server authoritative for the delegated zone. A glue record is an A record for the name server authoritative for the delegated zone.
For example, suppose the name server for the DNS domain reskit.com delegated authority for the noam.reskit.com zone to the name server noamNS.noam.reskit.com. You add the following records to the reskit.com zone:
noam.reskit.com. IN NS noamNS.noam.reskit.com
noamNS.noam.reskit.com. IN A 172.16.54.1
Delegations are necessary for name resolution. Glue records are also necessary if the name server authoritative for the delegated zone is also a member of that domain. A glue record is necessary in the example above because noamNS.noam.reskit.com. is a member of the delegated domain noam.reskit.com. However, if it was a member of a different domain, the resolver can perform standard name resolution to resolve the name of the authoritative name server to an IP address.
When a resolver submits a query for a name in the child zone to the name server that is authoritative for the parent zone, the server authoritative for the parent zone checks its zone. The delegation tells it which name server is authoritative for the child zone. The server authoritative for the parent zone can then return a referral to the resolver.

How to TroubleShoot Account Lockout Issues?

Account Lockout Tools


The LockoutStatus.exe Tool

The LockoutStatus.exe tool displays information about a locked-out account. It does this by gathering account lockout-specific information from Active Directory. The following list describes the different information that is displayed by the tool:
  • DC Name: Displays all domain controllers that are in the domain.
  • Site: Displays the sites in which the domain controllers reside.
  • UserState: Displays the status of the user and whether that user is locked out of their account.
  • Bad Pwd Count: Displays the number of bad logon attempts on each domain controller. This value confirms the domain controllers that were involved in the account lockout.
  • Last Bad Pwd: Displays the time of the last logon attempt that used a bad password.
  • Pwd Last Set: Displays the value of the last good password or when the computer was last unlocked.
  • Lockout Time: Displays the time when the account was locked out.
  • Orig Lock: Displays the domain controller that locked the account (the domain controller that made the originating write to the LockoutTime attribute for that user).

Where to Obtain the LockoutStatus.exe Tool

LockoutStatus.exe is included with the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site.

How to Install the LockoutStatus.exe Tool

To install the LockoutStatus.exe tool, install the ALTools package on your domain controller.

How to Use the LockoutStatus.exe Tool

To run the LockoutStatus.exe tool and display information about a locked out user account:
  1. Double-click LockoutStatus.exe.
  2. On the File menu, click Select target.
  3. Type the user name whose lockout status on the enterprise's domain controllers you want information about.
The following figure displays an example where two domain controllers have a badPwdCount value of 5, which is also the bad password threshold. One domain controller is the PDC operations master, and the other domain controller is the authenticating domain controller. These two domain controllers are displayed because of password chaining from the authenticating domain controller to the PDC.
Figure 2: The LockoutStatus.exe Tool
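The same per-domain-controller view that LockoutStatus.exe shows, built with the ActiveDirectory PowerShell module as an added example (it is not part of ALTools). The user name jdoe is assumed, the lockout threshold is read from the default domain password policy, and every domain controller is queried separately because badPwdCount is not replicated between them.

```powershell
# Added example, not part of the ALTools package. Assumed input: sAMAccountName 'jdoe'.
# badPwdCount, badPasswordTime and lockoutTime are read from every DC because badPwdCount
# is not replicated; the originating DC for the lockout comes from replication metadata.
Import-Module ActiveDirectory

function ConvertFrom-FileTime {
    param([long] $Value)
    if ($Value -gt 0) { [DateTime]::FromFileTime($Value) } else { $null }
}

function Get-LockoutStatusReport {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties badPwdCount, badPasswordTime, lockoutTime, pwdLastSet, LockedOut
        } catch {
            Write-Warning "$($dc.HostName): $_"
            continue
        }
        # "Orig Lock": the DC that made the originating write to lockoutTime.
        $origin = $null
        if ($u.lockoutTime -gt 0) {
            $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName `
                    -Server $dc.HostName -Properties lockoutTime
            $origin = $meta.LastOriginatingChangeDirectoryServerIdentity
        }
        [pscustomobject]@{
            DCName      = $dc.HostName
            Site        = $dc.Site
            UserState   = if ($u.LockedOut) { 'Locked Out' } else { 'Not Locked Out' }
            BadPwdCount = $u.badPwdCount
            # True on the DCs that reached the threshold (PDC plus the authenticating DC).
            AtThreshold = ($threshold -gt 0 -and $u.badPwdCount -ge $threshold)
            LastBadPwd  = ConvertFrom-FileTime $u.badPasswordTime
            PwdLastSet  = ConvertFrom-FileTime $u.pwdLastSet
            LockoutTime = ConvertFrom-FileTime $u.lockoutTime
            OrigLock    = $origin
        }
    }
}

Get-LockoutStatusReport -SamAccountName 'jdoe' |
    Sort-Object BadPwdCount -Descending | Format-Table -AutoSize
```

The DCs with AtThreshold set are the ones to check first in the Netlogon and Security event logs for the client that sent the bad credentials.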


The ALockout.dll Tool

The ALockout.dll tool and the Appinit.reg script are included in the ALTools package. ALockout.dll is a logging tool that may help you determine the program or process that is sending the incorrect credentials in an account lockout scenario. The tool attaches itself to a variety of function calls that a process might use for authentication. The tool then saves information about the program or process that is making those calls into the Systemroot\Debug\Alockout.txt file. The events are time stamped so that you can match them to the events that are logged in either the Netlogon log files or the Security event log files.
You can use Appinit.reg to initialize the .dll file. This file provides no other functionality.
Note
Microsoft does not recommend that you use this tool on servers that host network programs or services. You should not enable ALockout.dll on Exchange servers because the ALockout.dll tool may prevent the Exchange store from starting.
Important
Before you install the ALockout.dll tool on any mission-critical computer, make a full backup copy of the operating system and any valuable data.
For more information, see "Errors Installing Exchange Server with CleanSweep" on the Microsoft Knowledge Base.
In most account lockout scenarios, you should install ALockout.dll on client computers. Use the information that is stored in both the Netlogon log file and the Security event log to determine the computers from which the incorrect credentials are being sent that are locking out the user's account. When you install the ALockout.dll tool on the client computer that is sending the incorrect credentials, the tool logs the process that is sending the incorrect credentials.

Where to Obtain the ALockout.dll Tool

ALockout.dll is included with the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site.

How to Install the ALockout.dll Tool

There are two versions of the ALockout.dll file. One version of the file is for computers that are running a Windows 2000 operating system, and the other version of the file is for computers that are running a Windows XP operating system. View the Readme.txt file that is included with the ALTools package.
To install ALockout.dll
  1. On the computer that has generated account lockout error messages in the Security event log, copy both the ALockout.dll and Appinit.reg files to the Systemroot\System32 folder.
  2. Double-click the Appinit.reg file to run the script. When you do this, the ALockout.dll file is registered and can begin providing information.
  3. Restart the computer to complete the installation.

How to Remove the ALockout Tool

To remove the ALockout.dll file from the computer
  1. At a command prompt, type regsvr32 /u alockout.dll.
  2. Delete the Alockout.dll value that is under the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

    AppInit_DLLs

    After you delete the Alockout.dll value, the AppInit_DLLs registry key is blank.
  3. Restart the computer.
  4. Delete the ALockout.dll file from the Systemroot\System32 folder.

How to Use the ALockout.dll Tool

You should use the ALockout.dll tool with Netlogon logging and security auditing. To use the ALockout.dll tool:
  1. Wait for an account to lock out on the computer.
  2. When an account is locked out, the ALockout.txt file is created in the Systemroot\Debug folder.
  3. Compare event time stamps in ALockout.txt with the time stamps in both the Netlogon log files and the Security event log files. When you do this, you can determine the process that is causing the lockouts.
You can use the ALockout.dll tool if you have already set up Netlogon logging, as well as Kerberos and logon auditing on the local computer. ALockout.dll does not interfere with any other logging or event generation.

The ALoInfo.exe Tool

If account lockouts seem to happen most frequently after a user is forced to change their password, you may want to determine which users' passwords are about to expire. You can use the ALoInfo.exe tool to display all user account names and the password age for those user accounts. This will allow you to use the ALockout.dll tool and other account lockout tools to set up the tools prior to the initial account lockout. You can also obtain a list of all local services and startup account information by using the ALoInfo.exe tool.
Note
You can also use the SecDump tool to display password expiration information in a Windows NT Server 4.0 domain. You can download this tool from the SystemTools Web site. Note that Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.

Where to Obtain the ALoInfo.exe Tool

The ALoInfo.exe file is included with the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site.

How to Install the ALoInfo.exe Tool

To install the ALoInfo.exe tool, install the ALTools package on your domain controller. The ALTools package contains the ALoInfo.exe tool.

How to Use the ALoInfo.exe Tool

You can use ALoInfo.exe at a command prompt with either of the following methods:
  • To display account password ages from a domain controller, at a command prompt, type the following:

    aloinfo /expires /server:Domain_Controller_Name
    
  • To display all local service startup account information and mapped drive information for a user who is currently logged on, at a command prompt, type the following command:

    aloinfo /stored /server:Computer_Name
    
You can redirect the output of ALoInfo.exe to a text file and then sort the results to determine which users may be involved in the account lockout. This information can also be stored for later analysis.

The AcctInfo.dll Tool

You can use the AcctInfo.dll tool to add new property pages to user objects in the Active Directory Users and Computers MMC Snap-in. You can use these property pages to help isolate and troubleshoot account lockouts and to reset a user's password on a domain controller in that user's local site.
AcctInfo.dll displays the following user account information that you may be able to use to identify and resolve account lockout issues:
  • Last time the password was set
  • When the password will expire
  • User Account Control Raw Value and Decode
  • Time the account was locked out
  • If the account is locked out now, when it will be unlocked
  • Security identifier (SID) of the account, and its SIDHistory
  • Globally unique identifier (GUID) of the account
  • These account properties:

    • Last Logon
    • Last Logoff
    • Last Bad Logon Time
    • Logon Count
    • Bad Password Count
You can also use the AcctInfo.dll tool to obtain the domain password information (expiration, lockout time, and so on). You can type the user's computer name in the tool, and then reset the user's password on a domain controller in that user's site.
Note
Because of replication latency, domain controllers may store different information about the same user account. AcctInfo.dll displays information that is retrieved from a single domain controller.
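The values AcctInfo.dll displays (the userAccountControl decode, the lockout and unlock times, and the password expiry) are all derived from raw directory attributes, and it helps to know how that derivation works when you read them. The following is an added Python example, not code from this document or from the ALTools package; it decodes the well-known userAccountControl flag bits and converts the 64-bit FILETIME-style attributes (pwdLastSet, lockoutTime) and the negative-interval domain settings (lockoutDuration, maxPwdAge) into "when will it unlock" and "when does the password expire" answers. The sample attribute values at the bottom are constructed, not taken from any directory.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Active Directory stores pwdLastSet, lockoutTime and similar attributes as 64-bit
# counts of 100-nanosecond ticks since 1601-01-01 UTC (the Windows FILETIME epoch).
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Well-known userAccountControl flag bits (a subset of the documented values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

# The most negative 64-bit value: in lockoutDuration it means "locked until an
# administrator unlocks the account", in maxPwdAge it means "passwords never expire".
NEVER_INTERVAL = -(2 ** 63)


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert a FILETIME-style attribute to a UTC datetime; 0 means 'never set'."""
    if ticks == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used below to build the constructed sample values."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_uac(raw: int) -> List[str]:
    """Expand the raw userAccountControl integer into its named flags."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if raw & bit]


def unlock_time(lockout_time: int, lockout_duration: int) -> Optional[datetime]:
    """When a locked account unlocks on its own. lockoutDuration is a negative 100 ns
    interval; returns None if the account is not locked or stays locked until reset."""
    locked_at = filetime_to_datetime(lockout_time)
    if locked_at is None or lockout_duration == NEVER_INTERVAL:
        return None
    return locked_at + timedelta(microseconds=-lockout_duration // 10)


def is_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """True if the account is locked at 'now': lockoutTime is set and the duration
    has not yet elapsed (this is what the LOCKOUT flag display reflects)."""
    if filetime_to_datetime(lockout_time) is None:
        return False
    if lockout_duration == NEVER_INTERVAL:
        return True
    return now < unlock_time(lockout_time, lockout_duration)


def password_expires(pwd_last_set: int, max_pwd_age: int, uac: int) -> Optional[datetime]:
    """pwdLastSet plus the domain maxPwdAge (a negative interval), unless the account
    has DONT_EXPIRE_PASSWORD or the domain never expires passwords."""
    if uac & 0x10000 or max_pwd_age == NEVER_INTERVAL:
        return None
    last_set = filetime_to_datetime(pwd_last_set)
    if last_set is None:
        return None  # pwdLastSet == 0 means the user must change the password at next logon
    return last_set + timedelta(microseconds=-max_pwd_age // 10)


# Constructed sample values (not read from any real directory).
SAMPLE_LOCKED_AT = datetime_to_filetime(datetime(2014, 2, 11, 9, 0, tzinfo=timezone.utc))
SAMPLE_LOCKOUT_DURATION = -30 * 60 * 10_000_000          # 30 minutes
SAMPLE_MAX_PWD_AGE = -42 * 24 * 3600 * 10_000_000        # 42 days
SAMPLE_UAC = 0x210                                       # NORMAL_ACCOUNT | LOCKOUT

if __name__ == "__main__":
    print("flags:", decode_uac(SAMPLE_UAC))
    print("unlocks at:", unlock_time(SAMPLE_LOCKED_AT, SAMPLE_LOCKOUT_DURATION))
    print("password expires:", password_expires(SAMPLE_LOCKED_AT, SAMPLE_MAX_PWD_AGE, SAMPLE_UAC))
```

Because each domain controller holds its own copy of lockoutTime and badPwdCount, the answers above are only as current as the domain controller the attributes were read from, which is the replication caveat the note makes.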

Where to Obtain the AcctInfo.dll Tool

The AcctInfo.dll tool is included in the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site.

How to Install the AcctInfo.dll Tool

On the computer where you want to run Active Directory Users and Computers MMC Snap-in:
  1. Copy the AcctInfo.dll file to the System32 folder.
  2. At a command prompt, type regsvr32 acctinfo.dll, and then press ENTER.
The AcctInfo.dll file is registered and is displayed on a user's property sheet in the Active Directory Users and Computers MMC Snap-in after you follow these steps.
To use the Account Lockout Status button in the tool, verify that LockoutStatus.exe is in the Systemroot\System32 folder. If LockoutStatus.exe is not installed in this location, this button is unavailable.

How to Use the AcctInfo.dll Tool

To use the AcctInfo.dll tool, open the Active Directory Users and Computers MMC, right-click a user, click Properties, and then click Additional Account Info. An example of the information that is provided by AcctInfo.dll is shown in the following figure.
Figure 3: Main Property Box
The following figure displays the domain password policy information that you can view to determine the password policy that applies to the domain controller.
Figure 4: Domain Password Policy

Change Password on a Domain Controller in the User's Site

The AcctInfo.dll tool allows you to increase the functionality of the Active Directory Users and Computers MMC by adding the ability to reset a user's password in that user's local site. When you reset the password in the remote site, you avoid replication delays that can occur before that user logs on.
When you reset the password, you can also unlock the account and set the User must change password value. These options are in the Change Password On a DC In The Users Site box as displayed in the following figure.
Figure 5: Change Password On a DC In The Users Site

How to Remove the AcctInfo.dll Tool

To remove the AcctInfo.dll tool, delete the AcctInfo.dll file from the Systemroot\System32 folder, and then type the following command at a command prompt:
regsvr32 /u acctinfo.dll

The EventCombMT.exe Tool

You can use the EventCombMT.exe tool to gather specific events from event logs from several different computers into one central location. You can configure EventCombMT.exe to search for events and computers. Some specific search categories are built into the tool, such as account lockouts. Note that the account lockouts category is preconfigured to include events 529, 644, 675, 676, and 681.
Figure 6: The EventCombMT.exe Tool

Where to Obtain the EventCombMT.exe Tool

The EventCombMT.exe tool is included in the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site.

How to Install the EventCombMT.exe Tool

You do not need to install this tool separately. When you install ALTools on the domain controller, EventCombMT.exe is also installed to the directory you specified during setup.

How to Use the EventCombMT.exe Tool

To use the EventCombMT.exe tool, open the folder you specified during setup for ALTools, double-click EventCombMT.exe, click the Searches menu, click Built in searches, and then click Account lockouts. When you do this, the events that will be pulled from the event logs are automatically displayed in the tool. These events are from all of the domain controllers in your environment. In addition to 529, 644, 675, and 681, type 12294 in the Event Ids box, and then click Search. The tool then searches the computers for these events, and then saves them to a .txt file that you specify.
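Once EventCombMT.exe has written the collected events to a text file, the remaining work is to sift them: the failed-credential events (529, 675, 681) tell you which client is sending the wrong password for which account, and the lockout events (644, 12294) tell you when each domain controller locked the account. The following is an added Python example, not code from this document or from the ALTools package, that performs that sift over a constructed tab-separated file (computer, time, event ID, user, client); the real EventCombMT.exe output layout differs, so the parser's column layout is an assumption made for the example.

```python
import csv
from collections import Counter
from dataclasses import dataclass
from io import StringIO
from typing import List, Tuple

# Event IDs in the tool's built-in "Account lockouts" search, plus 12294 as the text advises.
LOCKOUT_EVENT_IDS = {529, 644, 675, 676, 681, 12294}
BAD_CREDENTIAL_IDS = {529, 675, 681}   # failed logon, Kerberos pre-auth failure, NTLM failure
LOCKOUT_NOTICE_IDS = {644, 12294}      # the account was locked out


@dataclass
class Event:
    computer: str   # domain controller that logged the event
    time: str       # timestamp kept as text in a sortable YYYY-MM-DD HH:MM:SS form
    event_id: int
    user: str       # target account
    client: str     # workstation / caller machine named in the event


def parse_comb_output(text: str) -> List[Event]:
    """Parse tab-separated rows: computer, time, event_id, user, client.
    Assumed layout for this example; lines starting with '#' are comments."""
    events = []
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if not row or row[0].startswith("#"):
            continue
        computer, time, event_id, user, client = row
        events.append(Event(computer, time, int(event_id), user, client))
    return events


def filter_lockout_events(events: List[Event], ids=LOCKOUT_EVENT_IDS) -> List[Event]:
    """Keep only the lockout-related events, in time order."""
    return sorted((e for e in events if e.event_id in ids), key=lambda e: e.time)


def bad_credential_sources(events: List[Event]) -> Counter:
    """Count failed-credential events per (user, client). The pair with the highest
    count is the client from which the incorrect credentials are being sent."""
    return Counter((e.user, e.client) for e in events if e.event_id in BAD_CREDENTIAL_IDS)


def top_source(events: List[Event]) -> Tuple[Tuple[str, str], int]:
    """The (user, client) pair with the most failed-credential events."""
    return bad_credential_sources(events).most_common(1)[0]


def lockout_timeline(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(time, domain controller, user) for every lockout notice, in time order."""
    return [(e.time, e.computer, e.user)
            for e in filter_lockout_events(events, LOCKOUT_NOTICE_IDS)]


# Constructed sample rows, not real EventCombMT.exe output.
SAMPLE_OUTPUT = """\
# computer\ttime\tevent_id\tuser\tclient
DC01\t2014-02-11 09:00:01\t529\tuser1\tWKS07
DC01\t2014-02-11 09:00:02\t540\tuser2\tWKS03
DC02\t2014-02-11 09:00:03\t675\tuser1\tWKS07
DC01\t2014-02-11 09:00:04\t529\tuser1\tWKS07
DC01\t2014-02-11 09:00:05\t529\tuser1\tSRV-APP1
DC02\t2014-02-11 09:00:06\t681\tuser1\tWKS07
DC01\t2014-02-11 09:00:07\t529\tuser1\tWKS07
DC01\t2014-02-11 09:00:08\t644\tuser1\tWKS07
"""

if __name__ == "__main__":
    events = parse_comb_output(SAMPLE_OUTPUT)
    print("failed credentials by (user, client):", bad_credential_sources(events))
    print("lockouts:", lockout_timeline(events))
```

In the constructed data the successful logon (540) is dropped, WKS07 stands out as the client repeatedly sending a wrong password for user1, and the 644 event marks when DC01 locked the account; that client is the one on which the document recommends installing ALockout.dll.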

The NLParse.exe Tool

Because Netlogon log files may become more than 10 MB in size, you may want to parse the files for the information that you want to view. You can use the NLParse.exe tool to parse Netlogon log files for specific Netlogon return status codes. The output from this tool is saved to a comma-separated values (.csv) file that you can open in Excel to sort further.
Note
The return codes that are specific to account lockouts are 0xC000006A and 0xC0000234.
The following figure displays the interface for the NLParse.exe tool.
Figure 7: Netlogon-Parse Return Status Codes

Where to Obtain the NLParse.exe Tool

The NLParse.exe tool is included in the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site.

How to Install the NLParse.exe Tool

You do not need to install this tool separately; when you install ALTools on the domain controller, NLParse.exe is also installed.

How to Use the NLParse.exe Tool

To use the NLParse.exe tool, open the folder you specified during setup for ALTools, double-click Nlparse.exe, click Open to open the Netlogon.log file that you want to parse, select the check boxes for the status codes that you want to search for, and then click Extract. After you do this, view the output from the NLParse.exe tool. Typically, you may want to look at both the 0xC000006A and 0xC0000234 code statuses to determine from where the lockouts are coming.

The FindStr.exe Tool

You can also use the FindStr.exe tool to parse Netlogon log files. FindStr.exe is a command-line tool that you can use to parse several Netlogon.log files at the same time. After you gather the Netlogon.log files from several domain controllers, extract information about a specific user account from the files (user1, error code 0xC000006A, or error code 0xC0000234). You can use this tool to help you obtain output about a user, computer, or error code in the Netlogon.log files.

Where to Obtain the FindStr.exe Tool

The FindStr.exe tool is included in the default installation of Windows 2000, Windows XP, and the Windows Server 2003 family operating systems. No additional installation or configuration is required for the FindStr.exe tool.

How to Use the FindStr.exe Tool

To use the FindStr.exe tool, rename the Netlogon.log files, and then save the files to one folder. To parse all of the Netlogon log files, type the following command at a command prompt:
FindStr /I User1 *netlogon*.log >c:\user1.txt
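Both NLParse.exe and the FindStr command above reduce to the same operation: read the Netlogon.log gathered from each domain controller, keep the SamLogon entries that return 0xC000006A (STATUS_WRONG_PASSWORD) or 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT), optionally restrict them to one user name (case-insensitively, as FindStr /I does), and count which client each failure came from. The following is an added Python example, not code from this document or from the ALTools package, that does this over several renamed log files at once. The sample log lines are constructed in the general shape of a Netlogon SamLogon entry; the exact Netlogon.log layout varies between Windows versions, so the line pattern is an assumption made for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterator, NamedTuple, Optional

# Netlogon return status codes the document associates with account lockouts.
LOCKOUT_STATUS = {
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the "Returns <status>" line of a SamLogon entry. Assumed layout for this
# example: "MM/DD HH:MM:SS [LOGON] ... logon of DOMAIN\user from CLIENT ... Returns 0x..."
_LINE = re.compile(
    r"^(?P<time>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?logon of (?P<user>\S+) "
    r"from (?P<client>\S+) .*?Returns (?P<status>0x[0-9A-Fa-f]+)"
)


class LogonResult(NamedTuple):
    dc: str       # which domain controller's log the entry came from
    time: str
    user: str     # as logged, e.g. CONTOSO\user1
    client: str   # workstation that sent the credentials
    status: str   # normalised 0xHEX status code


def parse_netlogon(dc: str, text: str) -> Iterator[LogonResult]:
    """Yield one LogonResult per 'Returns' line; 'Entered' lines carry no status and are skipped."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            status = "0x" + m["status"][2:].upper()
            yield LogonResult(dc, m["time"], m["user"], m["client"], status)


def find_lockout_sources(logs: Dict[str, str], user: Optional[str] = None) -> Counter:
    """Count lockout-related results per (dc, user, client, status name), optionally
    restricted to one account name (compared without the domain prefix, case-insensitively)."""
    counts = Counter()
    for dc, text in logs.items():
        for r in parse_netlogon(dc, text):
            if r.status not in LOCKOUT_STATUS:
                continue
            if user and r.user.split("\\")[-1].lower() != user.lower():
                continue
            counts[(r.dc, r.user, r.client, LOCKOUT_STATUS[r.status])] += 1
    return counts


def clients_by_failures(logs: Dict[str, str], user: Optional[str] = None) -> Counter:
    """Collapse the detailed counts to failures per client: the top entry is the
    computer from which the bad credentials are coming."""
    by_client = Counter()
    for (_dc, _user, client, _status), n in find_lockout_sources(logs, user).items():
        by_client[client] += n
    return by_client


# Constructed sample logs, one per domain controller, renamed as the text recommends.
SAMPLE_LOGS = {
    "dc01-netlogon.log": """\
02/11 09:00:01 [LOGON] SamLogon: Network logon of CONTOSO\\user1 from WKS07 Entered
02/11 09:00:01 [LOGON] SamLogon: Network logon of CONTOSO\\user1 from WKS07 Returns 0xC000006A
02/11 09:00:03 [LOGON] SamLogon: Network logon of CONTOSO\\user1 from WKS07 Returns 0xC000006A
02/11 09:00:04 [LOGON] SamLogon: Network logon of CONTOSO\\user2 from WKS03 Returns 0x0
""",
    "dc02-netlogon.log": """\
02/11 09:00:05 [LOGON] SamLogon: Network logon of CONTOSO\\user1 from SRV-APP1 Returns 0xC000006A
02/11 09:00:09 [LOGON] SamLogon: Network logon of CONTOSO\\user1 from WKS07 Returns 0xC0000234
""",
}

if __name__ == "__main__":
    for key, n in sorted(find_lockout_sources(SAMPLE_LOGS, "user1").items()):
        print(n, key)
    print("by client:", clients_by_failures(SAMPLE_LOGS))
```

The per-domain-controller keys matter because, as the LockoutStatus.exe section explains, the authenticating domain controller and the PDC operations master each record their own view of the failures; reading every controller's log rather than one keeps the count honest.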

The Replmon and Repadmin Tools

If you have not already verified Active Directory replication on a domain controller, at a command prompt, type repadmin /showreps or replmon to verify that proper Active Directory replication is occurring. In many scenarios, you may find that you unlock an account but the new credentials do not work. This behavior typically occurs because of replication latency. Change the user's password in their local site to avoid replication latency issues.

Where to Obtain the Replmon and Repadmin Tools

Both of these tools are included with the support tools on the Windows 2000 CD-ROM.

How to Install and Configure the Replmon and Repadmin Tools

For more information about how to obtain and install Replmon and Repadmin, see the Windows Support Tools documentation.

Network Monitor

Network Monitor is a powerful tool that you can use to capture unfiltered network communication.
If the account lockout occurs because of a process or program and an account is already locked out on a specific client computer, gather network traces of all traffic to and from that client computer while the account is still locked out. The program or process most likely will continue to send incorrect credentials while trying to gain access to resources that are on the network. Capturing all traffic to and from the client may help you determine which network resource the process is trying to gain access to. After you determine the network resource, you can determine which program or process is running on that client computer.
If you can narrow your search to a specific computer but the user account is not yet locked out, keep running Network Monitor until the lockout occurs for that user. After the lockout occurs, compare the time stamps of the events in the Netlogon or Security event logs with the data that was captured in the trace. You should see the network resource that is being accessed with incorrect credentials.
After you identify a program or service as the cause of the lockout, view the software manufacturer's Web site for known resolutions. This behavior typically occurs because the program is running with the currently logged on user's credentials. If a service is causing the lockout, consider creating accounts that are specifically for running services so user account password changes do not affect the services.

Where to Obtain Network Monitor

The full version of Network Monitor is included with Microsoft System Management Server (SMS). A limited version of the tool is included with Windows XP and the Windows 2000 and Windows Server 2003 families.

How to Install Network Monitor on Supported Operating Systems

This section describes how to install Network Monitor on both the Windows 2000 Server family and Windows XP.

Windows 2000 Server

To install Network Monitor on computers that are running Windows 2000 Server
  1. Right-click My Network Places, and then click Advanced.
  2. Click Optional networking components, and then click Management and Monitoring.
For more information, see "HOW TO: Install Network Monitor in Windows 2000" in the Microsoft Knowledge Base.

Windows XP

Network Monitor is included with the Windows support tools. For more information about how to install and configure Network Monitor on computers that are running Windows XP, view the following articles:

How to Use Network Monitor

For information about how to use Network Monitor to capture information, view the documentation that is provided with the tool or read "How to Capture Network Traffic with Network Monitor" on the Microsoft Knowledge Base.