Exchange 2007 Intra-Org Receive Connector
I have a user in a child domain that continues to have his account locked out from our 2007 Hub Transport/Client Access Server. All other servers in our domain are 2003 Exchange. We are a part of the parent domain. I noticed in the log on our Exchange server that his account is getting locked out in a Logon Type 8, Logon/Logoff type event. I read that Logon Type 8 corresponds to Clear Type passwords.
On our Exchange 2007 server I have an Intra-Org Receive connector with the IPs of all of the child domain 2003 servers configured. Under Authentication type, Anonymous Access is NOT checked. Could this be the issue? It was my understanding that between Exchange servers no clear text is used, so I've left it disabled for security purposes. I'm a little hesitant to change our whole configuration for one user.
Is this right? Or should my Intra-Org connector allow for Anonymous logons as well? Would that fix my issue at hand? Also, I do have all of the Interop RGCs config'd and everything. We've been running in this configuration for over a year now with very few issues.
September 3rd, 2010 5:04pm
What mail client and protocol is being used? Sure the lockout isn't something connecting to the CAS role?
September 3rd, 2010 6:07pm
Using MS Outlook, standard MAPI protocol config. I'm not sure what is causing the lockout, he gets mail fine and everything. It happens a couple of times a week. This is my only user though that has this problem that I'm aware of.
September 3rd, 2010 6:16pm
I would use the accountlockout tools to help track it down
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
September 3rd, 2010 6:29pm
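The account lockout tools linked above do the source-tracing work on a live domain; the following added example (not from this thread or from Microsoft's tools) shows the same idea offline on a few constructed Security-log lines in the Windows 2003 style (event 529 = logon failure, 528 = success, 644 = lockout). It groups failures per account by logon type and origin so you can see where the bad passwords come from. Logon type 8 is NetworkCleartext, which is what Basic authentication to IIS (OWA, ActiveSync) produces, so a lockout with that type points at a web-protocol client rather than server-to-server SMTP. The log format, host names and addresses are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Logon type codes as recorded in Windows Security events.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed log export format for this example (not a real Windows log layout).
SAMPLE_LOG = [
    "2010-09-03 14:02:11 | EventID=529 | Account=jdoe | Domain=CHILD | LogonType=8 | Workstation=EXCH07-CAS | SourceIP=10.1.5.23",
    "2010-09-03 14:02:41 | EventID=529 | Account=jdoe | Domain=CHILD | LogonType=8 | Workstation=EXCH07-CAS | SourceIP=10.1.5.23",
    "2010-09-03 14:03:12 | EventID=529 | Account=jdoe | Domain=CHILD | LogonType=8 | Workstation=EXCH07-CAS | SourceIP=10.1.5.23",
    "2010-09-03 14:03:40 | EventID=528 | Account=jdoe | Domain=CHILD | LogonType=3 | Workstation=WS-JDOE | SourceIP=10.1.2.9",
    "2010-09-03 14:03:44 | EventID=529 | Account=jdoe | Domain=CHILD | LogonType=8 | Workstation=EXCH07-CAS | SourceIP=10.1.5.23",
    "2010-09-03 14:04:15 | EventID=529 | Account=jdoe | Domain=CHILD | LogonType=8 | Workstation=EXCH07-CAS | SourceIP=10.1.5.23",
    "2010-09-03 14:04:20 | EventID=529 | Account=jdoe | Domain=CHILD | LogonType=3 | Workstation=WS-JDOE | SourceIP=10.1.2.9",
    "2010-09-03 14:04:46 | EventID=529 | Account=jdoe | Domain=CHILD | LogonType=8 | Workstation=EXCH07-CAS | SourceIP=10.1.5.23",
    "2010-09-03 14:04:50 | EventID=644 | Account=jdoe | Domain=CHILD | LogonType=0 | Workstation=DC01 | SourceIP=10.1.0.1",
    "2010-09-03 14:05:02 | EventID=529 | Account=asmith | Domain=PARENT | LogonType=2 | Workstation=WS-17 | SourceIP=10.1.3.44",
]

LINE_RE = re.compile(
    r"EventID=(?P<event>\d+).*?Account=(?P<account>[^\s|]+).*?"
    r"LogonType=(?P<ltype>\d+).*?Workstation=(?P<ws>[^\s|]+).*?SourceIP=(?P<ip>[^\s|]+)"
)

Key = Tuple[str, str, str]  # (account, logon type name, "workstation (ip)")


def parse_failures(lines: List[str]) -> List[Key]:
    """Return one key per logon-failure (529) line; other events are ignored."""
    out: List[Key] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["event"] != "529":
            continue
        ltype = int(m["ltype"])
        out.append((m["account"], LOGON_TYPES.get(ltype, f"Type{ltype}"),
                    f'{m["ws"]} ({m["ip"]})'))
    return out


def summarize(lines: List[str]) -> Dict[Key, int]:
    """Count failures per (account, logon type, source)."""
    return dict(Counter(parse_failures(lines)))


def likely_source(lines: List[str], account: str) -> Optional[Tuple[Key, int]]:
    """The (key, count) pair with the most failures for one account, or None."""
    candidates = {k: v for k, v in summarize(lines).items() if k[0] == account}
    if not candidates:
        return None
    return max(candidates.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {key[0]:<8} {key[1]:<17} {key[2]}")
    print("most likely origin for jdoe:", likely_source(SAMPLE_LOG, "jdoe"))
```

In the constructed sample the clear-text failures all arrive through the CAS, which is exactly the kind of pattern that separates a stale Basic-auth client from a misconfigured SMTP connector.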
On Fri, 3 Sep 2010 15:16:15 +0000, Schwagro wrote:
>Using MS Outlook, standard MAPI protocol config. I'm not sure what is causing the lockout, he gets mail fine and everything. It happens a couple of times a week. This is my only user though that has this problem that I'm aware of.
Does that person have a mobile device that was using ActiveSync? Did
he stop using it, but forget to remove the ActiveSync partnership from
the device?
If he does, then this problem is hard to get a handle on because the
account lockout mechanism doesn't count failed password attempts if
the password used is the user's *last* password or the password
*before* the last password.
Current password <= this one is counted
Last password <= this one is NOT counted
Last+1 password <= this one is NOT counted
Last+2 password <= this one IS counted
Last+2+n passwords <= these ARE counted
So, let's say he changes his password every month and he stopped using
(or just forgot to change) the password on his ActiveSync device. His
account wouldn't lock out for three months -- and once he changes his
password again the failed ActiveSync login tries WILL lock his account
because they use the "last+2" password. If the device is set to sync
only every so often the account may even be unlocked -- depending on
your password policy.
This drove me nuts trying to get a handle on account lockouts that
were happening on machines that were scanned for virus/worms and found
to be uninfected. Of course the helpdesk was just unlocking the
accounts and we never got a chance to question the individuals until
the problem really came to a head when Apple released the iPhone. The
iPhone doesn't stop trying to log in after failing X number of times
-- it just keeps hammering away, locking the account over and over
again. Grrrr...
---
Rich Matheisen
MCSE+I, Exchange MVP
September 4th, 2010 6:12am
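The counting rule described in the post above is easy to misjudge when you only see the lockout events, so here is an added simulation (not from the thread, and not Windows' own code) of a lockout counter that exempts the two most recent previous passwords, with a "reset counter after" observation window. The policy values (threshold 5, 30-minute window), the password strings and the device sync intervals are constructed for the example. It plays out the scenario from the post: a device keeps a stale password while the user rotates monthly, and the lockout only appears after the third change, and only if the device retries often enough to stay inside the window.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Account:
    # history[0] is the current password, history[1] the last one, and so on.
    history: List[str]
    threshold: int = 5                          # constructed "lockout threshold"
    window: timedelta = timedelta(minutes=30)   # constructed "reset counter after"
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_at: Optional[datetime] = None

    def change_password(self, new_pw: str) -> None:
        self.history.insert(0, new_pw)

    def attempt(self, pw: str, when: datetime) -> str:
        """Apply one logon attempt and report what the counter did."""
        if self.locked_at is not None:
            return "locked"
        if pw == self.history[0]:
            self.bad_count, self.last_bad = 0, None
            return "success"
        # Exemption from the post: the last password and the one before it
        # fail but do NOT advance the lockout counter.
        if pw in self.history[1:3]:
            return "failed-not-counted"
        # Counter resets once the observation window has passed since the last bad try.
        if self.last_bad is None or when - self.last_bad > self.window:
            self.bad_count = 0
        self.bad_count += 1
        self.last_bad = when
        if self.bad_count >= self.threshold:
            self.locked_at = when
            return "locked"
        return "failed-counted"


def stale_device_scenario(sync_interval: timedelta, rotations: int = 4,
                          syncs_per_period: int = 10) -> Optional[int]:
    """Return the password-change number during which the stale device locks the
    account, or None if it never does within `rotations` changes."""
    stale_pw = "Autumn2010"                       # constructed: what the device still sends
    acct = Account(history=[stale_pw])
    clock = datetime(2010, 9, 1)
    for period in range(1, rotations + 1):
        acct.change_password(f"pw-{period}")      # monthly rotation
        for _ in range(syncs_per_period):
            clock += sync_interval
            if acct.attempt(stale_pw, clock) == "locked":
                return period
    return None


if __name__ == "__main__":
    print("hammering device (5 min):", stale_device_scenario(timedelta(minutes=5)))
    print("occasional sync (45 min):", stale_device_scenario(timedelta(minutes=45)))
```

With a 5-minute retry the lockout lands in rotation 3, the first one where the stale password has dropped to "last+2"; with a 45-minute interval every failure falls outside the window, so the counter never reaches the threshold and the account stays unlocked, which is the "depending on your password policy" case from the post.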
I suggest alcohol!
September 4th, 2010 4:29pm