Administrator Account Locked Out

I am running Win XP Pro SP2.

I have 2 user accounts, one named "Bob" (administrator), and one (limited
user)

Periodically, when logging on my account, I enter my password and get a
message that my account has been locked out- please contact your
administrator. I may or may not be able to sign on using the limited account-
occasionally it is also locked out.

Rebooting (restart or power-on), the Welcome Screen shows "Administrator" in
place of "Bob", and the limited user account is either intact, or missing
(inconsistent symptom).
The "Administrator" account accepts the "Bob" account password, then Windows
begins to load "personalized settings" that do not match the "Bob" account
settings, i.e., desktop wallpaper, shortcuts, My Documents, My Pictures, etc.
Windows also treats this account as a new user, offering a tour of XP, etc.
However, all IE6 favorites, history, cookies, and OE6 address book entries,
as well as email settings and folders, match the "Bob" account. It's as if
Windows doesn't know me upon logon, but recognizes me afterwards.

The only way I have found to recover is to do a system restore. This is
usually successful, but at times I get a message that says "...cannot restore
to selected restore point, no changes have been made." Ironically, if I
reboot again, the "Bob" account may appear again.

Now, my suspicions. If this info muddies the water, please disregard.

I am not positive, but I believe this began after downloading and installing
IE7 a few weeks ago. I did not like the IE7 interface, so I attempted to
uninstall it. I was concerned that uninstalling IE7 would leave me without a
browser instead of rolling me back to IE6. Therefore, I did a system restore
prior to IE7. A few days later, this problem surfaced, perhaps after I
rebooted.

I hope I conveyed this information clearly. Thanks in advance for your help.

Bob

FireBob57 wrote:

> I am running Win XP Pro SP2.
>
> I have 2 user accounts, one named "Bob" (administrator), and one (limited
> user)
>
> Periodically, when logging on my account, I enter my password and get a
> message that my account has been locked out- please contact your
> administrator. I may or may not be able to sign on using the limited account-
> occasionally it is also locked out.
>
> Rebooting (restart or power-on), the Welcome Screen shows "Administrator" in
> place of "Bob", and the limited user account is either intact, or missing
> (inconsistent symptom).
> The "Administrator" account accepts the "Bob" account password, then Windows
> begins to load "personalized settings" that do not match the "Bob" account
> settings, i.e., desktop wallpaper, shortcuts, My Documents, My Pictures, etc.
> Windows also treats this account as a new user, offering a tour of XP, etc.
> However, all IE6 favorites, history, cookies, and OE6 address book entries,
> as well as email settings and folders, match the "Bob" account. It's as if
> Windows doesn't know me upon logon, but recognizes me afterwards.
>
> The only way I have found to recover is to do a system restore. This is
> usually successful, but at times I get a message that says "...cannot restore
> to selected restore point, no changes have been made." Ironically, if I
> reboot again, the "Bob" account may appear again.
>
> Now, my suspicions. If this info muddies the water, please disregard.
>
> I am not positive, but I believe this began after downloading and installing
> IE7 a few weeks ago. I did not like the IE7 interface, so I attempted to
> uninstall it. I was concerned that uninstalling IE7 would leave me without a
> browser instead of rolling me back to IE6. Therefore, I did a system restore
> prior to IE7. A few days later, this problem surfaced, perhaps after I
> rebooted.
>
> I hope I conveyed this information clearly. Thanks in advance for your help.
>
> Bob

Looks like someone has been trying to hack into your host. After a
threshold of number of failed attempts, Windows will lockup the login to
force the hacker to wait (which they usually won't do). For local
accounts, you can see these settings by using the group policy editor
(gpedit.msc) and going to:

Computer Configuration
Windows Settings
Security Settings
Account Policies
Account Lockout Policy

Account Lockout Duration is how long loggin in is disabled once there is
a lockout. I have mine set for 15 minutes because I'm in a very small
network with few users and I'm only interested in thwarting outside
hacking attempts (if they manage to get past the router's firewall).
Account Lockout Threshold is how many sequential failed login attempts
will trigger a lockout. Reset Account Lockout Counter After is how long
to reset the counter so it starts counting at 1 for the next failed
attempt. Mine is set for 5 minutes; for example, maybe your first 2
logins failed but you wait 5 minutes, or more, so just in case your 3rd
attempt fails it will be the first one in the count threshold.

http://support.microsoft.com/kb/297157/en-us (old)
http://support.microsoft.com/search/...lockout+policy

You might want to enable auditing for failed logins. I'm not familiar
with the event that gets recorded and seen in Events Viewer so I don't
know if the audit event provides sufficient information to determine who
is trying to hack into your box. This might be something you bring up
with your IT folks to have them sniff their network regarding connection
attempts to your host.

If you have the policy configured to show the username in the login
screen of the last user that logged in and it is now different, someone
tried to use that other account to get into your box. Do you have
Remote Desktop, TeamViewer, some flavor of VNC, or other remote access
program enabled on your host to let someone have remote access to your
box who is trying to repeatedly login until they lock it up?

Vanguard,

Thanks for replying to this post.

First, my PC is a home/ personal computer. Two users are assigned IDs. The
only other access would be from the web- someone trying to hack me. I am
using Trend Micro Internet Security 2008 (have used Trend for ten years), and
this problem surfaced while using the 2007 version. I use Trend's firewall
and per their suggestion, Windows firewall is disabled due to potential
conflicts. I do regular updates and scans, and nothing is detected except
Spyware cookies, but I have to wonder if Trend is failing to detect a worm,
Trojan Horse, or virus.

The following are my current logon security parameters:

Account lockout duration 30 minutes
Account lockout threshold 3 invalid logon attempts
Reset account lockout counter after 30 minutes

So, to clarify your reply- Are you saying that this problem can be caused by
an "outsider" trying to hack my PC from the web?
If yes, does the fact that I get locked out of my account indicate that the
hacker failed to gain access to my hard drive?

Looking at Trend's firewall logs, there are a considerable number of entries
logged during every internet session, but I have never seen a warning appear
while surfing that my firewall was breached (not sure I would even receive a
warning).

Finally, the next time this problem arises, I will wait the prescribed time
to allow the security timers to reset and see if that is what is actually
occurring.


"VanguardLH" wrote:

> FireBob57 wrote:
>
> > I am running Win XP Pro SP2.
> >
> > I have 2 user accounts, one named "Bob" (administrator), and one (limited
> > user)
> >
> > Periodically, when logging on my account, I enter my password and get a
> > message that my account has been locked out- please contact your
> > administrator. I may or may not be able to sign on using the limited account-
> > occasionally it is also locked out.
> >
> > Rebooting (restart or power-on), the Welcome Screen shows "Administrator" in
> > place of "Bob", and the limited user account is either intact, or missing
> > (inconsistent symptom).
> > The "Administrator" account accepts the "Bob" account password, then Windows
> > begins to load "personalized settings" that do not match the "Bob" account
> > settings, i.e., desktop wallpaper, shortcuts, My Documents, My Pictures, etc.
> > Windows also treats this account as a new user, offering a tour of XP, etc.
> > However, all IE6 favorites, history, cookies, and OE6 address book entries,
> > as well as email settings and folders, match the "Bob" account. It's as if
> > Windows doesn't know me upon logon, but recognizes me afterwards.
> >
> > The only way I have found to recover is to do a system restore. This is
> > usually successful, but at times I get a message that says "...cannot restore
> > to selected restore point, no changes have been made." Ironically, if I
> > reboot again, the "Bob" account may appear again.
> >
> > Now, my suspicions. If this info muddies the water, please disregard.
> >
> > I am not positive, but I believe this began after downloading and installing
> > IE7 a few weeks ago. I did not like the IE7 interface, so I attempted to
> > uninstall it. I was concerned that uninstalling IE7 would leave me without a
> > browser instead of rolling me back to IE6. Therefore, I did a system restore
> > prior to IE7. A few days later, this problem surfaced, perhaps after I
> > rebooted.
> >
> > I hope I conveyed this information clearly. Thanks in advance for your help.
> >
> > Bob
>
> Looks like someone has been trying to hack into your host. After a
> threshold of number of failed attempts, Windows will lockup the login to
> force the hacker to wait (which they usually won't do). For local
> accounts, you can see these settings by using the group policy editor
> (gpedit.msc) and going to:
>
> Computer Configuration
> Windows Settings
> Security Settings
> Account Policies
> Account Lockout Policy
>
> Account Lockout Duration is how long loggin in is disabled once there is
> a lockout. I have mine set for 15 minutes because I'm in a very small
> network with few users and I'm only interested in thwarting outside
> hacking attempts (if they manage to get past the router's firewall).
> Account Lockout Threshold is how many sequential failed login attempts
> will trigger a lockout. Reset Account Lockout Counter After is how long
> to reset the counter so it starts counting at 1 for the next failed
> attempt. Mine is set for 5 minutes; for example, maybe your first 2
> logins failed but you wait 5 minutes, or more, so just in case your 3rd
> attempt fails it will be the first one in the count threshold.
>
> http://support.microsoft.com/kb/297157/en-us (old)
> http://support.microsoft.com/search/...lockout+policy
>
> You might want to enable auditing for failed logins. I'm not familiar
> with the event that gets recorded and seen in Events Viewer so I don't
> know if the audit event provides sufficient information to determine who
> is trying to hack into your box. This might be something you bring up
> with your IT folks to have them sniff their network regarding connection
> attempts to your host.
>
> If you have the policy configured to show the username in the login
> screen of the last user that logged in and it is now different, someone
> tried to use that other account to get into your box. Do you have
> Remote Desktop, TeamViewer, some flavor of VNC, or other remote access
> program enabled on your host to let someone have remote access to your
> box who is trying to repeatedly login until they lock it up?
>

I created another account for myself and set it up as a limited user so I
wouldn't always be signed on as administrator. Yesterday I was doing
maintenance, logging on and off between those two accounts. I was not
connected to the web at the time. After a few iterations of this, suddenly
all accounts were locked out. I am guessing the lockout reset worked although
I didn't wait for it to reset. My wife was able to logon after she got home,
without rebooting as we have done in the past.

It appears something internal to this PC is causing this problem, and I am
suspicious of a Windows Update that was done around the time this problem
arose.

"FireBob57" wrote:

> Remote Desktop has always been disabled, I disabled Remote assistance a
> couple days ago.
>
> "VanguardLH" wrote:
>
> > FireBob57 wrote:
> >
> > > Another piece of information:
> > >
> > > There are actually other accounts assisgned.
> > > Guest- built in for guest users (disabled it yesterday)
> > > Help Assistant- for remote desktop assistant (disabled it yesterday)
> > > Support- Microsoft- vendor's account for help and support (disabled it
> > > yesterday)
> > > Support- Dell- vendor's account for help and support (disabled it yesterday)
> > > I assume the two Support Accounts were created when I bought this PC. I am
> > > pretty sure the Remote Support Account was created when I assisted a friend
> > > using this function years ago. Who knows, but without your help I would have
> > > never known they were there!
> >
> > Right-click on the My Computer desktop icon, Remote tab, and disable
> > both Remote Assistance and Remote Desktop.
> >

FireBob57 wrote:

> I created another account for myself and set it up as a limited user so I
> wouldn't always be signed on as administrator. Yesterday I was doing
> maintenance, logging on and off between those two accounts. I was not
> connected to the web at the time. After a few iterations of this, suddenly
> all accounts were locked out. I am guessing the lockout reset worked although
> I didn't wait for it to reset. My wife was able to logon after she got home,
> without rebooting as we have done in the past.
>
> It appears something internal to this PC is causing this problem, and I am
> suspicious of a Windows Update that was done around the time this problem
> arose.

Login lockout occurs only if there were *failed* login attempts.

Have you tried rebooting into safe mode and logging in and out between
accounts to see if the lockout happens? Don't use the "Bob" account
during this testing. Create 2 admin-level accounts and 2 restricted
accounts. Then try the switching between the 2 admin-level account by
logging off and on between them. Do the same with the 2 restricted
accounts. Then try logging off and on between an admin-level and
restricted account. I suspect you won't see the problem until you throw
the "Bob" account back into the mix.

It sounds like you are using fast user switching. That means multiple
accounts could be logged on at the same time (and eating up resources
for each at the same time). I never use fast user switching. It is one
of the first "features" that I disable after installing Windows XP.
That reverts me back to 1 active login at a time and instead of the
Fisher-Price Welcome Screen, I get the standard Windows Login dialog. I
don't go picking an account from a cutsy graphics screen but instead
enter my account name and password in the good old login prompt.
Control Panel -> User Accounts -> Change the way users log on and off,
deselect "Use the Welcome Screen". That also disables fast user
switching. Now test using the Administrator, Bob, and other accounts
where you use the standard login dialog to switch between accounts.

If reverting to single logins and using the standard (classic) login
dialog gets rid of the problem then the problem is not with corrupted
account profiles but instead with that fluff Welcome Screen.

To show or hide an account on the Welcome Screen:

- Run regedit.exe to edit the registry.
- Go to the following key in the leftside tree list:
HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows NT
CurrentVersion
Winlogon
SpecialAccounts
UserList
- Right-click in the rightside pane (data items and their values) or use
the "Edit -> New -> DWORD value" menu to create a new DWORD item.
- Name the new item the same name as an account. For example, to add
the Administrator account, name the new data item as "Administrator" (no
quotes). The data item's name must match the name of an account.
- Set the value for the data item as follows:
0 = do not show in Welcome Screen
1 = show in Welcome screen
- Exit the registry edit.

When a new admin-level account is defined, the Administrator account
will get hidden on the Welcome Screen. Normally you would have to hit
Ctrl+Alt+Del twice in Windows XP Professional at the Welcome Screen or
reboot into Safe Mode for Windows XP Home Edition to see the
Administrator account login. Using this trick, you can re-add the
Administrator account to the Welcome Screen.

You're saying that sometimes Administrator shows up in place of Bob.
Well, if Administrator is no longer hidden by default (because Bob,
maybe, is an admin-level account) then both Administrator and Bob should
show up on the Welcome Screen.

That is some really good information, and it answers at least one mystery.
When the lockouts occur, my account is not "changing" to "Administrator",
mine is disappearing causing the hidden Administrator account to appear. When
my son had a limited account, my wife's account would disappear too, but his
would stay.

I will disable fast user switching, especially since there is an issue with
that as well. If two accounts are active at once, when the second account
logs off, the display resolution reverts to 640 X 480, and the screen looks
like a color reverse image. I have to reboot to resolve this.

I will try the safe mode recommendations you suggested and let you know.
Thanks for all the help and for hanging with me!

"VanguardLH" wrote:

> FireBob57 wrote:
>
> > I created another account for myself and set it up as a limited user so I
> > wouldn't always be signed on as administrator. Yesterday I was doing
> > maintenance, logging on and off between those two accounts. I was not
> > connected to the web at the time. After a few iterations of this, suddenly
> > all accounts were locked out. I am guessing the lockout reset worked although
> > I didn't wait for it to reset. My wife was able to logon after she got home,
> > without rebooting as we have done in the past.
> >
> > It appears something internal to this PC is causing this problem, and I am
> > suspicious of a Windows Update that was done around the time this problem
> > arose.
>
> Login lockout occurs only if there were *failed* login attempts.
>
> Have you tried rebooting into safe mode and logging in and out between
> accounts to see if the lockout happens? Don't use the "Bob" account
> during this testing. Create 2 admin-level accounts and 2 restricted
> accounts. Then try the switching between the 2 admin-level account by
> logging off and on between them. Do the same with the 2 restricted
> accounts. Then try logging off and on between an admin-level and
> restricted account. I suspect you won't see the problem until you throw
> the "Bob" account back into the mix.
>
> It sounds like you are using fast user switching. That means multiple
> accounts could be logged on at the same time (and eating up resources
> for each at the same time). I never use fast user switching. It is one
> of the first "features" that I disable after installing Windows XP.
> That reverts me back to 1 active login at a time and instead of the
> Fisher-Price Welcome Screen, I get the standard Windows Login dialog. I
> don't go picking an account from a cutsy graphics screen but instead
> enter my account name and password in the good old login prompt.
> Control Panel -> User Accounts -> Change the way users log on and off,
> deselect "Use the Welcome Screen". That also disables fast user
> switching. Now test using the Administrator, Bob, and other accounts
> where you use the standard login dialog to switch between accounts.
>
> If reverting to single logins and using the standard (classic) login
> dialog gets rid of the problem then the problem is not with corrupted
> account profiles but instead with that fluff Welcome Screen.
>
> To show or hide an account on the Welcome Screen:
>
> - Run regedit.exe to edit the registry.
> - Go to the following key in the leftside tree list:
> HKEY_LOCAL_MACHINE
> SOFTWARE
> Microsoft
> Windows NT
> CurrentVersion
> Winlogon
> SpecialAccounts
> UserList
> - Right-click in the rightside pane (data items and their values) or use
> the "Edit -> New -> DWORD value" menu to create a new DWORD item.
> - Name the new item the same name as an account. For example, to add
> the Administrator account, name the new data item as "Administrator" (no
> quotes). The data item's name must match the name of an account.
> - Set the value for the data item as follows:
> 0 = do not show in Welcome Screen
> 1 = show in Welcome screen
> - Exit the registry edit.
>
> When a new admin-level account is defined, the Administrator account
> will get hidden on the Welcome Screen. Normally you would have to hit
> Ctrl+Alt+Del twice in Windows XP Professional at the Welcome Screen or
> reboot into Safe Mode for Windows XP Home Edition to see the
> Administrator account login. Using this trick, you can re-add the
> Administrator account to the Welcome Screen.
>
> You're saying that sometimes Administrator shows up in place of Bob.
> Well, if Administrator is no longer hidden by default (because Bob,
> maybe, is an admin-level account) then both Administrator and Bob should
> show up on the Welcome Screen.
>

Vanguard,

I tried booting in Safe Mode, but I keep getting a "keyboard error" in the
boot process when pressing F8 that subsequently disables the keyboard. I
haven't investigated this problem much because I have been very busy the last
couple of weeks. I will pursue this as I can.
I just wanted to update you.

"FireBob57" wrote:

> That is some really good information, and it answers at least one mystery.
> When the lockouts occur, my account is not "changing" to "Administrator",
> mine is disappearing causing the hidden Administrator account to appear. When
> my son had a limited account, my wife's account would disappear too, but his
> would stay.
>
> I will disable fast user switching, especially since there is an issue with
> that as well. If two accounts are active at once, when the second account
> logs off, the display resolution reverts to 640 X 480, and the screen looks
> like a color reverse image. I have to reboot to resolve this.
>
> I will try the safe mode recommendations you suggested and let you know.
> Thanks for all the help and for hanging with me!
>
> "VanguardLH" wrote:
>
> > FireBob57 wrote:
> >
> > > I created another account for myself and set it up as a limited user so I
> > > wouldn't always be signed on as administrator. Yesterday I was doing
> > > maintenance, logging on and off between those two accounts. I was not
> > > connected to the web at the time. After a few iterations of this, suddenly
> > > all accounts were locked out. I am guessing the lockout reset worked although
> > > I didn't wait for it to reset. My wife was able to logon after she got home,
> > > without rebooting as we have done in the past.
> > >
> > > It appears something internal to this PC is causing this problem, and I am
> > > suspicious of a Windows Update that was done around the time this problem
> > > arose.
> >
> > Login lockout occurs only if there were *failed* login attempts.
> >
> > Have you tried rebooting into safe mode and logging in and out between
> > accounts to see if the lockout happens? Don't use the "Bob" account
> > during this testing. Create 2 admin-level accounts and 2 restricted
> > accounts. Then try the switching between the 2 admin-level account by
> > logging off and on between them. Do the same with the 2 restricted
> > accounts. Then try logging off and on between an admin-level and
> > restricted account. I suspect you won't see the problem until you throw
> > the "Bob" account back into the mix.
> >
> > It sounds like you are using fast user switching. That means multiple
> > accounts could be logged on at the same time (and eating up resources
> > for each at the same time). I never use fast user switching. It is one
> > of the first "features" that I disable after installing Windows XP.
> > That reverts me back to 1 active login at a time and instead of the
> > Fisher-Price Welcome Screen, I get the standard Windows Login dialog. I
> > don't go picking an account from a cutsy graphics screen but instead
> > enter my account name and password in the good old login prompt.
> > Control Panel -> User Accounts -> Change the way users log on and off,
> > deselect "Use the Welcome Screen". That also disables fast user
> > switching. Now test using the Administrator, Bob, and other accounts
> > where you use the standard login dialog to switch between accounts.
> >
> > If reverting to single logins and using the standard (classic) login
> > dialog gets rid of the problem then the problem is not with corrupted
> > account profiles but instead with that fluff Welcome Screen.
> >
> > To show or hide an account on the Welcome Screen:
> >
> > - Run regedit.exe to edit the registry.
> > - Go to the following key in the leftside tree list:
> > HKEY_LOCAL_MACHINE
> > SOFTWARE
> > Microsoft
> > Windows NT
> > CurrentVersion
> > Winlogon
> > SpecialAccounts
> > UserList
> > - Right-click in the rightside pane (data items and their values) or use
> > the "Edit -> New -> DWORD value" menu to create a new DWORD item.
> > - Name the new item the same name as an account. For example, to add
> > the Administrator account, name the new data item as "Administrator" (no
> > quotes). The data item's name must match the name of an account.
> > - Set the value for the data item as follows:
> > 0 = do not show in Welcome Screen
> > 1 = show in Welcome screen
> > - Exit the registry edit.
> >
> > When a new admin-level account is defined, the Administrator account
> > will get hidden on the Welcome Screen. Normally you would have to hit
> > Ctrl+Alt+Del twice in Windows XP Professional at the Welcome Screen or
> > reboot into Safe Mode for Windows XP Home Edition to see the
> > Administrator account login. Using this trick, you can re-add the
> > Administrator account to the Welcome Screen.
> >
> > You're saying that sometimes Administrator shows up in place of Bob.
> > Well, if Administrator is no longer hidden by default (because Bob,
> > maybe, is an admin-level account) then both Administrator and Bob should
> > show up on the Welcome Screen.
> >