Group: microsoft.public.windowsxp.security_admin
From: VanguardLH
Date: Sunday, April 13, 2008 4:59 PM
Subject: Re: Administrator Account Locked Out

FireBob57 wrote:

> I am running Win XP Pro SP2.
>
> I have 2 user accounts, one named "Bob" (administrator), and one (limited
> user)
>
> Periodically, when logging on my account, I enter my password and get a
> message that my account has been locked out- please contact your
> administrator. I may or may not be able to sign on using the limited account-
> occasionally it is also locked out.
>
> Rebooting (restart or power-on), the Welcome Screen shows "Administrator" in
> place of "Bob", and the limited user account is either intact, or missing
> (inconsistent symptom).
> The "Administrator" account accepts the "Bob" account password, then Windows
> begins to load "personalized settings" that do not match the "Bob" account
> settings, i.e., desktop wallpaper, shortcuts, My Documents, My Pictures, etc.
> Windows also treats this account as a new user, offering a tour of XP, etc.
> However, all IE6 favorites, history, cookies, and OE6 address book entries,
> as well as email settings and folders, match the "Bob" account. It's as if
> Windows doesn't know me upon logon, but recognizes me afterwards.
>
> The only way I have found to recover is to do a system restore. This is
> usually successful, but at times I get a message that says "...cannot restore
> to selected restore point, no changes have been made." Ironically, if I
> reboot again, the "Bob" account may appear again.
>
> Now, my suspicions. If this info muddies the water, please disregard.
>
> I am not positive, but I believe this began after downloading and installing
> IE7 a few weeks ago. I did not like the IE7 interface, so I attempted to
> uninstall it. I was concerned that uninstalling IE7 would leave me without a
> browser instead of rolling me back to IE6. Therefore, I did a system restore
> prior to IE7. A few days later, this problem surfaced, perhaps after I
> rebooted.
>
> I hope I conveyed this information clearly. Thanks in advance for your help.
>
> Bob

Looks like someone has been trying to hack into your host. After a
threshold number of failed attempts, Windows will lock up the login to
force the hacker to wait (which they usually won't do). For local
accounts, you can see these settings by using the group policy editor
(gpedit.msc) and going to:

Computer Configuration
  Windows Settings
    Security Settings
      Account Policies
        Account Lockout Policy

Account Lockout Duration is how long logging in is disabled once there is
a lockout. I have mine set for 15 minutes because I'm in a very small
network with few users and I'm only interested in thwarting outside
hacking attempts (if they manage to get past the router's firewall).
Account Lockout Threshold is how many sequential failed login attempts
will trigger a lockout. Reset Account Lockout Counter After is how long
to reset the counter so it starts counting at 1 for the next failed
attempt. Mine is set for 5 minutes; for example, maybe your first 2
logins failed but you wait 5 minutes, or more, so just in case your 3rd
attempt fails it will be the first one in the count threshold.

http://support.microsoft.com/kb/297157/en-us (old)
http://support.microsoft.com/search/default.aspx?&query=account+lockout+policy

You might want to enable auditing for failed logins. I'm not familiar
with the event that gets recorded and seen in Event Viewer so I don't
know if the audit event provides sufficient information to determine who
is trying to hack into your box. This might be something you bring up
with your IT folks to have them sniff their network regarding connection
attempts to your host.

If you have the policy configured to show the username in the login
screen of the last user that logged in and it is now different, someone
tried to use that other account to get into your box. Do you have
Remote Desktop, TeamViewer, some flavor of VNC, or other remote access
program enabled on your host to let someone have remote access to your
box who is trying to repeatedly log in until they lock it up?
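
The following is an added example, not part of the original post: a simplified Python model of how the three Account Lockout Policy settings described above interact, replayed over constructed logon attempts. The 15-minute duration and 5-minute counter reset come from the post; the threshold of 3, the names LockoutPolicy and replay, and the sample timelines are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int        # Account Lockout Threshold (0 = never lock out)
    duration_min: int     # Account Lockout Duration, in minutes
    reset_after_min: int  # Reset Account Lockout Counter After, in minutes

def replay(policy, attempts):
    """Replay (minute, password_ok) pairs, sorted by time, against the policy.

    Returns (minute, outcome, bad_count) per attempt. Simplified model:
    a duration of 0 (locked until an administrator unlocks) is not handled.
    """
    bad_count, last_bad, locked_until = 0, None, None
    results = []
    for minute, ok in attempts:
        if locked_until is not None:
            if minute < locked_until:
                # Even the correct password is refused while locked out.
                results.append((minute, "locked", bad_count))
                continue
            bad_count, last_bad, locked_until = 0, None, None
        if ok:
            bad_count, last_bad = 0, None
            results.append((minute, "success", 0))
            continue
        # The counter restarts once the reset window has passed
        # since the previous failed attempt.
        if last_bad is not None and minute - last_bad >= policy.reset_after_min:
            bad_count = 0
        bad_count += 1
        last_bad = minute
        if policy.threshold and bad_count >= policy.threshold:
            locked_until = minute + policy.duration_min
            results.append((minute, "lockout", bad_count))
        else:
            results.append((minute, "failed", bad_count))
    return results

POLICY = LockoutPolicy(threshold=3, duration_min=15, reset_after_min=5)
# Constructed timelines (minutes since the first attempt).
PATIENT = [(0, False), (1, False), (6, False)]   # waits 5 minutes before the 3rd try
BURST = [(0, False), (1, False), (2, False), (3, True), (16, True), (17, True)]

if __name__ == "__main__":
    for name, timeline in (("patient", PATIENT), ("burst", BURST)):
        print(name, replay(POLICY, timeline))
```

In the burst timeline the correct password is refused at minutes 3 and 16 and accepted at minute 17, which is what a legitimate user sees when something else has tripped the threshold on their account.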