MS VPN connection; Account locked



  • Working with a few people over the last several months, they have an issue where, when they try to reconnect to the mapped drives (across the VPN), they get an error message that their account is locked out.

    Checking ADUC though, their account is not shown as being locked out.

    Since we have 'issues', there is a MapDriveScript.bat on their desktop. When it is run, it first checks to see if there is a valid connection to the server (thanks @Mike-Davis ) and if found steps to mapping / reconnecting the drives. In many cases though, they are required to re-enter their AD UserID & password (next probable update to the script: grab the username so they only need to enter the password).

    Is there any way to reduce or eliminate the issue with their account locking or false locking out? They are using MS Surface devices mainly - with some laptops, but it doesn't seem to matter which it is.


  • Service Provider

    This isn't very normal AFAIK, so I think getting to the bottom of the account problem is the place to start.



  • @scottalanmiller I agree.

    @gjacobse What type of vpn connection? Domain functional level? Does this only happen with people using wifi to connect to vpn? Are these workstations domain members?
    Are there possibly replication issues, so that account lockouts aren't being replicated to the DC you're checking in a timely manner?
    Are there any errors on the file server or dc or workstation about bad username/pw?
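
    One way to answer the replication question above, as an added example that is not from the thread: badPwdCount and the lockout flag are per-DC values, so the script below asks every DC for one user's state and then reads the 4740 lockout events from the PDC emulator, which is where every lockout is recorded and which names the computer that sent the bad passwords. The username is a hypothetical placeholder.

```powershell
# Added example (not from the thread): check one user's lockout state on every DC,
# since badPwdCount is not replicated, then pull the 4740 lockout events from the
# PDC emulator to see which computer caused them. The username is hypothetical.
param([string]$User = 'jdoe')
Import-Module ActiveDirectory

$props = 'LockedOut', 'badPwdCount', 'LastBadPasswordAttempt', 'AccountLockoutTime'
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # -Server forces the query to this specific DC instead of whichever one
        # ADUC happens to be bound to.
        $u = Get-ADUser -Identity $User -Server $dc.HostName -Properties $props
        [pscustomobject]@{
            DC                     = $dc.HostName
            LockedOut              = $u.LockedOut
            BadPwdCount            = $u.badPwdCount
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
            AccountLockoutTime     = $u.AccountLockoutTime
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

# Every lockout is forwarded to the PDC emulator as event 4740. In that event
# TargetDomainName is the "Caller Computer Name", i.e. the machine that kept
# presenting the wrong password (often a laptop with a stale saved credential).
$pdc = (Get-ADDomain).PDCEmulator
$filter = @{ LogName = 'Security'; Id = 4740 }
Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq $User) {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                User           = $d.TargetUserName
                CallerComputer = $d.TargetDomainName
            }
        }
    }
```

    Run it from a domain-joined admin workstation with the RSAT AD module; reading the PDC's Security log needs event log reader rights on that DC.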



  • @momurda said in MS VPN connection; Account locked:

    @scottalanmiller I agree.

    @gjacobse What type of vpn connection? Domain functional level? Does this only happen with people using wifi to connect to vpn? Are these workstations domain members?
    Are there possibly replication issues, so that account lockouts aren't being replicated to the DC you're checking in a timely manner?
    Are there any errors on the file server or dc or workstation about bad username/pw?

    Generally we get them to sign on while on the Domain network. After that they sign into the computer, then connect to the VPN with Static Creds.

    AD applies to the computer then. These computers are Domain Joined, but at remote, random locations.


  • Service Provider

    @gjacobse said in MS VPN connection; Account locked:

    @momurda said in MS VPN connection; Account locked:

    @scottalanmiller I agree.

    @gjacobse What type of vpn connection? Domain functional level? Does this only happen with people using wifi to connect to vpn? Are these workstations domain members?
    Are there possibly replication issues, so that account lockouts aren't being replicated to the DC you're checking in a timely manner?
    Are there any errors on the file server or dc or workstation about bad username/pw?

    Generally we get them to sign on while on the Domain network. After that they sign into the computer, then connect to the VPN with Static Creds.

    AD applies to the computer then. These computers are Domain Joined, but at remote, random locations.

    I'm not following. How do they sign on to the domain if the VPN isn't up?



  • @scottalanmiller said in MS VPN connection; Account locked:

    @gjacobse said in MS VPN connection; Account locked:

    @momurda said in MS VPN connection; Account locked:

    @scottalanmiller I agree.

    @gjacobse What type of vpn connection? Domain functional level? Does this only happen with people using wifi to connect to vpn? Are these workstations domain members?
    Are there possibly replication issues, so that account lockouts aren't being replicated to the DC you're checking in a timely manner?
    Are there any errors on the file server or dc or workstation about bad username/pw?

    Generally we get them to sign on while on the Domain network. After that they sign into the computer, then connect to the VPN with Static Creds.

    AD applies to the computer then. These computers are Domain Joined, but at remote, random locations.

    I'm not following. How do they sign on to the domain if the VPN isn't up?

    Windows Cached Credentials.


  • Service Provider

    @gjacobse said in MS VPN connection; Account locked:

    @scottalanmiller said in MS VPN connection; Account locked:

    @gjacobse said in MS VPN connection; Account locked:

    @momurda said in MS VPN connection; Account locked:

    @scottalanmiller I agree.

    @gjacobse What type of vpn connection? Domain functional level? Does this only happen with people using wifi to connect to vpn? Are these workstations domain members?
    Are there possibly replication issues, so that account lockouts aren't being replicated to the DC you're checking in a timely manner?
    Are there any errors on the file server or dc or workstation about bad username/pw?

    Generally we get them to sign on while on the Domain network. After that they sign into the computer, then connect to the VPN with Static Creds.

    AD applies to the computer then. These computers are Domain Joined, but at remote, random locations.

    I'm not following. How do they sign on to the domain if the VPN isn't up?

    Windows Cached Credentials.

    That's not signing into the domain. That's signing onto the laptop. There is a big difference.


  • Service Provider

    To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.



  • @gjacobse said in MS VPN connection; Account locked:

    @scottalanmiller said in MS VPN connection; Account locked:

    @gjacobse said in MS VPN connection; Account locked:

    @momurda said in MS VPN connection; Account locked:

    @scottalanmiller I agree.

    @gjacobse What type of vpn connection? Domain functional level? Does this only happen with people using wifi to connect to vpn? Are these workstations domain members?
    Are there possibly replication issues, so that account lockouts aren't being replicated to the DC you're checking in a timely manner?
    Are there any errors on the file server or dc or workstation about bad username/pw?

    Generally we get them to sign on while on the Domain network. After that they sign into the computer, then connect to the VPN with Static Creds.

    AD applies to the computer then. These computers are Domain Joined, but at remote, random locations.

    I'm not following. How do they sign on to the domain if the VPN isn't up?

    Windows Cached Credentials.

    I would think the problem lies here with old cached creds.
    Control Panel >user Accounts> View your credentials

    There are probably old/expired creds here for connecting to the file server.
    The script you're using to get by this gets info from the server and works because the info (username/pw the user needs to re-enter to get mapped drives) is current.
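
    As an added example (not the OP's MapDriveScript.bat and not from the thread), here is a PowerShell version of that mapping script that also acts on the stale-credential diagnosis above: it does the same reachability pre-check, removes any saved credentials for the file server that Windows would otherwise keep retrying with an old password, and then maps the drives prompting only for the password, since the signed-in domain username is already known. The server name, share names and drive letters are hypothetical.

```powershell
# Added example, not the thread's MapDriveScript.bat. Hypothetical values:
# file server FS01, shares "Data" and "Home", mapped as X: and H:.
$Server = 'FS01'
$Drives = @{ 'X' = 'Data'; 'H' = 'Home' }

# 1. Same pre-check the thread's script does: is the server reachable over the VPN?
if (-not (Test-Connection -ComputerName $Server -Count 1 -Quiet)) {
    Write-Warning "$Server is not reachable; is the VPN up?"
    exit 1
}

# 2. Saved credentials for the server (Control Panel > User Accounts >
#    View your credentials) are retried silently; if they hold an old password,
#    every reconnect is another bad-password attempt counted toward lockout.
#    List and remove the ones that target this server.
$stale = cmdkey /list | Where-Object { $_ -match 'Target:' -and $_ -match [regex]::Escape($Server) }
foreach ($line in $stale) {
    $target = ($line -split 'Target:\s*')[1].Trim()
    Write-Host "Removing stored credential for $target"
    cmdkey /delete:$target | Out-Null
}

# 3. The user signed in with cached domain creds, so the username is known;
#    only the password has to be typed (the change the OP planned for the script).
$user = "$env:USERDOMAIN\$env:USERNAME"
$pass = Read-Host -Prompt "Password for $user" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)

# 4. Map (or re-map) each drive with the current credential.
foreach ($letter in $Drives.Keys) {
    $path = "\\$Server\$($Drives[$letter])"
    if (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $letter -Force
    }
    New-PSDrive -Name $letter -PSProvider FileSystem -Root $path -Credential $cred -Persist -Scope Global | Out-Null
    Write-Host "$letter`: -> $path"
}
```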


  • Service Provider

    @scottalanmiller said in MS VPN connection; Account locked:

    To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

    Correct. This is the problem. Always.


  • Service Provider

    @JaredBusch said in MS VPN connection; Account locked:

    @scottalanmiller said in MS VPN connection; Account locked:

    To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

    Correct. This is the problem. Always.

    How does that work when they are on a wifi connection that doesn't connect until after they log in to their laptop?



  • @scottalanmiller said in MS VPN connection; Account locked:

    To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

    Following up

    How do you do that if the location you are at (hotel) requires pre-auth prior to accessing the internet? That captive portal page will kill that.


  • Service Provider

    @Mike-Davis said in MS VPN connection; Account locked:

    @JaredBusch said in MS VPN connection; Account locked:

    @scottalanmiller said in MS VPN connection; Account locked:

    To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

    Correct. This is the problem. Always.

    How does that work when they are on a wifi connection that doesn't connect until after they log in to their laptop?

    It doesn't. That is generally a large problem.


  • Service Provider

    @gjacobse said in MS VPN connection; Account locked:

    @scottalanmiller said in MS VPN connection; Account locked:

    To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

    Following up

    How do you do that if the location you are at (hotel) requires pre-auth prior to accessing the internet? That captive portal page will kill that.

    Yes, and that kills all sorts of things. When doing this, you can generally just reboot again and the hotel wifi still has you authorized.

    If it doesn't, you are relying on pure luck that all the right Kerberos pieces are still valid.



  • @Mike-Davis said in MS VPN connection; Account locked:

    @JaredBusch said in MS VPN connection; Account locked:

    @scottalanmiller said in MS VPN connection; Account locked:

    To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

    Correct. This is the problem. Always.

    How does that work when they are on a wifi connection that doesn't connect until after they log in to their laptop?

    You said these are Surface devices, and that makes me presume that they're Windows 10. If you STOP and LOOK at your login screen, you'll see that you can connect to wifi before logging in.

    I looked over the thread seeking information on the VPN and didn't see what kind of vpn you're using. Is it MS? Cisco? OpenVPN? Do these VPN tools that you're using allow you to connect at sign-in? If you're using MS VPN, did you consider using DirectAccess?



  • @Grey said in MS VPN connection; Account locked:

    @Mike-Davis said in MS VPN connection; Account locked:

    @JaredBusch said in MS VPN connection; Account locked:

    @scottalanmiller said in MS VPN connection; Account locked:

    To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

    Correct. This is the problem. Always.

    How does that work when they are on a wifi connection that doesn't connect until after they log in to their laptop?

    You said these are Surface devices, and that makes me presume that they're Windows 10. If you STOP and LOOK at your login screen, you'll see that you can connect to wifi before logging in.

    I looked over the thread seeking information on the VPN and didn't see what kind of vpn you're using. Is it MS? Cisco? OpenVPN? Do these VPN tools that you're using allow you to connect at sign-in? If you're using MS VPN, did you consider using DirectAccess?

    Title: MS VPN Connection
    Computer: Various: Surface / Laptops (Dell)
    Hardware: UBNT EdgeRouter



  • @Grey said in MS VPN connection; Account locked:

    @Mike-Davis said in MS VPN connection; Account locked:

    @JaredBusch said in MS VPN connection; Account locked:

    @scottalanmiller said in MS VPN connection; Account locked:

    To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

    Correct. This is the problem. Always.

    How does that work when they are on a wifi connection that doesn't connect until after they log in to their laptop?

    You said these are Surface devices, and that makes me presume that they're Windows 10. If you STOP and LOOK at your login screen, you'll see that you can connect to wifi before logging in.

    I looked over the thread seeking information on the VPN and didn't see what kind of vpn you're using. Is it MS? Cisco? OpenVPN? Do these VPN tools that you're using allow you to connect at sign-in? If you're using MS VPN, did you consider using DirectAccess?

    DirectAccess is really nice... but if you're not deploying Win10 Enterprise then you can't use it on your clients.


  • Service Provider

    @Mike-Davis said in MS VPN connection; Account locked:

    @JaredBusch said in MS VPN connection; Account locked:

    @scottalanmiller said in MS VPN connection; Account locked:

    To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

    Correct. This is the problem. Always.

    How does that work when they are on a wifi connection that doesn't connect until after they log in to their laptop?

    You have cached creds for that. Log in, connect, reboot.


