Hello there,
This is a common issue.
In your AD there is more than one Global Catalog (GC). Each one of these servers is able to authenticate clients.
What is happening is that you unlocked the given account in one GC, but in fact, the client is authenticating against a second (or third) Global Catalog. Since the replication hasn't occurred yet, the rest of the GCs aren't aware of the account change...
In situations like this, you should reset or unlock the account on the server closest to or in the same site as the client. (A client always authenticates against the closest available GC server.) So, if you can, log in remotely to that server and unlock the account. This way, the unlock is immediate for the client.
If for any reason you can't log in remotely or there is only one site (with two or more GCs), you can always use any GC to unlock the account. Then, to be sure that the change is (almost) immediately available to the client, you should force AD replication to occur. (Go to AD Sites and Services and force replication.)
Hope this helps.
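The procedure in the post above, scripted as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module and rights to unlock accounts; the account name `jdoe` and the site name `Branch-Site` are hypothetical, and it pushes the single user object with `Sync-ADObject` rather than forcing replication from AD Sites and Services.

```powershell
Import-Module ActiveDirectory

$User       = 'jdoe'         # hypothetical sAMAccountName of the locked account
$ClientSite = 'Branch-Site'  # hypothetical AD site of the affected client

# 1. Show the lockout state as each domain controller currently sees it.
#    Differing LockedOut values mean the change has not replicated yet.
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $User -Server $dc.HostName `
                        -Properties LockedOut, LastBadPasswordAttempt
        [pscustomobject]@{
            DC              = $dc.HostName
            Site            = $dc.Site
            IsGC            = $dc.IsGlobalCatalog
            LockedOut       = $u.LockedOut
            LastBadPassword = $u.LastBadPasswordAttempt
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

# 2. Unlock on a DC in the client's site; fall back to any DC if none is found.
$target = $dcs | Where-Object { $_.Site -eq $ClientSite } | Select-Object -First 1
if (-not $target) {
    Write-Warning "No DC found in site '$ClientSite'; using $($dcs[0].HostName)"
    $target = $dcs[0]
}
Unlock-ADAccount -Identity $User -Server $target.HostName

# 3. Push the updated user object from that DC to every other DC,
#    so the unlock does not wait for the normal replication schedule.
$dn = (Get-ADUser -Identity $User -Server $target.HostName).DistinguishedName
foreach ($dc in $dcs | Where-Object { $_.HostName -ne $target.HostName }) {
    try {
        Sync-ADObject -Object $dn -Source $target.HostName -Destination $dc.HostName
    } catch {
        Write-Warning "Sync to $($dc.HostName) failed: $_"
    }
}
```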
Resetting the password does not change the status of the account if the user is locked out. You will have to unlock the account. Go to AD and select the user. Go to Properties > Account. There should be a box stating “Unlock Account”. Check that and hit apply. That should fix the problem.
Just to complement my and Tchin's contributions:
To make this “Problem” (account lock) auto-recoverable, you can create a GPO to automatically unlock user accounts after a specified amount of time.
Create a new or redefine an existing Group Policy, and then go to:
Computer Configuration
Windows Settings
Security Settings
Account Policies
Account Lockout Policy
Account Lockout Duration
Define the Account Lockout Duration to best fit your needs, say 10 minutes.
In small to medium environments, I usually use this to spare me the need to actually log in remotely and just unlock a user account.
If an account gets locked and the user calls the help desk, we usually just tell her/him to wait a few minutes to be able to log in again.
This way the account status is automatically reset after the amount of time defined in the GPO.
Hope you find this useful.