Active Directory accounts being locked out

1725 pts.
Active Directory
Active Directory Account Lockout
Active Directory user accounts are getting locked without any invalid attempt. Users are logged into the PC but account is locked out.

Answer Wiki

Thanks. We'll let you know when a new response is added.

If you go into Active Directory and unlock the account does it stay unlocked or does it lock again? How many people is this affecting? Does it happen to everyone?

Discuss This Question: 6  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • ITKE
    It affecting all 55 people and it locks again after i unlock the account.
    1,149,730 pointsBadges:
  • Nberlanga
    Microsoft has a nice article on troubleshooting this Otherwise, it really tough to say, could be anything. How quickly are they locked again?
    35 pointsBadges:
  • Netwrix
    There are tons of different reasons why you could be experiencing Active Directory account lockouts—forgotten passwords, attempted Active Directory intrusions, mapped network drives, disconnected remote desktop sessions, and so on. The reasons for an Active Directory lockout can be very simple or very complex, but regardless, they do result in loss of productivity, frustrated users, an influx of help desk calls and a huge administrative burden. That is why for many organizations, it makes sense to take advantage of third-party account lockout solutions like the NetWrix Account Lockout Examiner. The NetWrix Account Lockout Examiner is inexpensive and pulls its weight in gold by saving money on lost productivity and IT administrative labor. It is a cost-effective solution that will not only notify IT operators of account lockouts via real-time notifications, but it will troubleshoot those account lockouts, giving administrators the answers they need to ensure that similar problems don’t reoccur in the future, and it will proactively resolve the issues by way of a web-based console or E-mail. The fast resolution allows users to quickly solve problems with minimal to zero IT assistance and return to a productive state. Stephen Schimmel, Product Manager, NetWrix Corporation
    20 pointsBadges:
  • Pjb0222
    Another item that can contibute to account lockout is an overly restrictive policy. Unfortunately there are now many things that make multiple attempts to authenticate before they go back to the user to re-enter the password. A common implemetation is an application tries three times before returning to the user with a could not authenticate and allowing the user to re-entering the password. I have seen this go as high as six authentication attempts in an application. Either of these situations cause an immediate lockout with only one user attempt with the default 3 try limit. So, setting to 10 attempts prior to lockout was a good compromise number taking into account that applications that require a separate authentication and authenticate against the AD now often make multiple authentication attempts in the background. Another item to watch out for are saved passwords. Even with a no saved password policy I see many applications brought in that save passwords anyway. So, application launches after a password change, tries to authenticate to AD in the background, does it's three attempts thing, user is now locked out, user finally presented a login prompt and allowed to enter password. You now have a very unhappy user who is unable to work and another help desk call. Yeah, I'll get off my soap box now.
    3,310 pointsBadges:
  • Kevincreate
    This thread is old, but a lot of things can cause a user to be locked out. Including a service somewhere logging in under the account, or a user left logged on to a computer. I use AD Network Manager to find out where my users are logged in.
    10 pointsBadges:
  • stephen11
    Kindly try some active directory management tools like admanagerplus(manageengine),active directory manager(adsysnet)

    they reporting invalid attempt count and last bad password time and account locked/unlocked status,etc.
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: