?
Solved

AD User accounts appear as locked out in ADUC

Posted on 2006-11-21
3
Medium Priority
?
1,791 Views
Last Modified: 2009-01-07
This is a new one on me and everyone I know:  All my Windows Server 2003 R2 Active Directory user accounts appear locked out in ADUC but aren't, and the object properties show the option to unlock the accounts on the Account tab as disabled.  No other properties on any other tabs seem to be affected.  This is true even when logged in as the root admin account.  Domain structure is pretty flat, one forest, one domain in the forest.  Using a command line utility, I can unlock accounts that are actually locked out, and can enumerate all the user accounts without issue.  Domain level GPO has account lock-out for 30 minutes after 3 tries, with count reset after 29 minutes.  All FSMO roles held by 2003 server, with 3 Win 2K AD servers essentially acting as backups (migrating to 2003 across the board).  The 2003 AD server has been in producton since August without issue.  The Win 2k AD servers have been in production for anywhere from 2 to 5 years.  No obvious errors in any of the event logs on any of the DCs.  Please help!
0
Comment
Question by:slappytheslug
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 1

Accepted Solution

by:
ucstechinfo earned 1000 total points
ID: 17993960
How do your accounts appear locked-out?

Did you recently change set the lockout setting in a GPO?  I did and freaked for a second as well.  A good test...use a test account and pass enough bad passwords to lock it out.  Then go into the accounts tab and let us know what you see there.  
0
 

Author Comment

by:slappytheslug
ID: 17995226
I changed the account lockout duration to 0 minutes after discovering this issue was domain-wide, and prior to discovering a command line work-around.  Currently, the checkbox on the Account tab in the user object properties that you'd normally uncheck to unlock a user account has "Account is locked out" next to it, and the whole line (including the checkbox) is greyed-out.  I will change the GPO Account lockout duration value back to its original setting and test lockout with a test user account per your recommendation.  I'll report my findings later today - thanks!
0
 

Author Comment

by:slappytheslug
ID: 17996164
I deliberately locked out a test account as recommended and it showed up normally in the ADUC GUI.  I was able to unlock it from there as well.  Perhaps my initial issue was exacerbated by my changing the lockout duration in the root GPO.  Thanks for suggesting this test.  Should have thought of it myself...
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question