Link to home
Avatar of devdept
devdeptFlag for Saudi Arabia

asked on

Locked account in Active Directory 2003

Dear All,

We face a problem in our active directory; most of the users account its coming lock suddenly. I have to go and unlock the user. Its affecting most of the users (but not all). Also, there is no policy to lock the users account in active directory.

How we can solve this issue?

Thanks

ASKER CERTIFIED SOLUTION
Avatar of Mohamed Osama
Mohamed Osama
Flag of Egypt image

Blurred text
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
If you have several domain controllers you can use eventcomb to look for the specific event id's.  Eventcomb has that report ready to be run.  More on that here:
http://support.microsoft.com/kb/824209
How to use the EventCombMT utility to search event logs for account lockouts
Also just double check your domain policies to make sure no one made changes to the account policies.
 
 
In additions to the above tools suggested, you may want to double or trible check on your policies. Since you said "most of the user account...suddenly", it soulds like it mostly has to do with someone made change of the account locked policy. The good things is you don't have to go through every policies to find out which one was changed. A good start as mkline71 suggested about, check on your domain policies. Since password pollicy apply to domain, run GPMC(you can download it from Microsoft if you are not usging this tool to manage your GPOs) and click on your domain, go through all the policies that are linked to your domain and see which has recently changed. To save time, when you click on the domain in GPMC console, you can see on the right pane under the tab "Linked Goup Plicy Objects", there is a column showing when the GPO was modified. May be the date would give you some idea. You can also click on the suspected policy and click on the "Settings" and find out how is your account password lockout policy is configued. This should be in Computer Configuration>Windows Setting>Security Settings>Account Policies/Account Lockout Policy.

For more info on how should these be set, an earlier thread has a good discussion on this:
https://www.experts-exchange.com/questions/24079076/What-is-wrong-with-my-Account-Lockout-Policy.html
Avatar of devdept

ASKER

I need to ask, does this can related to the computer account? I notes that; the users which use a join computer have this problem and the users which use workgroup computer didn't face this
I chack the GPO, nothing configured there
 
Computer accounts do have passwords too but that should affect the user account being locked out.
The reasons that could computer password to expire could be the computer has been offline for a long period of time, system time and date is way off due to systemboard change, etc.

you can reset the computer account password by using the netdom.exe utlity but I usually reset it by disjoint and rejoint to the domain.
Avatar of devdept

ASKER

i have 1500 computer, i can disjoint all of them. i'm sure this is not the solution