devdept asked:

Locked account in Active Directory 2003

Dear All,

We face a problem in our Active Directory; most of the user accounts are suddenly getting locked. I have to go and unlock the user. It's affecting most of the users (but not all). Also, there is no policy to lock the user accounts in Active Directory.

How can we solve this issue?


Active Directory, Windows Server 2003

Last Comment

8/22/2022 - Mon
Mohamed Osama

Mike Kline

If you have several domain controllers you can use EventComb to look for the specific event IDs. EventComb has that report ready to be run. More on that here:
How to use the EventCombMT utility to search event logs for account lockouts
Also just double check your domain policies to make sure no one made changes to the account policies.
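The kind of search EventCombMT automates, as an added example that is not part of the thread: it filters Security log records collected from several domain controllers for event ID 644 (the Windows Server 2003 "User Account Locked Out" event) and tallies the caller machine recorded for each account. The CSV layout, host names and accounts are constructed for illustration and are not EventCombMT's actual output format.

```python
import csv
import io
import re
from collections import Counter, defaultdict

LOCKOUT_EVENT_ID = "644"  # Server 2003 Security log: "User Account Locked Out"

# Constructed sample (assumed layout): one CSV row per event collected from
# each domain controller. Hosts, accounts and times are made up.
SAMPLE_EXPORT = """\
dc,time,event_id,description
DC01,2010-03-01 08:02:11,644,User Account Locked Out: Target Account Name: jsmith Caller Machine Name: WKS-042 Caller User Name: DC01$
DC02,2010-03-01 08:02:40,529,Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Workstation Name: WKS-042
DC02,2010-03-01 09:15:03,644,User Account Locked Out: Target Account Name: jsmith Caller Machine Name: WKS-042 Caller User Name: DC02$
DC01,2010-03-01 10:41:27,644,User Account Locked Out: Target Account Name: JSmith Caller Machine Name: MAIL-01 Caller User Name: DC01$
DC03,2010-03-01 11:05:50,644,User Account Locked Out: Target Account Name: akhan Caller Machine Name: Caller User Name: DC03$
DC01,2010-03-01 11:30:00,644,User Account Locked Out: Target Account Name: bwong
"""

FIELDS = re.compile(
    r"Target Account Name:\s*(\S+).*?Caller Machine Name:\s*(.*?)\s*Caller User Name:")

def lockout_sources(export_text):
    """Map each locked-out account to a Counter of caller machines from its 644 events."""
    sources = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"].strip() != LOCKOUT_EVENT_ID:
            continue  # failed-logon and other events are not lockouts
        match = FIELDS.search(row["description"])
        if match is None:
            continue  # truncated description: nothing reliable to attribute
        account = match.group(1).lower()  # account names are case-insensitive
        machine = match.group(2).upper() or "(unknown)"  # field can be empty
        sources[account][machine] += 1
    return sources

def summarize(sources):
    """Return (account, total_lockouts, top_caller_machine, hits), busiest account first."""
    rows = []
    for account, machines in sources.items():
        machine, hits = machines.most_common(1)[0]
        rows.append((account, sum(machines.values()), machine, hits))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for account, total, machine, hits in summarize(lockout_sources(SAMPLE_EXPORT)):
        print(f"{account}: {total} lockouts, {hits} from {machine}")
```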

In addition to the tools suggested above, you may want to double or triple check your policies. Since you said "most of the user account...suddenly", it sounds like it mostly has to do with someone having made a change to the account lockout policy. The good thing is you don't have to go through every policy to find out which one was changed. A good start, as mkline71 suggested above, is to check your domain policies. Since the password policy applies to the domain, run GPMC (you can download it from Microsoft if you are not using this tool to manage your GPOs), click on your domain, and go through all the policies that are linked to your domain to see which has recently changed. To save time, when you click on the domain in the GPMC console, you can see in the right pane, under the tab "Linked Group Policy Objects", a column showing when the GPO was modified. Maybe the date would give you some idea. You can also click on the suspected policy, click on "Settings", and find out how your account password lockout policy is configured. This should be in Computer Configuration>Windows Settings>Security Settings>Account Policies/Account Lockout Policy.

For more info on how these should be set, an earlier thread has a good discussion on this:

I need to ask, can this be related to the computer account? I noted that the users who use a domain-joined computer have this problem, and the users who use a workgroup computer didn't face this.
I checked the GPO; nothing is configured there.
Mike Kline

Computer accounts do have passwords too but that should affect the user account being locked out.

The reasons that could cause the computer password to expire could be that the computer has been offline for a long period of time, the system time and date are way off due to a system board change, etc.

You can reset the computer account password by using the netdom.exe utility, but I usually reset it by disjoining and rejoining the domain.

I have 1500 computers, I can disjoin all of them. I'm sure this is not the solution.