Active Directory - User account lockout after changing password

Posted on 2009-04-29
Last Modified: 2012-05-06
Hello all,

I have recently changed a few things in my Active Directory, in order to shore up some basic security. We have one domain, running Windows 2003 servers. Everything is pretty basic with the domain. I have made three changes in the past few days. They are:

1. Changed password complexity to 6 chars, capital, numeral, etc.
2. Changed account lockout to a threshold of 3 unsuccessful attempts
3. Changed password expiration to 30 days

After changing these settings in AD (globally), it seems that when people change their passwords (after being prompted when they log in) their accounts get locked out. This has happened to every person who has changed their password since the changes were implemented.

Does anybody have any ideas as to why this might be happening?

Thanks in advance for your help.

Question by:Mbrowwn

Accepted Solution

I don't believe this happens to all users who change their password. I believe you could have a lot of users getting locked out due to the following reasons:
1. Users do not know the requirements of a complex password.
2. Users do not usually log off their machine; instead they put their laptop in standby mode or remain logged on with the old password.
3. Notification of the password change was prompted due to various reasons.
4. 3 attempts before lockout is too low, as users may need training on what a complex password is all about.

Other possibilities are a terminal session or RDP session still logged on with the old password, and multiple machines being used could also lead to the account being locked out. At this point, what you can do is study the Security log of your DCs to find out from which machine the user account is being locked out. Also train the users on what they need to provide when changing to a complex password. I also find that 3 attempts is not enough most of the time, even for myself, and that is the reason I always have a second account to unlock my account. A mistyped password, Caps Lock, and a misused old password account for 3 attempts, and a helpdesk ticket already needs to be opened...
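The "study the Security log of your DCs" step from the answer above can be scripted. The following is an added example, not code from the original thread or from the answerer: it reads event ID 4740 ("A user account was locked out") from the PDC emulator, which records every lockout in the domain, and groups the lockouts by user and by the calling computer so that a user whose lockouts originate from several hosts (the stale-session case the answer describes) stands out. It assumes Windows Server 2008 or later domain controllers, an account allowed to read the Security log remotely, and a workstation that can reach the PDC emulator; the `$Hours` window is an arbitrary choice. On Windows 2003 domain controllers, as in the question, the equivalent Security log event is ID 644 and has to be read with Event Viewer or eventquery.vbs instead of Get-WinEvent.

```powershell
# Added example (not from the original thread): find which computers are causing
# account lockouts by reading event 4740 from the PDC emulator's Security log.
# Assumptions: Windows Server 2008+ DCs, read access to the remote Security log,
# and a domain-joined workstation (no RSAT/ActiveDirectory module required).
param(
    [int]$Hours = 24   # constructed default: how far back to look
)

# The PDC emulator receives a copy of every lockout in the domain, so one query is enough.
$pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$since = (Get-Date).AddHours(-$Hours)

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740            # "A user account was locked out"
    StartTime = $since
} -ErrorAction SilentlyContinue  # Get-WinEvent reports an error when no events match

if (-not $events) {
    Write-Host "No 4740 lockout events on $pdc in the last $Hours hours."
    return
}

# Pull the named EventData fields out of each event's XML instead of relying on
# positional property indexes. In event 4740 the field named TargetDomainName
# carries the caller computer name (shown as "Caller Computer Name" in Event Viewer).
$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = $data['TargetUserName']
        SourceHost = $data['TargetDomainName']
        LoggedOnDC = $e.MachineName
    }
}

# One row per user/host pair. A user appearing with several SourceHost values is
# the "logged into multiple machines with the old password" case from the thread.
$lockouts |
    Group-Object User, SourceHost |
    ForEach-Object {
        [pscustomobject]@{
            User       = $_.Group[0].User
            SourceHost = $_.Group[0].SourceHost
            Count      = $_.Count
            LastSeen   = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } |
    Sort-Object User, Count -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on a domain-joined machine (for example `.\Find-LockoutSource.ps1 -Hours 48`). Once the hosts are known, the cached credential on each one (a disconnected RDP session, a mapped drive, a scheduled task, or a service running under the user's account) is what needs to be cleared before the next password change, or the lockout will repeat.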

Author Closing Comment

Thank you for your reply Americom. It appears that some users were logged into multiple machines, therefore locking their accounts when the password was changed.

Thanks again for all your help!

Expert Comment

You're welcome, glad that helped.
