Solved

Account locked out, cannot change

Posted on 2011-02-28
Last Modified: 2012-06-27
I have one of our nurseries who cannot access their account, OWA, Intranet etc.
The account says:
"this account is currently locked out on this active directory domain controller"
I cannot seem to bypass this. I've ticked and applied to no avail.
I've changed the password.
The timeout appears to be 10 minutes and we have certainly passed that!
Any help please.
It is not just a case of ticking the box, I have tried this many times.
0
Question by:jasonbournecia
12 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34996428
The problem may be that as you are clearing the account - their computer is retrying the username / password and it is locking it out again.

Can you ask them to shut down any programs on their computer that would be using the account username / password or even shut the computer down until you can reset the account, then see if the account keeps locking it out.

You may also be the victim of a hacker trying to hack into the account remotely, so please check your Security Logs to see what the source of the account lockouts are.
0
 

Author Comment

by:jasonbournecia
ID: 34996650
Hi alanhardisty, re the first bit, this is the first thing I got them to do; although I didn't get them to restart, I got them to close IE and Outlook.
I will check the logs.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34996657
Thanks - will wait for your feedback.
0

 

Author Comment

by:jasonbournecia
ID: 34996796
Out of my depth here. Lots of Security Kerberos error messages in 'System'.
I think I need to call our support people again.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34996812
Filter by Invalid Logins. Right-click on the Security Event Log, choose View > Filter... Unselect all Event Types apart from Failure audit.

Then look at the failures and post the error from one or two Login Failure events please.
0
 

Author Comment

by:jasonbournecia
ID: 34996967
I was able to filter the 'System' log for the specific user, there were no errors for that user in Security. Under System, I got this:
"The SAM database was unable to lockout the account of myuser due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above."
I have reset their password this morning. Is it worth doing this again!?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34997078
Can you please look for the Account Locked error and then look for a couple of entries prior to the lockout and post the error from those events please.  They might give us a clue.
0
 

Author Comment

by:jasonbournecia
ID: 34997200
Sorry Alan, in SBS2008, I cannot see the filtering quite as you say, hence why I filtered by the user's name.
If I go into Windows Logs, then right click Security, there is no filter under 'Views'. But you can right click and 'Filter Current Log', but I could not see how to filter by lockout.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34997284
Sorry - Please filter by Audit Failures (Keywords) and then look at the details of the error.
0
 

Author Comment

by:jasonbournecia
ID: 34997702
Okay, done.
Obviously I've changed the username and domain, but I will tell you one obvious issue, the domain name below user name was the name of the local PC. It looks like the user forgot to put our domain name then backslash in front of their username, so Windows 7 their end inserted the local workgroup name.
But, even so, I cannot release the locked user.
error.txt
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 34997754
Okay - so it seems to be the workstation that is causing the issues.  Is it switched off yet?
0
 

Author Closing Comment

by:jasonbournecia
ID: 34998260
Well, that's me suitably embarrassed!!!
Just disconnecting wasn't enough.
I've shut down their PCs and the message has gone :)
Thanks for your help.
I guess that somehow there was still a hook to the remote IP.
Their PCs are not inside the domain, so I thought just logging off Intranet and email would have been enough.
I overlooked the simple thing. Typical me.
Thanks again Alan.
John
0
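
The log check discussed in this thread (find the lockout, then the failed logons before it, and see which machine they come from) can be scripted instead of filtered by hand in Event Viewer. This is an added example, not part of the original thread. It assumes an elevated PowerShell session on the domain controller, that account logon and account management auditing are enabled, and that `myuser` stands in for the locked account. `Get-EventField` is a helper defined here.

```powershell
# Added example: trace the source of repeated lockouts for one account.
$User  = 'myuser'                      # placeholder account name (assumption)
$Since = (Get-Date).AddHours(-24)      # look-back window (assumption)

# Read a named field from an event's XML rather than relying on field order.
function Get-EventField {
    param($Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4740 = "A user account was locked out". In this event the
# TargetDomainName field carries the caller computer name.
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            User           = Get-EventField $_ 'TargetUserName'
            CallerComputer = Get-EventField $_ 'TargetDomainName'
        }
    } | Format-Table -AutoSize

# Audit failures that lead up to a lockout:
# 4625 failed logon, 4771 Kerberos pre-authentication failed,
# 4776 NTLM credential validation.
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    ForEach-Object {
        # 4625 names the field WorkstationName, 4776 names it Workstation.
        $ws = Get-EventField $_ 'WorkstationName'
        if (-not $ws) { $ws = Get-EventField $_ 'Workstation' }
        [pscustomobject]@{
            EventId     = $_.Id
            Workstation = $ws
            IpAddress   = Get-EventField $_ 'IpAddress'
        }
    } |
    Group-Object EventId, Workstation, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A single workstation or IP address dominating the second table is the machine still retrying stale credentials; a spread of unfamiliar external addresses points to the remote guessing scenario raised earlier in the thread.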
