Solved

Account Lockout Issue

Posted on 2011-10-21
Medium Priority
802 Views
Last Modified: 2012-05-12
We have 2008 R2 AD / Windows 2003 AD environment. We modified account lockout policy by changing reset account lockout counter to 0. We did this because we want users to call helpdesk instead of waiting for 5 minutes.

We had to revert because over 50% of our users were locked out. What could be the issue? GPO was modified on Win 2003 AD.
Question by:oandosupport
15 Comments
 

Expert Comment

by:undejj
ID: 37009143
I think you mean that you set Reset Account Lockout Counter After to 0, meaning that the account lockout counter never resets because the value is in units of minutes.

To achieve what you want, set Account Lockout Threshold to 1 and Account Lockout Duration to 0, meaning that the account will be locked out until an administrator explicitly unlocks it.

Reset Account Lockout Counter After may be set to a reasonably large number - the max is 99,999 minutes.
LVL 21

Accepted Solution

by:Hendrik Wiese (earned 1000 total points)
ID: 37009187
There could be a number of reasons why this is happening:

1. This could be applications that are still trying to authenticate with old user accounts, and after 3 failed logon attempts (assuming your server is set to 3 attempts) the account gets locked.
2. This could be a worm or virus causing the issue.
3. Or this could also be caused by the account lockout policy being set to something like 1 or 2.
4. There might also be errors on your DCs, so check all DCs using replmon, netdiag and dcdiag.
5. This could also be caused by a service that still has old credentials in it.

Have a look at the following tool to help resolve the issue: Account Lockout and Management Tools

Here are a couple of reference sites that you might want to check out:
1. http://forums.techarena.in/active-directory/926498.htm
2.
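One way to find which machines the lockouts are coming from, as an added example that is not code from the thread: it reads event 4740 (account locked out) from the PDC emulator, which records every lockout in the domain, and groups lockouts by the caller computer. It assumes PowerShell 3 or later, the ActiveDirectory module, rights to read the PDC's Security log remotely, and that the PDC emulator is a 2008 R2 DC (a 2003 DC logs the equivalent as event 644, which Get-WinEvent cannot read remotely); the 24-hour window is a placeholder.

```powershell
# Added example, not code from the thread: locate lockout sources from event 4740
# on the PDC emulator. Assumes PS3+, the ActiveDirectory module, remote read
# access to the PDC's Security log, and a 2008 R2 PDC emulator.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-24)          # placeholder window

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Pull the EventData fields by name rather than by position
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $data['TargetUserName']
        # In 4740 the "Caller Computer Name" shown in Event Viewer is the TargetDomainName field
        Source = $data['TargetDomainName']
        DC     = $data['SubjectUserName']   # the DC that processed the bad attempts
    }
}

# One source locking many different users points at a service, scheduled task or
# device (ActiveSync phones included) retrying with stale credentials; one user
# locked from many sources is usually cached credentials on that user's machines.
$lockouts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```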
LVL 3

Expert Comment

by:saraf1000
ID: 37009898
The only bad thing is that "0" doesn't work for the "Reset account lockout counter after" setting.

Saraf

Author Comment

by:oandosupport
ID: 37010286
I got the question all wrong. Account lockout duration was set to 0, account lockout threshold was set to 3 invalid logons, and reset account lockout counter after was set to 2 minutes.

All accounts got locked out.
LVL 3

Expert Comment

by:saraf1000
ID: 37010291
So now that's sorted out..
by changing account lockout duration...

Congrats.

Saraf
LVL 14

Expert Comment

by:Radweld
ID: 37010476
Many people forget that any phones using ActiveSync also authenticate against the domain and cause accounts to lock out.

Author Comment

by:oandosupport
ID: 37010775
We still have a lot of users with accounts locked out. Our policy states that all users must contact helpdesk before their accounts are locked out. What is the effect of an account lockout duration of 0 vs 60?
LVL 3

Expert Comment

by:saraf1000
ID: 37013044
Account Lockout Duration. If someone violates the lockout controls, Account lockout duration sets the length of time the account is locked. The lockout duration can be set to a specific length of time using a value between 1 and 99,999 minutes.

The best security policy is to lock the account indefinitely by setting the lockout duration to zero. When this is done, only an administrator can unlock the account. This will prevent hackers from trying to access the system again and will force users who are locked out to seek help from an administrator, which is usually a good idea. By talking to the user, the administrator can determine what the user is doing wrong and help the user avoid problems.

Saraf

Author Comment

by:oandosupport
ID: 37013351
The strange thing is, all users were fine until we changed the account lockout duration to 0. This shouldn't cause accounts to lock out, should it?
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 37014065
Have you tried using the account lockout and management tool that I suggested?

Author Comment

by:oandosupport
ID: 37014173
Yes I did. It's kinda strange. It shows my account as locked out on some DCs in different sites. Is there a tool to unlock all accounts?
LVL 3

Expert Comment

by:Marc Smets
ID: 37036593
In LockoutStatus you can right-click the DC where the user is locked and select 'Unlock'.

This needs to be done for each DC, as you cannot unlock on different DCs simultaneously.
LVL 14

Expert Comment

by:Radweld
ID: 37036653
You should always "unlock" an account on the DC hosting the PDC role to ensure the account doesn't get relocked. You could also have AD replication issues (check that the time on every DC is consistent and within 600 seconds of the PDC).
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 37036663
There is obviously something wrong with your replication if your account is only locked on some DCs. You can download a trial of ManageEngine's ADManager Plus to unlock multiple accounts at the same time. Download Link
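The per-DC check that LockoutStatus does, plus the clock-skew test and the unlock-on-the-PDC step from the two comments above, as an added example that is not code from the thread. It assumes PowerShell 3 or later, the ActiveDirectory module, a domain admin session, and that every DC answers AD Web Services (built into 2008 R2; on 2003 DCs this needs the AD Management Gateway Service); `$user` is a placeholder sAMAccountName.

```powershell
# Added example, not code from the thread: LockoutStatus-style check in PowerShell.
# Assumes PS3+, the ActiveDirectory module, a domain admin session, and ADWS (or
# the AD Management Gateway Service on 2003) on every DC. $user is a placeholder.
Import-Module ActiveDirectory
$user = 'jdoe'

$domain  = Get-ADDomain
$pdc     = $domain.PDCEmulator
$fromWmi = { param($s) [System.Management.ManagementDateTimeConverter]::ToDateTime($s) }
$pdcNow  = & $fromWmi (Get-WmiObject Win32_OperatingSystem -ComputerName $pdc).LocalDateTime

# lockoutTime and badPwdCount are tracked per DC, so each DC must be asked directly
$status = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $acct  = Get-ADUser -Identity $user -Server $dc.HostName -Properties lockoutTime, badPwdCount, badPasswordTime
        $dcNow = & $fromWmi (Get-WmiObject Win32_OperatingSystem -ComputerName $dc.HostName).LocalDateTime
        [pscustomobject]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            Locked      = [bool]($acct.lockoutTime -gt 0)
            LockedAt    = $(if ($acct.lockoutTime -gt 0) { [DateTime]::FromFileTime($acct.lockoutTime) })
            BadPwdCount = $acct.badPwdCount
            LastBadPwd  = $(if ($acct.badPasswordTime -gt 0) { [DateTime]::FromFileTime($acct.badPasswordTime) })
            SkewSeconds = [math]::Round(($dcNow - $pdcNow).TotalSeconds)
        }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Locked = 'unreachable'; Error = $_.Exception.Message }
    }
}
$status | Format-Table -AutoSize

# A DC more than five minutes off the PDC emulator fails Kerberos and produces
# "phantom" lockouts; fix time sync before reading anything into the Locked column.
$status | Where-Object { $_.Locked -ne 'unreachable' -and [math]::Abs($_.SkewSeconds) -gt 300 } |
    ForEach-Object { Write-Warning ("{0} is {1}s off the PDC emulator" -f $_.DC, $_.SkewSeconds) }

# Unlock on the PDC emulator so the change wins and replicates outward, rather than
# per DC, where a later replication cycle can re-lock the account.
if ($status | Where-Object { $_.Locked -eq $true }) {
    Unlock-ADAccount -Identity $user -Server $pdc
    Write-Host "Unlocked $user on $pdc"
}
```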

Author Closing Comment

by:oandosupport
ID: 37075172
The tool helped in unlocking accounts.