

Active Directory Account lockout

Posted on 2011-10-31
Medium Priority
Last Modified: 2012-06-27
My AD account is getting locked out by incorrect/old password in a Network Management Server web application that I log into.

Sometimes I get locked out of Active Directory and other times I only get locked out of TACACS (via SSH client) and NMS (web application).

Sometimes my TACACS and NMS start working again without having my AD account reset.

I was told that sometimes the AD account lockout takes a while to replicate to where the Helpdesk is located.

I assumed that account lockouts and resets were sent immediately and would show up anywhere in the AD almost immediately.

When I log into and use the NMS I also start getting prompts to reauthenticate to Outlook, Communicator and even get a set of keys icon in my taskbar asking me to verify my credentials.

I do not get locked out if I don't open the NMS application, and I will start troubleshooting there to get any old/cached information out of NMS. But the fact that I sometimes get locked out of AD and everything else and have to have the helpdesk unlock my account, and then sometimes I only get locked out of NMS and TACACS and the helpdesk says my account is not locked, and then in an hour or so my TACACS and NMS accept my password, is strange.

I believe all our systems use AD for authentication.
Question by: Dragon0x40

Accepted Solution

mrklaxon earned 1000 total points
ID: 37058464
Not sure about your AD to TACACS setup but:
AD will lock out and then pass the status to all AD controllers. Depending upon replication settings on the servers this could be almost instant or could be slowed to several hours on a slow WAN link. Unlocking - same thing. Most often AD lockout is set to lock out for a period of time, not permanent. Therefore your 1 hour later it works is possible without even having help desk have a look.

One question is how the TACACS is configured - what AD servers is it talking to.
And - once connected, what AD servers will be authenticating.
Not to mention - multiple domains?  Trust relationships?
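
One way to check the replication and timed-unlock behaviour described in the answer above, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, rights to read the Security log on the PDC emulator, and uses `jdoe` as a placeholder account name.

```powershell
# Added example: compare one account's lockout state across all domain controllers.
# Assumes the RSAT ActiveDirectory module; 'jdoe' is a placeholder account name.
param([string]$SamAccountName = 'jdoe')
Import-Module ActiveDirectory

# Default domain lockout policy (a fine-grained password policy may override it).
# A non-zero LockoutDuration means the account unlocks by itself after that time.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow | Format-List

# Query each DC directly. badPwdCount and LastBadPasswordAttempt are kept per DC and
# not replicated, so they show which DC is receiving the bad passwords.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{ DC = $dc.HostName; Site = $dc.Site; LockedOut = $null
                       LockoutTime = $null; BadPwdCount = $null; LastBadPwd = $null; Error = $null }
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -ErrorAction Stop `
            -Properties LockedOut, AccountLockoutTime, badPwdCount, LastBadPasswordAttempt
        $row.LockedOut   = $u.LockedOut
        $row.LockoutTime = $u.AccountLockoutTime
        $row.BadPwdCount = $u.badPwdCount
        $row.LastBadPwd  = $u.LastBadPasswordAttempt
    } catch {
        $row.Error = $_.Exception.Message   # DC unreachable or query refused
    }
    [pscustomobject]$row
}
$report | Sort-Object Site, DC | Format-Table -AutoSize

# DCs that disagree on LockedOut have not yet replicated the lockout or the unlock.
$states = @($report | Where-Object { -not $_.Error } | Select-Object -ExpandProperty LockedOut -Unique)
if ($states.Count -gt 1) { Write-Warning "DCs disagree on lockout state for $SamAccountName" }

# Event 4740 (account locked out) on the PDC emulator records the caller computer,
# stored in the TargetDomainName data field of the event.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) } |
    ForEach-Object {
        $evt = $_
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.TargetUserName -eq $SamAccountName) {
            [pscustomobject]@{ Time = $evt.TimeCreated; Caller = $d.TargetDomainName }
        }
    }
```

The caller reported by event 4740 is the host that submitted the bad passwords, which for a case like this one would be expected to be the server running the application that holds the stale credential.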

Assisted Solution

R--R earned 1000 total points
ID: 37061596

Author Closing Comment

ID: 37143059
This problem was specific to one application that required AD login. It is caching credentials and we have not figured out why yet but I want to close this question because I don't know how long it will take to fix.


Question has a verified solution.
