Active Directory Account lockout

Posted on 2011-10-31
Last Modified: 2012-06-27
My AD account is getting locked out by incorrect/old password in a Network Management Server web application that I log into.

Sometimes I get locked out of Active Directory and other times I only get locked out of TACACS (via SSH client) and NMS (web application).

Sometimes my TACACS and NMS start working again without having my AD account reset.

I was told that sometimes the AD account lockout takes a while to replicate to where the Helpdesk is located.

I assumed that account lockouts and resets were sent immediately and would show up anywhere in the AD almost immediately.

When I log into and use the NMS I also start getting prompts to reauthenticate to Outlook, Communicator and even get a set of keys icon in my taskbar asking me to verify my credentials.

I do not get locked out if I don't open the NMS application and I will start troubleshooting there to get any old/cached information out of NMS but the fact that I sometimes get locked out of AD and everything else and have to have the helpdesk unlock my account and then sometimes I only get locked out of NMS and TACACS and the helpdesk says my account is not locked and then in an hour or so my TACACS and NMS accepts my password is strange.

I believe all our systems use AD for authentication.
Question by:Dragon0x40
    LVL 5

    Accepted Solution

    Not sure about your AD to TACACS setup but:
    AD will lockout and then pass the status to all AD controllers.  Depending upon replication settings on the servers this could be almost instant or could be slowed to several hours on a slow WAN link.  Unlocking - same thing.  Most often AD lockout is set to lockout for a period of time, not permanent.  Therefore your 1 hour later it works is possible without even having help desk have a look.

    One question is how the TACACS is configured - what AD servers is it talking to.
    And - once connected, what AD servers will be authenticating.
    Not to mention - multiple domains?  Trust relationships?
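
The checks the answer above points to (which domain controller sees the lockout, and how long the lockout lasts) can be run as follows. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the account name `jdoe` and the two function names are placeholders chosen for illustration.

```powershell
# Added example. Needs the ActiveDirectory module and permission to read the
# Security log on the PDC emulator. 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Get-LockoutStatePerDC {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Ask every domain controller directly instead of whichever DC answers first,
    # so differences between sites (helpdesk vs. the DC TACACS/NMS binds to) show up.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -ErrorAction Stop `
                -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt, AccountLockoutTime
            [pscustomobject]@{
                DC              = $dc.HostName
                Site            = $dc.Site
                LockedOut       = $u.LockedOut
                BadLogonCount   = $u.BadLogonCount        # badPwdCount is kept per DC, not replicated
                LastBadPassword = $u.LastBadPasswordAttempt
                LockoutTime     = $u.AccountLockoutTime
            }
        } catch {
            # A DC that cannot be queried is worth noting when chasing replication lag.
            [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site
                               LockedOut = "query failed: $($_.Exception.Message)" }
        }
    }
}

function Get-LockoutSource {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$MaxEvents = 20)

    # The PDC emulator is the usual place to look for event 4740 (account locked out).
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        Select-Object -First $MaxEvents TimeCreated,
            @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }  # host that sent the bad password
}

$user = 'jdoe'
# Lockout threshold and how long a lockout lasts before it clears on its own.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
Get-LockoutStatePerDC -SamAccountName $user | Format-Table -AutoSize
Get-LockoutSource     -SamAccountName $user | Format-Table -AutoSize
```

If `CallerComputer` names the server hosting the web application, that is the host presenting the old password.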
    LVL 19

    Assisted Solution


    Author Closing Comment

    This problem was specific to one application that required AD login. It is caching credentials and we have not figured out why yet but I want to close this question because I don't know how long it will take to fix.
