AD account getting locked out every day

Posted on 2012-08-20
Last Modified: 2012-09-05
We set our lockout in AD to 10, then it caused a ton of problems so we set it back to 0 till we can get things under control.

But I have a user that is being locked out by a 2008 server 2-3 times a day.

I check the policy on the server and the lockout is set to 0.

So I cannot understand why the account is still being locked out.

Any thoughts?
Question by:rdefino
    LVL 12

    Expert Comment

    Is it a local server account or an Active Directory account? If it's an AD account, it's the domain controller that locks the account out.

    If it's a local account, then remember that the default domain policy will override the local computer policy. Use the group policy modelling wizard (in the Group Policy Management console) or the results wizard to check the effective policies.

    You really need to track down what's locking out the accounts. Have you downloaded the tools from here:-

    and checked the security logs on the domain controller(s) for failed audit requests? It can be many things: smart phones trying to sync, AD passwords saved in the password store, logons left

    Author Comment

    It is an AD account and I already used EventComb to see what system is locking it out. It's the 2008 that I mentioned in the post.
    LVL 57

    Assisted Solution

    by:Mike Kline
    Check to see if there are any services on that box that may be using that account.  You already know what box is the issue.  A network trace may also help out, more on that here


    LVL 12

    Expert Comment

    What roles does the box have? As well as services, are there any scheduled tasks that are running as the user?

    Author Comment

    Is there an app that I can use to track what application is causing the lockout on a system?
    LVL 12

    Accepted Solution

    If you can pin it down to a time then you might be able to use TCPView ( but if the application is using NT Authentication then it could be a kernel process that makes the connection.
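The checks suggested in this thread (services and scheduled tasks running as the user, and which process is making the failed logons) can be scripted on the server that EventComb identified. This is an added example, not code posted by anyone in the thread. It assumes an elevated PowerShell 2.0 session, an English-language OS, logon failure auditing enabled on the server, and `jdoe` as a placeholder account name.

```powershell
# Added example: run elevated on the server identified as the lockout source.
# 'jdoe' is a placeholder; pass the sAMAccountName of the locked-out user.
param([string]$Account = 'jdoe')

$pattern = [regex]::Escape($Account)

# 1. Services configured to log on as the account.
#    StartName looks like DOMAIN\jdoe or jdoe@domain, hence the substring match.
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object Name, DisplayName, StartName, State

# 2. Scheduled tasks that run as the account. schtasks.exe is used because
#    the ScheduledTasks cmdlets do not exist on Server 2008. The column
#    names below are the English ones (assumption: English-language OS).
schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $pattern } |
    Select-Object TaskName, 'Run As User', 'Task To Run' -Unique

# 3. Failed logons (event 4625) recorded on this server in the last 24 hours
#    for the account, grouped by calling process, logon type and source.
#    Assumption: "Audit logon events: Failure" is enabled on this server.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named <Data> fields of the event into a hashtable.
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.TargetUserName -eq $Account) {
            New-Object PSObject -Property @{
                Process   = $d.ProcessName   # image path of the caller, '-' if none
                LogonType = $d.LogonType     # 2 interactive, 3 network, 4 batch, 5 service
                Source    = $d.IpAddress     # '-' or a loopback address means local
            }
        }
    } |
    Group-Object Process, LogonType, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A logon type of 4 or 5 in the third result points back to a scheduled task or service from the first two checks, while a populated process path names the executable presenting the stale password.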
