Several days ago I had a case where several accounts got locked out. I talked to the users who were locked out of the domain, but they all claimed that they knew the password. They had not changed the password recently and had done nothing to lock their account. Even so, their user accounts were locked out every 15 to 30 minutes. What a terrible experience. Why terrible? Because I couldn’t find the problem immediately. It took me a while to find out how to handle such a situation.
After a quick Google search I found numerous posts, but nothing helped me find the cause of the domain lockouts. Then I stumbled on the following MS article:
How to troubleshoot User Account Lockout in Windows domain
Check list to resolve domain lockouts
- Check that domain controllers have the latest service pack applied; also check for hotfixes and any other updates
- Check that client computers have the latest service packs applied; also check for hotfixes and any other updates that may apply
- Enable auditing on domain controllers
- Enable Netlogon logging
- Enable Kerberos Logging
- Check the Security event log
- Check event logs
- Check domain replication
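An added example (not from the MS article or this post) of the "enable auditing, check the Security event log" steps in PowerShell: it reads account-lockout events (event ID 4740) from the PDC emulator, which records every lockout in the domain, and reports which computer the bad passwords came from, so you know where to start the checks below. It assumes the ActiveDirectory RSAT module, "Audit User Account Management" enabled on the domain controllers, and the account name jdoe as a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-LockoutSource {
    # Returns one object per 4740 "A user account was locked out" event for the
    # given account, read from the PDC emulator's Security log.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $data['TargetUserName']
                # In event 4740 the "Caller Computer Name" is carried in TargetDomainName
                SourceHost = $data['TargetDomainName']
                LockedOnDC = $_.MachineName
            }
        } |
        Where-Object { $_.User -eq $SamAccountName } |
        Sort-Object Time -Descending
}

# Usage: list accounts that are locked right now, then trace one of them.
# 'jdoe' is a placeholder account name.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
Get-LockoutSource -SamAccountName 'jdoe' | Format-Table -AutoSize
```

SourceHost is the computer to triage first: if it is a Terminal Server, a Exchange/OWA front end or a workstation the user no longer sits at, the matching item in the lists below is the likely cause.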
What may cause user lockouts in a domain:
- Service accounts
- Bad Password Threshold is set too low
- User logging on to multiple computers
- Stored user names and passwords retain redundant credentials
- Scheduled tasks
- Persistent drive mappings
- Active Directory replication
- Disconnected Terminal Server sessions
- Proxy authentication
- Android Phone
- Apple iPad or Android tablet
Check which programs the user is using. Programs may store user credentials even after the user has changed the password. Usually there is a username / password setting you can change. Examples are Mozilla Thunderbird and Apple iTunes.
Service accounts
If you are having problems with service accounts being locked out, note that a service account’s username and password are entered in each service’s configuration. Check all the servers for services running under the account with old credentials.
Bad password threshold set too low
The bad password threshold is a setting you can change. If you changed this setting to a number lower than the default, you may experience lockouts due to programs retrying wrong credentials. Try restoring the setting to the default value of 10.
Users are using multiple computers
When a user logs on to multiple computers, programs use and cache credentials. When the user changes a password, programs with cached credentials may still run. Check how many computers the user used when he or she experienced lockouts. Log him or her off all computers and check if the problem persists.
Stored user names and passwords retain redundant credentials
Network credentials are stored on the local computer. In some cases, wiping those credentials will solve your problem. To delete credentials stored on the local computer, go to Control Panel and click Manage my Network Passwords; check the credentials and make sure the correct passwords are used.
Scheduled tasks
If you changed the password for a user with an administrator role, you can experience lockouts because scheduled tasks are using the old credentials.
Persistent drive mappings
In some cases persistent drive mappings can cause domain lockouts. Every time the user restarts the computer and logs in, the persistent mappings try to log on with stale credentials. You can fix this problem by typing net use /persistent:no at the command prompt.
Active Directory replication
User settings replicate across domain controllers. In some cases domain replication may not be working. Check domain replication to ensure you don’t have any replication problems. While it’s not likely that lockouts are related to replication, you can check it if everything else seems OK.
Disconnected Terminal Server sessions
When a user is using Terminal Services and closes the application, their session is still active. Network mappings will use old credentials and will cause domain account lockouts. I have seen this happen many times, and it is one of the first things to check.
Proxy authentication
In some cases users have to use proxy authentication for the internet to work properly. If the credentials for the proxy are not updated, the probability that the domain lockout is caused by proxy authentication is quite high. Make sure that current credentials are entered. To test whether proxy authentication is causing the domain lockout, open a web browser and try to browse the internet. You will see (1) whether the internet works and (2) whether the user gets locked out after several tries.
Android phone
I didn’t think that Android phones could cause domain lockouts, but I have experienced several cases where a bad Android OWA implementation locks the user out. To fix the domain lockout, update the Android software to the latest version. To test if Android is the culprit, disable data for some time. If the account does not get locked, that means that Android has some issues and you should investigate the problem further.
Apple iPad
Yes, an iPad can also cause domain lockouts. When investigating a problem with lockouts, I always ask if the user owns a tablet connected to OWA. I had several cases where the user didn’t update credentials and caused a lockout with an iPad. The problem could be related to stale credentials, or the user forgot the domain password and locked out their account when they entered old credentials.
How to quickly fix domain lockout for end user
- Check if the user is a Terminal Services user
- Check if the user owns an iPad or Android tablet
- Check the user’s phone email application / credentials
- Check if the problem is browser related
- Check if the user uses multiple computers
- Review the applications the user uses; in some cases iTunes or a similar application can cause domain lockouts
- Check the email program
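The quick-fix checklist above, turned into a client-side triage script as an added example (not the post’s own code): run it on the affected user’s workstation or Terminal Server and it lists the places named in this post where stale credentials survive a password change (Credential Manager, persistent mappings, scheduled tasks, services, disconnected sessions). It assumes local administrator rights, Windows 8 / Server 2012 or later for the SmbShare and ScheduledTasks modules, and CONTOSO\jdoe as a placeholder account.

```powershell
function Find-StaleCredentialSources {
    param([Parameter(Mandatory)][string]$Account)   # DOMAIN\user or a bare user name
    $user = $Account.Split('\')[-1]                  # match on the bare user name

    # Out-Host renders each table immediately, so the headings stay in order
    Write-Host "== Stored user names and passwords (Credential Manager) =="
    cmdkey /list | Where-Object { $_ -match 'Target:|User:' } | Out-Host

    Write-Host "`n== Persistent drive mappings =="
    Get-SmbMapping | Select-Object LocalPath, RemotePath, Status |
        Format-Table -AutoSize | Out-Host

    Write-Host "`n== Scheduled tasks running as $user =="
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -like "*$user*" } |
        Select-Object TaskName, TaskPath, State | Format-Table -AutoSize | Out-Host

    Write-Host "`n== Services running as $user =="
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -like "*$user*" } |
        Select-Object Name, StartName, State | Format-Table -AutoSize | Out-Host

    Write-Host "`n== Disconnected Terminal Services sessions =="
    # 'Disc' is the STATE column quser prints for a disconnected session;
    # stderr is discarded because quser errors out when nobody is logged on
    quser 2>$null | Where-Object { $_ -match '\bDisc\b' } | Out-Host
}

Find-StaleCredentialSources -Account 'CONTOSO\jdoe'
```

Anything listed under the user’s name was saved with the old password and should be updated or removed before the account is unlocked again.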
This checklist will most likely help you find the problem.
If you still can’t find the problem, you can use the Netwrix Account Lockout Examiner to narrow down the issue.