Active Directory : User account repeatedly locked for no reason ?

There are few situations that can lead to a user account being locked out in an Active Directory environment. The following two situations are worth mentionning, because at first sight, it might have seemed like the user account was locked out “for no reason”.

In both situations, the corporate password policy is involved. The policy is as follow :

  • users must change their passwords at regular intervals
  • account gets locked out after the password being refused a specified number of times

Situation 1 : Forgotten PC with an open session and Outlook running

If you leave Outlook running on a PC you forgot somewhere hidden in your office, it will go on using the same credential for ever. Even after the policy forced you to change your password, it will go on using the old credentials and ultimately lock out your account…

Situation 2 : “remember password” box checked while accessing a network share

If you check the “remember password” box when you access a network share, it will use the same password for ever. Even after the policy forced you to change your password. And then, when you’ll want to access that share again, it will use the old credentials and lock out your account.

How does it go on ?

The fun with those 2 situations is this : when you suddenly can’t logon again, you call the IT Support. They will unlock your account, and then you can logon… till Outlook will use again your old credentials, or till you’ll access that share with your old password again. And then your account will get locked again !

Quite frustrating … ;-)

(By the way, you can clear the saved network share password following the instructions in “Windows : Clear saved windows networking passwords“)

16 thoughts on “Active Directory : User account repeatedly locked for no reason ?”

  1. Hi,
    We faced with the same problem half an year ago. One of our accounts gets locked out randomly. NetWrix Account Lockout Examiner help us troubleshoot the issue. This tool determines, why account is locked out and do most of the routine job for you.

  2. We have the same problem. We have >50.000 users in our domain, and many users have to call helpdesk every day to get their accounts unlocked. Their accounts gets locked both when they are on the LAN and via VPN, and also when they are using Outlook Anywhere.

    There has to be more reasons than the two you mention here?

  3. Hello Peter,

    I guess any tool/software which :
    1) Authenticate a user against the Active Directory
    2) Can remember the password
    3) Cannot detect a password change

    puts you at risk … I guess with a user base which is +50K it must be pretty annoying !!

    Hope you’ll find the culprit, and let us know if you do !

    Stéphane

  4. It happened in our domain quite often mostly for “Situation 2″ mentioned above. One annoying thing was that “the reason for the locked account” and “from which host it came from” was not always present in the logs. Normally we have a report when an account gets locked out.

  5. Dear Robert,

    Go to Administrative tools–>AD user and computer

    Then select the that particular user(Locked user account).

    Go to that user Properties.

    In the Account tab, un-check the password never expires option.

    Thats all…..

    Cheers,
    Karthick

  6. I have used Godtube for long time. Now it will put up a message “UserFeedback_AccountLocked” could you please tell me what is wrong. How do I get it to work correctly. I thank you for your help. My sign in name has been purpleecho

    Phyllis Woolery

  7. Outlook Outlook… Our image loads are so bulky users hate rebooting at night so when they come in in the morning it does not take 10 minutes to boot. Well, this user changed his password and kept having a lockout. Come to find out he never closed Outlook.

    Awesome article, thanks for info!!

  8. A lot of times you can check the Security log on the Domain Controller, looking for the Audit Failure and when you find the one with the user (or the users computer in some cases) it will usually show where the authentication originated from. So you can see if it was from the local machine, a terminal server, Citrix, etc.

  9. I recently experienced this issue when users connect through VPN, their account becomes locked, but only for users who:

    – Have a VPN username that is the same as their domain username (minus the ‘domain\’ prefix, ofcourse)

    AND

    – Use a domain-joined computer to connect with VPN

    Users who are not using a domain computer OR have a different VPN username than their domain username do not experience this.

    I too (as many here before me) sense a link between the use of Outlook while on VPN.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>