Active Directory : User account repeatedly locked for no reason ?

February 27th, 2007 by Stephane Kattoor

There are a few situations that can lead to a user account being locked out in an Active Directory environment. The following two are worth mentioning because, at first sight, the account seems to have been locked out “for no reason”.

In both situations, the corporate password policy is involved. The policy is as follows:

  • users must change their password at regular intervals (the “maximum password age” setting)
  • an account is locked out after a specified number of consecutive failed password attempts (the “account lockout threshold” setting)

Situation 1 : Forgotten PC with an open session and Outlook running

If you leave Outlook running on a PC you forgot somewhere in a hidden corner of your office, it keeps using the credentials it was started with. Even after the policy has forced you to change your password, it keeps presenting the old password to the domain. Each refused attempt counts against the lockout threshold, and the account ends up locked out…

Situation 2 : “remember password” box checked while accessing a network share

If you tick the “remember password” box when you connect to a network share, Windows stores that password and reuses it for every later connection to the share, even after the policy has forced you to change your password. The next time you access that share, Windows presents the stored, now stale password; enough refused attempts and your account is locked out.

What happens next?

The fun part of these two situations is this: when you suddenly can’t log on any more, you call IT Support. They unlock your account, and you can log on again… until Outlook presents your old credentials again, or until you access that share with the stored old password again. Then your account is locked out once more! Unlocking the account only treats the symptom; the lockouts stop once the machine holding the stale credential has been found and the credential removed (or the forgotten session logged off).

Quite frustrating … ;-)

(By the way, you can clear the saved network share password by following the instructions in “Windows : Clear saved windows networking passwords”.)
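The cycle described above is broken only by finding the machine that keeps presenting the stale password. The following PowerShell script is an added example and is not part of the original post: it asks every domain controller for the user’s bad-password counters (these attributes are not replicated, so each DC only knows about the failures it saw itself), then pulls lockout events (ID 4740) from the PDC emulator, to which every lockout is forwarded, and tallies the “Caller Computer Name” recorded for the account. It assumes domain controllers running Windows Server 2008 or later (on the Windows Server 2003 DCs of the post’s era the equivalent event ID is 644), the RSAT ActiveDirectory module, and rights to read the DCs’ Security logs; $User and $HoursBack are the script’s own parameters.

```powershell
# Added example, not code from the original post. Finds the machine that keeps
# presenting a stale password for a user and thereby locking the account.
# Assumptions: DCs running Windows Server 2008 or later (lockout event ID 4740),
# the RSAT ActiveDirectory module installed, and read access to the DCs'
# Security logs. $User and $HoursBack are this script's own parameters.
param(
    [Parameter(Mandatory = $true)][string]$User,
    [int]$HoursBack = 24
)
Import-Module ActiveDirectory

# Step 1: which DC actually saw the bad passwords? badPwdCount and
# badPasswordTime are not replicated, so every DC has to be asked directly.
function Get-BadPasswordSources {
    param([string]$SamAccountName)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties badPwdCount, badPasswordTime, LockedOut
        $lastBad = $null
        if ($u.badPasswordTime) {
            # badPasswordTime is a Windows FILETIME (100 ns ticks since 1601)
            $lastBad = [DateTime]::FromFileTime($u.badPasswordTime)
        }
        [pscustomobject]@{
            DC              = $dc.HostName
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = $lastBad
            LockedOut       = $u.LockedOut
        }
    }
}

# Step 2: every lockout is forwarded to the PDC emulator, which logs event 4740.
# In a 4740 event, Properties[0] (TargetUserName) is the locked-out account and
# Properties[1] (TargetDomainName) is the machine that presented the bad
# password, shown as "Caller Computer Name" in the rendered message.
function Get-LockoutCallers {
    param([string]$SamAccountName, [int]$Hours)
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Properties[0].Value -ne $SamAccountName) { continue }
        $caller = $e.Properties[1].Value
        if (-not $caller) { $caller = '<empty>' }   # some logon paths leave it blank
        [pscustomobject]@{ Time = $e.TimeCreated; Caller = $caller }
    }
}

Write-Host "Bad-password counters per DC for $User (most recent LastBadPassword = DC to inspect):"
Get-BadPasswordSources -SamAccountName $User |
    Sort-Object LastBadPassword -Descending | Format-Table -AutoSize

Write-Host "Machines that triggered lockouts of $User in the last $HoursBack hour(s):"
Get-LockoutCallers -SamAccountName $User -Hours $HoursBack |
    Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The machine at the top of the second table is the one to visit: in situation 1 it is the forgotten PC (close Outlook or log the session off), in situation 2 it is the PC holding the saved share credential, which `cmdkey /list` shows and `cmdkey /delete:<target>` removes. When the caller name is empty, take the DC with the most recent LastBadPassword from the first table and search its Security log for events 4771 (Kerberos pre-authentication failed, failure code 0x18 for a bad password, with a Client Address) or 4776 (NTLM validation, with a Source Workstation) for the same account; those name the originating host even when 4740 does not.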



8 Responses to “Active Directory : User account repeatedly locked for no reason ?”

  1. Dan Brown Says:

    Hi,
    We were faced with the same problem half a year ago. One of our accounts got locked out randomly. NetWrix Account Lockout Examiner helped us troubleshoot the issue. This tool determines why an account is locked out and does most of the routine job for you.

  2. Stéphane Kattoor Says:

    Hey Dan,

    Thanks for your input … seems to be a good tool, I wish there were a free equivalent though!

    Stéphane

  3. Peter Fisk Says:

    We have the same problem. We have >50,000 users in our domain, and many users have to call the helpdesk every day to get their accounts unlocked. Their accounts get locked both when they are on the LAN and via VPN, and also when they are using Outlook Anywhere.

    There have to be more reasons than the two you mention here?

  4. Stéphane Kattoor Says:

    Hello Peter,

    I guess any tool/software which:
    1) authenticates a user against Active Directory
    2) can remember the password
    3) cannot detect a password change

    puts you at risk … I guess with a user base of 50K+ it must be pretty annoying!!

    Hope you’ll find the culprit, and let us know if you do !

    Stéphane

  5. Robert B. Says:

    It happened in our domain quite often, mostly for “Situation 2” mentioned above. One annoying thing was that “the reason for the locked account” and “which host it came from” were not always present in the logs. Normally we have a report when an account gets locked out.

  6. Guillaume Says:

    Hi,

    Peter, have you solved your problem?

  7. Erik Says:

    It can be a trojan within the network that is probing accounts/passwords. Find the domain server that first locks the account, then look into that server’s security log. It probably holds the IP address that initiates the probing. That PC most likely has a trojan/virus on board.

    Software that may help can be found here:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

  8. Stéphane Kattoor Says:

    Erik, thanks for your comment! Very interesting set of tools, indeed.

    Stéphane
