There are few situations that can lead to a user account being locked out in an Active Directory environment. The following two situations are worth mentionning, because at first sight, it might have seemed like the user account was locked out “for no reason”.

In both situations, the corporate password policy is involved. The policy is as follow :

  • users must change their passwords at regular intervals
  • account gets locked out after the password being refused a specified number of times

Situation 1 : Forgotten PC with an open session and Outlook running

If you leave Outlook running on a PC you forgot somewhere hidden in your office, it will go on using the same credential for ever. Even after the policy forced you to change your password, it will go on using the old credentials and ultimately lock out your account…

Situation 2 : “remember password” box checked while accessing a network share

If you check the “remember password” box when you access a network share, it will use the same password for ever. Even after the policy forced you to change your password. And then, when you’ll want to access that share again, it will use the old credentials and lock out your account.

How does it go on ?

The fun with those 2 situations is this : when you suddenly can’t logon again, you call the IT Support. They will unlock your account, and then you can logon… till Outlook will use again your old credentials, or till you’ll access that share with your old password again. And then your account will get locked again !

Quite frustrating … ;-)

(By the way, you can clear the saved network share password following the instructions in “Windows : Clear saved windows networking passwords“)

February 27, 2007 at 9:26 pm by Stephane Kattoor
Category: Systems