Have you ever been in a situation where an AD account keeps locking out and you don't know how to solve it? The symptom is that you try to log in to a domain computer and immediately get an error on the screen saying that the domain policy has locked your account. This may sound complicated, but rest assured and dig into this post to get the answer.
Why An AD Account Keeps Getting Locked Out
The lockout problem usually begins after a user has changed their password. You recognize it as soon as the following error appears on the screen: "The referenced account is currently locked out and may not be logged on to."
An Active Directory user account that keeps locking out is most often caused by one of the following:
- Typing errors: the user mistypes the password or forgets that it was recently changed.
- A stale RDS session: this often occurs when the user closes or disconnects a remote session without logging off. You can avoid this by enforcing log-off of disconnected sessions in domain policy.
- Windows services running with a saved user password. Creating a separate service account (with a non-expiring password) is much better than using a user's own account to run services on domain servers.
- Saved passwords in Task Scheduler jobs. Scheduled tasks are frequently run under user accounts; running them under a dedicated service account is the better practice.
- Smart devices with stored user passwords: check the email client settings on mobile phones for saved AD credentials (ActiveSync, Outlook, etc.). If Wi-Fi authentication is tied to Active Directory through RADIUS, a saved password for that Wi-Fi connection can also cause lockouts.
- Passwords saved in Windows Credential Manager (WCM).
How To Solve The Problem That An AD Account Keeps Locking Out?
However, in some situations accounts are locked for no obvious reason. Many users report that they did nothing wrong and never entered an incorrect password, yet their accounts were still locked. The administrator unlocks the account at the user's request, but the lockout recurs after a while.
Necessary Tools For You To Track Lockout Events
Before going deeper into how to deal with an AD account that keeps locking, you need a few tools that help a lot during troubleshooting.
- LockoutStatus.exe
The handy LockoutStatus.exe utility checks the lockout status of an account on all domain controllers and shows which one originated the lockout.
- ALTools.exe
Download the Microsoft Account Lockout and Management Tools package (ALTools.exe) and extract it; it contains LockoutStatus.exe. Run LockoutStatus.exe, select File > Select Target from the menu bar, and type in the username.
- PowerShell
You can also use PowerShell to locate the lockout source by querying the domain controller that holds the PDC emulator FSMO role, which records every lockout in the domain.
Looking Up The Current Account State
ALTools.exe is a self-extracting package: double-click it and it extracts the tools (including LockoutStatus.exe) to a folder of your choice. They are stand-alone utilities that do not require any installation.
Then follow these steps:
- Select File
- Select Target
- Type the username and domain of the target user to look up.
- You'll get a list of domain controllers along with the User State, which shows whether the account is locked.
Five main columns provide the necessary information:
- Bad Pwd Count shows how many wrong passwords have been recorded for the account on that DC; it does not keep counting past the account lockout threshold. If the domain policy allows 5 wrong passwords before lockout, Bad Pwd Count will not exceed 5.
- Last Bad Pwd shows the date and time of the last failed attempt. It does not update after the account has been locked out.
- Pwd Last Set is self-explanatory.
- Lockout Time matches Last Bad Pwd if the account has already been locked out.
- Orig Lock tells you which domain controller originally locked the account. All domain controllers replicate the lockout status, but this column shows the first DC that processed the failed log-on attempts.
In the example, Orig Lock points to the third DC in the list. The Bad Pwd Count appears twice because, after the third DC processes the failed log-on, it also forwards the bad password to the PDC emulator, which records it as well.
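The same per-DC view that LockoutStatus.exe shows can be produced with PowerShell. This is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed and uses the placeholder username 'jdoe'. The badPwdCount, badPasswordTime and lockoutTime attributes are not replicated between DCs, so each DC is queried directly.

```powershell
# Added example: query lockout-related attributes of one user on every DC.
Import-Module ActiveDirectory

function Get-UserLockoutState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # These attributes are DC-local (not replicated), so ask every DC.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties badPwdCount, badPasswordTime, pwdLastSet, lockoutTime, LockedOut
            # Large-integer attributes are FILETIME values; 0 means "never".
            $toDate = { param($ft) if ($ft) { [DateTime]::FromFileTime($ft) } else { $null } }
            [pscustomobject]@{
                DC          = $dc.HostName
                Locked      = $u.LockedOut
                BadPwdCount = $u.badPwdCount
                LastBadPwd  = & $toDate $u.badPasswordTime
                PwdLastSet  = & $toDate $u.pwdLastSet
                LockoutTime = & $toDate $u.lockoutTime   # earliest value = originating DC
            }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }
}

# Usage: 'jdoe' is a placeholder account name.
Get-UserLockoutState -SamAccountName 'jdoe' |
    Sort-Object LastBadPwd -Descending | Format-Table -AutoSize
```

The DC with the earliest non-empty LockoutTime corresponds to the Orig Lock column of LockoutStatus.exe.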
Unlocking The Account
Now you can unlock the user account directly from this tool: pick a DC, right-click the user, and choose 'Unlock Account' from the context menu.
The change replicates automatically to all DCs in the domain, and the user can log on to domain computers again. The 'Reset User's Password' menu item also lets you reset the user's password.
Finding Out Which Device Caused Your Account To Be Locked Out
This is where EventCombMT.exe comes in. Note that the tool cannot read the Security logs on the domain controllers unless you run it as a suitably privileged user (or domain admin).
- Fill in the domain name in the domain box and choose Get DCs in Domain from the drop-down menu.
- Click Built in Searches –> Account Lockouts from the Searches menu.
- By default, the event IDs are filled in for older Windows versions. Enter Event ID 4740, which is the account lockout event on Server 2008 R2 and later.
- Now go to Options –> Set Date Range to choose a date range.
- Next, press Search in the tool's window.
- When the search completes, an Explorer window opens with the log files (in the Temp folder by default, which you can change under Options –> Set Output Directory). These log files are much easier to read than the raw event log.
The Security ID field holds the user's SID, the long security identifier of the account in the domain.
The Account Name field is self-explanatory and refers to the user's Active Directory account name.
The interesting bit is the Caller Computer Name, which tells us which device locked out the account. In this case it's a computer named DESKTOP-PC-123, which can now be examined.
You may also come across unusual caller computer names, such as the Exchange CAS server. This indicates that a user's phone, laptop, tablet or similar device has stored incorrect credentials. The IIS logs on the Exchange server can then be checked to narrow it down further.
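The EventCombMT search above can also be done from PowerShell, which ties the PDC emulator lookup mentioned earlier to the 4740 fields just described. This is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module, read access to the PDC emulator's Security log, and uses 'jdoe' as a placeholder username.

```powershell
# Added example: read 4740 (account lockout) events from the PDC emulator and
# extract the caller computer name, i.e. the device that caused the lockout.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    # Every lockout in the domain is recorded on the PDC emulator.
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                AccountName    = $data['TargetUserName']
                SecurityId     = $data['TargetSid']
                # In event 4740 the TargetDomainName field carries the
                # "Caller Computer Name" shown in the rendered message.
                CallerComputer = $data['TargetDomainName']
                LockingDC      = $_.MachineName
            }
        } |
        Where-Object { $_.AccountName -eq $SamAccountName }
}

# Usage: 'jdoe' is a placeholder; look back 48 hours.
Get-LockoutSource -SamAccountName 'jdoe' -Hours 48 | Format-Table -AutoSize

# Once the offending device has been fixed, the account can be unlocked with:
# Unlock-ADAccount -Identity 'jdoe'
```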
Final Thought
It was simpler than you expected, right? We hope this article helps you fix an AD account that keeps locking out, so that from now on you do not need to worry about it. If you run into any problems, don't hesitate to leave a comment below!