account lockout grey'd out



in my AD under any user's properties under profile, the ability to lock or
unlock a user account is greyed out... i'm wondering what is causing this...
the only thing i can think of is recent microsoft patches...

i have no domain policy settings in place to make this change... anyone have
any ideas?




The account lockout is something you can only select if
the account has been locked out by excessive password
attempts. You can't select the account to be locked out.
The account lockout would be enabled after like 15
minutes anyway.

The Account disable is the one you can select to disable
an account in the box below the lockout.

Joe Richards [MVP]

Is the account locked out? If not, then you can't set it to locked. If it is
locked and it is greyed out, then you probably don't have the necessary access



yeah guys,

1. i know the difference between disabled and locked out...
2. i know the time restraints of the lockout, i just reset to 1 minute and
all is well
3. I want to be able to control, un-locking users... I"M THE ADMIN
4. i better have security rights, logged onto my op master as


the option is greyd out, yet the user, after incorrectly entering his
password, is getting the prompt that his account is locked out and contact
the sys admin.

thanks for the replies :)

Joe Richards [MVP]

Once the user is locked out, refresh the screen and see if the lockout checkbox
is checked and enabled.

As for permissions, don't assume anything, being logged on as a specific admin
account doesn't necessarily mean you currently have full rights over a user
object, you need to look at the actual acl.

A quick way to see if you have permissions would be to use my command line
unlock tool on the free win32 tools page of, if you don't have
permissions to do the unlock, it will tell you when you try.



Greyed out is default. If you have the reset time set to
1 minute then the box probably would have cleared itself
before you saw the checkbox filled.

The only time you will see this box checked and able to
be controlled (unchecked) is when the user is during
login password contention.

You should be a little bit nicer to the folks that tried
to help you out... QUOTE: "If not, then you can't set it
to locked. " sure makes it sound like you don't what the
box is for.




One last thing, if you want to be able to "control" the
user lockout then you need to bump that time way up.


i'm sorry for being ambigious...

in the ACL, i'm the admin... my account has full blown access.

i turned the time down to 1 minute (in order to unlock a locked account!!!!)

the user is telling me that their machine is saying the account is locked
out, contact the admin.

i go into AD, find the user, and their locked out account checkbox is grey'd
out. so i can do nothing as the admin to unlock the account... the only
thing i can do is set the lockout time interval to 1 minute in order to
unlock the user's account...

Joe Richards [MVP]

Ok once more... When it is greyed out, is the checkbox checked or not?

If it is checked and still greyed out, do a dsacls dump of the user object and
post it.


it is NOT checked, at least from what i can tell, yet it is locked out.

this is why i ran into issues, people would call telling me they were locked
out, but i would look in AD and they wouldn't be... so i'd go to their
office and sure enough, it's telling them they are locked...

Joe Richards [MVP]

So it sounds like the account isn't really locked or you are hitting a DC that
hasn't had the lock propogated to it yet. Determine what DC the users are
hitting and check that DC.



Wayne Tilton

Perhaps it is the computer account that is locked out, not the user
account? I ran into that recently when doing some AD computer object
cleanup and when we set a computer account to disabled, the user got a
somewhat ambigious message saying their account was disabled.


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question