AD account lock

ET

Hi,

Some of our users are having problems when changing passwords. We have set a
group policy to have users change their passwords from time to time.
However, some users, when changing passwords, have their accounts locked.
After the account is unlocked they can use the new password to log in. This
happens for users on Windows 2000 as well as XP.

Would any of you have an idea of what the problem is?

Thx in advance.
 
Herb Martin

ET said:
Hi,

Some of our users are having problems when changing passwords. We have set a
group policy to have users change their passwords from time to time.
However, some users, when changing passwords, have their accounts locked.
After the account is unlocked they can use the new password to log in. This
happens for users on Windows 2000 as well as XP.

Would any of you have an idea of what the problem is?

What are the precise circumstances?

Are these Terminal Service users by any chance?
 
ET

For example, a particular user logs in using the existing password. After
entering the password, a prompt says that the password has expired and must
be changed to a new one. After the new password is entered, the logon process
continues and completes with the desktop now loaded. Then the user clicks on
MS Outlook to check for email and it prompts with a window asking for the
user's username, password and domain. Providing all this information does not
allow the user to go into his / her mailbox.

Then, when checking in AD Users and Computers, we found that the user's
account is locked. After unlocking it, the user can access his / her mailbox
and subsequently log on to the computer with the new password.

Is there some problem with the logon procedure? Or a setting in the AD?
 
Herb Martin

ET said:
For example, a particular user logs in using the existing password. After
entering the password, a prompt says that the password has expired and must
be changed to a new one. After the new password is entered, the logon process
continues and completes with the desktop now loaded. Then the user clicks on
MS Outlook to check for email and it prompts with a window asking for the
user's username, password and domain. Providing all this information does not
allow the user to go into his / her mailbox.

Then, when checking in AD Users and Computers, we found that the user's
account is locked. After unlocking it, the user can access his / her mailbox
and subsequently log on to the computer with the new password.

Is there some problem with the logon procedure? Or a setting in the AD?

It sounds like a discrepancy between the current
user password and the one being presented for service
authentication (e.g., email).

Suggest that users logoff and back on after changing the
password and see if that helps.

1) Attempt to logon
2) Prompt to change password
3) Change and logon
4) Immediately LOGOFF
5) Logon again with the new password.

Now all of the session is with the new password.

ANOTHER Possibility:

You have multiple DCs that are not replicating (quickly).

Check each of these with DCDiag, sending the output to a file,
and search the text file output for FAIL, WARN, ERROR.
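The DCDiag check suggested in the post above, as an added example that is not part of the original thread: a small scanner that reads saved DCDiag text output and groups every line containing FAIL, WARN or ERROR under the server and test it belongs to. The sample output, the server names DC1 and DC2, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout dcdiag prints; names and EventIDs are placeholders.
SAMPLE = """\
Testing server: Default-First-Site-Name\\DC1
   Starting test: Connectivity
      ......................... DC1 passed test Connectivity
   Starting test: Replications
      [Replications Check,DC1] A recent replication attempt failed:
         From DC2 to DC1
      ......................... DC1 failed test Replications
   Starting test: SystemLog
      An Error Event occurred.  EventID: 0x00000000
      A Warning Event occurred.  EventID: 0x00000000
      ......................... DC1 failed test SystemLog
   Starting test: NetLogons
      ......................... DC1 passed test NetLogons
"""

KEYWORDS = re.compile(r"fail|warn|error", re.IGNORECASE)
SERVER = re.compile(r"^\s*Testing server:\s*(\S+)")
START = re.compile(r"^\s*Starting test:\s*(\S+)")

def scan_dcdiag(text):
    """Return {(server, test): [lines]} for lines containing FAIL, WARN or ERROR."""
    findings, server, test = {}, None, None
    for line in text.splitlines():
        m = SERVER.match(line)
        if m:
            # Keep only the host part of "Site\\Server"; a new server resets the test.
            server, test = m.group(1).split("\\")[-1], None
            continue
        m = START.match(line)
        if m:
            test = m.group(1)
            continue
        if KEYWORDS.search(line):
            findings.setdefault((server, test), []).append(line.strip())
    return findings

def failed_tests(text):
    """Names of tests whose summary line reports 'failed test'."""
    return sorted(t for (_, t), ls in scan_dcdiag(text).items()
                  if any("failed test" in l for l in ls))

if __name__ == "__main__":
    for (srv, tst), lines in scan_dcdiag(SAMPLE).items():
        print(f"{srv} / {tst}: {len(lines)} line(s) to review")
```

Run it against one saved output file per DC so that a replication failure on any one of them is not missed.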
 
HelpPls

Do they have Mapped Drives or open shares [sessions]?

Do a net use and delete disconnected sessions...I've actually found this an
issue in our domain.
 
Mark Renoden [MSFT]

Hi

How many bad password attempts do you allow? Check out the following for
recommendations:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

What version of Outlook are you using? I have some vague memory of OL2000
being a little persistent when it failed to authenticate. I think this was
changed in OL2000 SP3.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
ET

Thanks Herb.

I will check that with users.

Currently we are working on only a single DC. But we will get another one up
shortly.
 
ET

We are allowing 3 attempts before the account is locked.
Thanks for your advice. ^^

 
Herb Martin

I think the set of tools Mark recommends will constitute
a big help.



--
Herb Martin


 
