Ad2003 - locked-out accounts are not unlocking automatically

Discussion in 'Active Directory' started by Radovan Vojtek, Apr 8, 2008.

  1. Hi all,

    I've set my domain as follows:

    Account lockout duration: 60 minutes
    Account lockout threshold: 10 invalid logon attempts
    Reset account lockout counter after: 60 minutes

    However, accounts that got locked-out are not automatically unlocked after
    60min. In ADUC the checkob for unlock user is greyed but I can list tha
    account with the following LDAP query:


    The only way to unlock that account is user the VBS script with this command:

    objUser.IsAccountLocked = FALSE

    Is there any way to find out what's wrong with the domain?

    Radovan Vojtek, Apr 8, 2008
    1. Advertisements

  2. Radovan Vojtek

    Al Mulnick Guest

    Why is the check greyed? Are you not an admin?
    What is the scope of the problem exactly? Is it everyone gets the same
    results or just a few users?
    What do you see in the event logs of the domain controllers (seems like
    something you should have checked by now, but want to be sure we're covering
    the bases)?
    What I think you want to look for the most is that the policy is being
    applied to the domain controllers as expected and without issue.
    Al Mulnick, Apr 8, 2008
    1. Advertisements

  3. As I recall, when an account is locked out, the lockoutTime attribute is set
    to the Integer8 value corresponding to the date and time. When the domain
    lockout duration expires, nothing happens to the user object. The
    lockoutTime attribute stays the same until the user logs on, at which time
    the value of lockoutTime is set to 0 (zero). If the value of lockoutTime is
    not set, the account has never been locked out. If the value is 0, the
    account is locked out. For any other value you must compare to the domain
    lockoutDuration to see if it has expired to tell if the account is still
    locked out.

    Your LDAP query does not make sense to me. The lockoutTime attribute is not
    a flag value like userAccountControl where you can test bits of the integer
    for settings. Instead it is an Integer8 (64-bit) value representing a date

    Are you saying the users cannot logon when 60 minutes have passed since
    their account was locked out? My guess is that the account is not locked
    out, but the user has not yet attempted to logon.

    There is no simple query that will determine if an account is locked out.
    You must retrieve all accounts with lockoutTime greater than zero, then add
    the domain lockoutDuration to the value, convert to a date/time in the
    current time zone, and check if the result is in the past or future.
    Richard Mueller [MVP], Apr 8, 2008
  4. Actually, an LDAP query can be devised to find all users currently locked
    out, but some calculation is required to determine the critical value of the
    lockoutTime attribute. Following is a VBScript program to retrieve the DN of
    all users currently locked out:
    Richard Mueller [MVP], Apr 8, 2008
  5. Hello Richard,

    thanks for your reply and for explaining the unlocking mechanism.

    My LDAP query should show all locked-out accounts in the domain, actually I
    do not remember the original source of this query.

    The behaviour in my domain the following:

    When I lock the test account, after 60 minutes:
    - it seems as locked out (via that LDAP query), however the "Account is
    locked out" is unchecked and greyed.
    - this account cannot be authenticated via LDAP, hoever it can be used for
    interactive logon on domain PCs.

    Is this behaviour by design? Is there any other way to unlock the account
    except the interactive logon? My goal is to ensure the LDAP authentication
    availability for that acocunt after 60minutes.

    Radovan Vojtek, Apr 9, 2008
  6. Radovan Vojtek

    Al Mulnick Guest

    What are you doing to "lock" the account?

    The account is "unlocked" then if you can use it for authentication. Not
    being able to use it for bind can be different.
    Are these DC's in the same AD site?
    What happens if you try to bind to the PDCe during this time?
    The account is not locked out, according to your statement below, but what
    happens if you wait an additional replication cycle? Same results?

    Al Mulnick, Apr 11, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.