10 Replies

  • Something is using those old cached credentials, it may be the net use command, a task/service, a device that syncs email with the old password. There's lots of ways that an account can get locked out.

    Open PowerShell on a DC and run this command.


    Post a sanitized version of the output.

  • What changes have you made for min password and lockout policy - I mean before and after? I believe you obviously had those two settings with different values earlier as well, and the batch file for mapping the network drive is also not new in your environment, so technically this mechanism was working without any issue unless you introduced new settings in the environment, so I'm not seeing the issue with the batch file, as it might be using the user's credential but not hard coded. The chances are something is related to DC replication, but it's very rare as the PDC would have been updated immediately by the DC on which the user's password has been changed. By the way, how does the user change the password (vpn/sspr/myaccount in azure/etc.)? Also, if you get the result for fgpp for one of the users: Get-ADFineGrainedPasswordPolicy -Filter "name -like '*username*'"

  • Here is another strange piece of information. Whenever I log into a different device my domain account is locked.

    I went to login to my laptop (plugged into Ethernet on our domain) and it said my account was locked. My other tech unlocked it for me and I logged in fine.

    I came back to my desktop in the office and tried to login and it locked my account again.
    If I try logging into an Oracle virtual machine then it will lock my account?

    There is something about the enforce lockout policy it doesn't like because if we disable that it doesn't do it. Again this is on a fine-grained policy.

  • How about creating a test user that doesn't have the batch file or any special settings and applying the policy to it and seeing if you get the same results?

  • yup, I am going to continue testing with a test user and remove the batch file from my profile and go from there. 

  • Strange, if I login to a different machine I get locked out. If I unlock my account and log back into that same machine I am not locked out. As soon as I try a different machine then I am locked out again. It is almost like the account lockout policy is using the MAC or network address to cache the password or apply the policy? I am going to do more testing and try releasing / renewing the IP of a test PC to see if it will lock me out. 

  • It doesn't seem like entering the password incorrectly causes this. You might need to try checking out what causes the account to be locked out. I use ManageEngine ADAudit Plus. Worth a try.

  • I used a combination of ManageEngine ADAudit Plus and Netwrix Account Lockout Examiner to find the cause on my PC. I had an admin task running under my account in SCCM and a couple of scheduled tasks running on a server. I switched them all to admin service accounts and everything seems to be OK now. Those two apps are really helpful in tracking down lockouts and other issues.

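    The same hunt the poster above did with third-party tools, and the PSO check suggested earlier in the thread, can be done with built-in cmdlets. This is an added example, not code from any poster here; it assumes the ActiveDirectory module, permission to read the Security log on the PDC emulator, and English-language event text for the regex.

```powershell
# Added example: find which computer is sending the stale credentials that lock
# an account, and show which fine-grained password policy (PSO) really applies.
# Assumptions: ActiveDirectory module is available, the caller can read the
# Security log on the PDC emulator, and event messages are in English.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$Hours = 24
)
Import-Module ActiveDirectory

# Every lockout is forwarded to the PDC emulator, so one DC holds all 4740 events.
$pdc = (Get-ADDomain).PDCEmulator

# Resultant policy: tells you whether a PSO or the Default Domain Policy wins for this user.
$policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if ($policy) {
    "Effective PSO for ${SamAccountName}: $($policy.Name) (lockout threshold $($policy.LockoutThreshold), window $($policy.LockoutObservationWindow))"
} else {
    "No PSO applies to $SamAccountName; the Default Domain Policy is in effect."
}

# Event 4740 = 'A user account was locked out'. Its message names the caller
# computer, i.e. the machine that submitted the bad password (mapped drive,
# scheduled task, phone syncing mail, etc.).
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($SamAccountName))\b" } |
    ForEach-Object {
        $caller = if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = $SamAccountName
            CallerComputer = $caller   # where to look for the cached credential
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

    Once the caller computer is known, the 4625 (logon failure) events on that machine narrow it down to the process or service still holding the old password.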
  • IAJack wrote:

    We recently enabled a fine grained password policy to enforce longer min. passwords and enforce account lockout policy. We have some users network drives mapped with a default batch file in their AD user account (odd I know, it is a legacy network). The new policy does not force a password change. When some users change their password it locks them out and we need to go into AD and re-enable it.

    We are trying to figure out why that is happening and if it is the drive mapping batch causing it or something else going on. I am unsure, but once they change their password to the new min length and their account is re-enabled then there are no reoccurring issues?

    Generally on lockouts - I recommend you to follow Account Lockout Troubleshooting Reference Guide (you can find it here on SpiceWorks as well).
    And indeed, Netwrix Account Lockout Examiner can help you to pinpoint problematic lockouts.

  • It looks like most of the lockouts are coming from previously mapped network drives that were mapped manually. Users change their password after the drives were mapped and after the lockout policy, and it throws a fit.
