Being told my admin account is locked out, when in fact it is not locked. ???

Michael Faklis 41 Reputation points
2022-04-11T22:46:57.783+00:00

Attempting to log on to the primary domain controller with my domain admin account, I get the error:
"The referenced account is currently locked out and may not be logged on to."

I can log on to the same server with another domain admin user. That same account has no problem logging on to other servers. When I check the account in active directory users and computers, it is NOT locked out. That same account has no problem logging on to other servers.

I am getting an event 4771 followed by a 4625.

That same account has no problem logging on to other servers. Other accounts have no problem on the PDC.

I am unable to determine the problem. As I stated, the account is NOT actually locked out.

PDC and SDC are Server 2019
Exchange 2013 is on Server 2012R2
All three servers are still being configured on a Windows 10 Pro host and will be migrated to a Hyper-V Server 2019 host after configuration and testing are completed.

Windows Server 2019

2 answers

  1. Dave Patrick 426.3K Reputation points MVP
    2022-04-11T23:19:17.14+00:00

    Console or remote logon? You could have a new one stood up very quickly which is what I'd suggest when unexplained issues happen on a domain controller. It really isn't worth spending time on.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Stepan Shchepin 1 Reputation point
    2022-04-14T09:29:33.987+00:00

    If you found events 4771 and 4625 in the security logs, it means that the account is being used on another machine in your network that tries to authorize through this domain controller; that's why you are able to log in to other servers on your network at nearly the same time. Try to find out the source of the requests in the security log, then check that machine for the following:

    Stale credentials for Windows Service accounts.

    Stale credentials used to run Scheduled tasks.

    Multiple Citrix XenApp or Remote Desktop Services sessions open when a user initiates a password change.

    Users logged into multiple computers when initiating a password change.

    Disconnected Citrix XenApp or Remote Desktop Services sessions that are not configured to timeout.

    Administrative Remote Desktop Connections to Windows servers left disconnected.

    Applications with their own credential stores that authenticate against Active Directory with stale credentials.

    Please click the below link to understand more about logon Failure which leads to Account lockout:

    https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx

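To act on the advice above (find the source of the requests in the security log), here is an added PowerShell example that is not from the thread; it assumes it is run elevated on the domain controller and that `$Account` is a placeholder for the affected sAMAccountName.

```powershell
# Added example, not from the thread: list 4771/4625 events for one account on this DC
# and group them by source, so the machine replaying stale credentials can be found.
# Assumptions: run elevated on the domain controller; $Account is a placeholder.
param(
    [string]$Account = 'ADMIN_ACCOUNT',   # placeholder, replace with the affected sAMAccountName
    [int]$Hours = 24
)

$filter = @{ LogName = 'Security'; Id = 4771, 4625; StartTime = (Get-Date).AddHours(-$Hours) }

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4771 names the user in TargetUserName and the client in IpAddress;
    # 4625 additionally carries WorkstationName, LogonType and a SubStatus code.
    if ($data['TargetUserName'] -ne $Account) { return }

    $src = ''
    if ($data['IpAddress']) { $src = $data['IpAddress'] -replace '^::ffff:', '' }

    [pscustomobject]@{
        Time        = $_.TimeCreated
        EventId     = $_.Id
        Source      = $src
        Workstation = $data['WorkstationName']
        LogonType   = $data['LogonType']
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']
        Process     = $data['ProcessName']
    }
}

# Codes that matter for a "locked out but not locked out" symptom:
# 4771 Status 0x18 = pre-auth failed (wrong password), 0x12 = KDC reports client revoked/locked.
# 4625 SubStatus 0xC000006A = wrong password, 0xC0000234 = account locked out.
$rows | Sort-Object Time | Format-Table -AutoSize

"`nFailures per source (the machine still holding stale credentials shows up here):"
$rows | Group-Object Source, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Once the source address or workstation is known, check it for the stale-credential causes listed in the answer (services, scheduled tasks, disconnected RDP sessions, applications with their own credential stores).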