7,023 questions
Apparently some of the complaints are coming from users failing LDAP authentication, are those not auto unlocked automatically perhaps ?
We have active directory password policy auto-UNLOCK configured but some users are locked for days
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 90%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
Justin T Vaughn
41
Reputation points
Hello Experts, as the title mentions, We have an Active Directory password policy for all users that auto-UNLOCKS the user account after a half an hour. It's working for 99% of users, However a small handful of users have been locked for days, sometimes weeks who have this policy. Is there some reason, some scenario where they will not be unlocked or do we have some weird issue going on?
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Client for IT Pros | User experience | Other
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2020-09-16T05:58:38.65+00:00 Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
Best Regards,
Sign in to comment
4 answers
Sort by: Most helpful
-
-
DonPick 1,266 Reputation points2020-09-11T23:46:02.907+00:00 have you checked event logs to see if those user accounts are subject to continuing consecutive failed logon attempts?
the auto-unlock timer will be reset if the failed attempts continue, and unlock will never occur... -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Thameur-BOURBITA 36,261 Reputation points Moderator2020-09-13T21:40:03.237+00:00 Hi,
To know the source IP of lockout ,you have to enable the setting: Audit account logon through a GPO on all members machines and domain controllers.
You can refer to the following link if you want generate automatically a event for each account lockout:
how-to-trace-and-diagnose-account-lockout-in-ad.html
Please don't forget to mark this reply as answer if it help you to fixe your issue
-
Anonymous
2020-09-14T01:01:39.297+00:00 To narrow down the issue , we may need to find out what caused the lockout firstly.
Usually, for troubleshooting account lockout issue, we should follow the general troubleshooting steps below. For your reference :
First of all,looking for event 4740 on the domain controller is , and the computer source can be found through this event (each domain controller needs to confirm whether there is this event ); if not, need to enable the account management audit policy for the domain controller. , In [Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Audit Policy \ Audit account management]
Then, find the 4625 event on the client computer source and check the process of the locked account. If there is no 4625 event on the computer source, you need to enable the following audit events if the events:
Best Regards,