We have active directory password policy auto-UNLOCK configured but some users are locked for days

Justin T Vaughn 41 Reputation points
2020-09-11T15:56:38.237+00:00

Hello Experts, as the title mentions, we have an Active Directory password policy for all users that auto-UNLOCKS the user account after half an hour. It's working for 99% of users; however, a small handful of users who have this policy have been locked for days, sometimes weeks. Is there some reason, some scenario where they will not be unlocked, or do we have some weird issue going on?


4 answers

  1. Justin T Vaughn 41 Reputation points
    2020-09-11T16:10:00.657+00:00

    Apparently some of the complaints are coming from users failing LDAP authentication. Are those perhaps not unlocked automatically?


  2. DonPick 1,266 Reputation points
    2020-09-11T23:46:02.907+00:00

    Have you checked the event logs to see if those user accounts are subject to continuing consecutive failed logon attempts?
    The auto-unlock timer is reset if the failed attempts continue, and the unlock will never occur...


  3. Thameur-BOURBITA 36,261 Reputation points Moderator
    2020-09-13T21:40:03.237+00:00

    Hi,

    To find the source IP of the lockout, you have to enable the setting "Audit account logon" through a GPO on all member machines and domain controllers.

    You can refer to the following link if you want to automatically generate an event for each account lockout:

    how-to-trace-and-diagnose-account-lockout-in-ad.html

    Please don't forget to mark this reply as the answer if it helps you to fix your issue.


  4. Anonymous
    2020-09-14T01:01:39.297+00:00

    To narrow down the issue, we first need to find out what caused the lockout.

    Usually, for troubleshooting an account lockout issue, we should follow the general troubleshooting steps below. For your reference:

    First of all, look for event 4740 on the domain controllers; the source computer can be found through this event (check each domain controller for this event). If it is not there, you need to enable the account management audit policy for the domain controllers, in [Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Audit Policy \ Audit account management].

    Then, find the 4625 event on the source client computer and check the process used by the locked account. If there is no 4625 event on the source computer, you need to enable the following audit events:

    Best Regards,

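The two-step procedure above (4740 on the domain controllers, then 4625 on the source computer) as an added PowerShell example; this is not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module, "Audit account management" already enabled on the domain controllers, and rights to read the Security log remotely; the `Get-FailedLogonProcess` function name is my own.

```powershell
# Added example: collect 4740 lockout events from every DC and show which source computer
# keeps re-locking each account. Assumes RSAT ActiveDirectory module and remote Security log rights.
param([int]$Days = 14, [string[]]$Users)

Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$Days)
$dcs   = (Get-ADDomainController -Filter *).HostName

$lockouts = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction Stop
    } catch { continue }   # Get-WinEvent errors when a DC has no matching events
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc
            User   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Source = ($data | Where-Object Name -eq 'TargetDomainName').'#text'  # caller computer name in 4740
        }
    }
}

if ($Users) { $lockouts = $lockouts | Where-Object { $Users -contains $_.User } }

# Repeated lockouts from one source inside the window point at the credential that keeps
# failing (and, as the earlier answer notes, keeps resetting the auto-unlock timer).
$lockouts | Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object Count, @{n='User';e={$_.Group[0].User}}, @{n='Source';e={$_.Group[0].Source}},
                  @{n='LastSeen';e={($_.Group | Sort-Object Time)[-1].Time}} | Format-Table -AutoSize

# Second step: on the source computer, 4625 records which process submitted the bad logon.
function Get-FailedLogonProcess {
    param([string]$ComputerName, [string]$User, [datetime]$Since)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Process   = ($d | Where-Object Name -eq 'ProcessName').'#text'
            LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
            SubStatus = ($d | Where-Object Name -eq 'SubStatus').'#text'   # 0xC000006A = bad password
        }
    } | Where-Object User -eq $User
}
```

Run `Get-FailedLogonProcess -ComputerName <Source from the table> -User <account> -Since $since` for each top row; if it returns nothing, the source computer still needs logon failure auditing enabled, as the answer says.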
