CRM Service Account Locked Out issues


In many deployments, either a single custom service account runs all CRM Services or a different dedicated service account is used for each CRM Service. If a service account is locked out due to some issue, the CRM Services will be in a stopped state, which causes downtime. This article is intended to help isolate and troubleshoot such lockout issues.

Please note: There are many Sysinternals tools available to verify account lockouts. Here I explain the built-in commands and tools for analyzing such problems.

Method-1: Account Lockout Tools

There are many methods and tools to find the account lockout status or to unlock a locked account. This post covers one well-known tool and one command.

Using the LockoutStatus.exe Tool – This tool comes with the Account Lockout Tools package. The package was used earlier in Windows 2003. Account Lockout and Management Tools can be used on Windows Server 2008 as well.

Download Account Lockout Tools from here

https://www.microsoft.com/en-us/download/details.aspx?id=18465

How to use LockoutStatus.exe Tool

To run the LockoutStatus.exe tool and display information about a locked out user account:

  • Double-click LockoutStatus.exe.

  • On the File menu, click Select target.

  • Type the name of the user whose lockout status on the enterprise's domain controllers you want information about. The screenshot below shows that user account f1 is locked.

  • To unlock the account, right-click it and select Unlock.

    To learn more about the Account Lockout Tools, read the TechNet article below:

    https://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx

Method-2: How to use Repadmin Command to find Account Lockout details

  • First, find the FQDN of the locked user (that is, the user's distinguished name, as in the example below). You can use the DSQUERY command for this.

  • Then run the command below to display the domain controller that locked the account:

    Repadmin /showmeta "FQDNofUser"

    Here is an example that displays the domain controller that locked the account f1. Type the command:

    Repadmin /showmeta "CN=f1,OU=Finance,OU=East Sales,DC=habib,DC=local"

You will get the output as below. This output only identifies the domain controller that locked the account; the account cannot be unlocked from this command line.
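To pick the locking domain controller out of that output, this added example (not part of the original post) parses saved Repadmin /showmeta text and reports the originating DSA, timestamp and version of the lockoutTime attribute. The sample output, DC and site names, and function names are constructed for illustration, and the column layout is assumed to match what repadmin prints.

```python
import re

# Constructed sample modeled on repadmin's object-metadata table; the DC
# names, site names, USNs and timestamps are made up for illustration.
SAMPLE_OUTPUT = r"""
4 entries.
Loc.USN                          Originating DSA   Org.USN  Org.Time/Date        Ver Attribute
=======                          ===============  ========  =============        === =========
  20481                   East-Site\DC01     20481  2015-03-02 09:14:07    1 objectClass
  20733                   East-Site\DC01     20733  2015-03-10 08:01:55    3 unicodePwd
  24917     Default-First-Site-Name\DC02     61250  2015-04-21 16:42:31    5 lockoutTime
  24916     Default-First-Site-Name\DC02     61249  2015-04-21 16:42:31    2 pwdLastSet
"""

# One metadata row: local USN, originating DSA, originating USN, timestamp,
# version, attribute name. The DSA column may contain a backslash or spaces.
ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>.+?)\s+(?P<org_usn>\d+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)

def parse_showmeta(text):
    """Return {lowercased attribute name: row dict} for every metadata row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the count, header, separator and blank lines do not match
            row = m.groupdict()
            row["ver"] = int(row["ver"])
            rows[row["attr"].lower()] = row
    return rows

def lockout_origin(text):
    """Return (dsa, time, version) of the last write to lockoutTime, or None.

    The last write is either a lockout or an unlock (which resets the
    attribute to 0), so compare the timestamp with the reported outage.
    """
    row = parse_showmeta(text).get("lockouttime")
    if row is None:
        return None  # lockoutTime has never been written on this object
    return row["dsa"], row["time"], row["ver"]

if __name__ == "__main__":
    print(lockout_origin(SAMPLE_OUTPUT))
```

A version number that keeps climbing between runs means the account is being locked repeatedly, which usually points to a service or scheduled task still presenting an old password.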