Troubleshooting Persistent AD Account Lockouts

We’ve all been there: a user’s Active Directory account keeps locking out every 5 minutes, even after a password reset. Finding the “ghost in the machine” can be a nightmare. Here are the most common culprits and how to kill them.
1. The 90% Culprit: Mobile Devices & ActiveSync
In nearly 90% of cases, the culprit is an old smartphone or tablet.
- The Scenario: The user changed their AD password on their PC, but their iPad at home is still trying to sync mail using the old password. After a few failed attempts, the account locks.
- The Fix: Have the user update the password on all mobile devices or temporarily turn off Wi-Fi on those devices to see if the lockouts stop.
2. Windows Credential Manager
Windows loves to “help” by caching credentials for printers, file shares, and SharePoint sites.
- The Fix: Go to Control Panel > User Accounts > Credential Manager. Under Windows Credentials, look for any entries related to the domain or internal web portals and remove them.
3. Stored Passwords (The Legacy Method)
Sometimes the GUI Credential Manager doesn’t show everything. You can access the legacy stored usernames and passwords directly:
- The Fix: Open a Run box (Win+R) and type `rundll32.exe keymgr.dll,KRShowKeyMgr`, then delete any stored passwords that look suspicious or outdated.
4. Background Applications & Web Services
Third-party tools, browser plugins, or internal HR portals often store AD credentials.
- The Scenario: A user opens Internet Explorer, and a background tool immediately attempts to authenticate.
- The Fix: Check the user’s “Startup” tab in Task Manager and disable non-essential third-party apps.
5. Advanced Diagnostics: LockoutStatus & ADLockouts
If the manual checks fail, you need to find out which Domain Controller is reporting the lockout.
- LockoutStatus: This tool from Microsoft’s Windows Server Resource Kit shows the lockout status across all DCs and identifies the “Source” machine.
- Netwrix Account Lockout Examiner: A great free alternative that often points directly to the process name causing the issue.
![lockoutstatus[1]](https://i0.wp.com/lazyadminblog.com/wp-content/uploads/2015/04/lockoutstatus1.jpg?resize=640%2C206&ssl=1)
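If you cannot run LockoutStatus, the same two questions (which DC saw the bad passwords, and which machine sent them) can be answered from PowerShell. The script below is an added example, not code from the original post or from Microsoft's tool; it assumes the ActiveDirectory RSAT module, rights to read the Security log on the DCs, and uses `jdoe` as a placeholder account name.

```powershell
# Added example (not from the original post): find the lockout source without
# LockoutStatus.exe. Assumes the ActiveDirectory module and read access to the
# Security log on every domain controller. 'jdoe' is a placeholder account.
param([string]$SamAccountName = 'jdoe')
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator   # bad-password attempts are chained to the PDC emulator

# Step 1: ask every DC for its own view of the account. badPwdCount and
# lastBadPasswordAttempt are NOT replicated, so the DC with the highest count
# is the one the failing client talks to.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $u = Get-ADUser $SamAccountName -Server $dc -Properties badPwdCount, LastBadPasswordAttempt, LockedOut
    [pscustomobject]@{
        DC                     = $dc
        BadPwdCount            = $u.badPwdCount
        LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        LockedOut              = $u.LockedOut
    }
}

# Step 2: on the PDC emulator, read event 4740 (A user account was locked out).
# Its "Caller Computer Name" field is stored as TargetDomainName in the event
# XML; that value is the machine still sending the old password.
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; Data = $SamAccountName } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetUserName -eq $SamAccountName) {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                User           = $data.TargetUserName
                CallerComputer = $data.TargetDomainName   # the "Source" machine
                ReportingDC    = $_.MachineName
            }
        }
    } | Select-Object -First 10
```

Once the caller computer is known, the checks in sections 1 to 4 (mobile devices, Credential Manager, stored passwords, background apps) apply to that machine rather than to every device the user owns.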