AD account lockout issues
Here is some background that will help you troubleshoot similar issues in future. These are the most probable causes of account lockouts:
- Exchange ActiveSync mobile devices – 90% of account lockout issues are caused by an “unknown” device trying to sync with your Exchange mailbox.
- Apple MobileMe – contacts sync – Check that the user hasn’t configured MobileMe to sync his contacts from Outlook. If this is configured with AD credentials, it can be a reason for account lockout.
- Applications / web applications / tools which sync with Active Directory for authentication – Third-party applications may be running with an AD username and password stored in them. Often, the moment the user opens the application, the tool or a browser such as Internet Explorer, it tries to authenticate in the background and locks the account.
- Vault for credentials in Windows Control Panel or Credential Manager – This is the second most obvious reason the user might get locked out. In my case, the user had an intranet SharePoint web portal and the AD credentials were cached in Credential Manager. Make sure the Windows Credentials area is empty.
- Stored usernames and passwords – rundll32.exe keymgr.dll,KRShowKeyMgr – This shouldn’t be a problem in most cases. Open a Run window, type rundll32.exe keymgr.dll,KRShowKeyMgr and delete any stored passwords.
- Rename AD profile on the user machine – This is more like trying to fix the issue without knowing what’s causing it. It assumes that the account lockout happens while the user is logged into his client machine. If the lockout is caused by an application or “something” on that machine, rename the AD profile on the client (under “Documents and Settings” in XP and “Users” in Win7), advise the user to log in again and monitor the situation.
Other advanced level tools are LockOutStatus and ADLockouts.
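The Credential Manager and stored-password checks above can be scripted. The PowerShell below is an added example, not code from the original post: it parses the output of the built-in cmdkey /list command and flags entries saved for one account. It assumes English-language cmdkey output; the function names, account name and sample text are constructed for illustration.

```powershell
# Added example. Function names are hypothetical; assumes English cmdkey output.

function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            # A "Target:" line starts a new stored credential.
            if ($null -ne $current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        }
        elseif ($null -ne $current -and $line -match '^\s*Type:\s*(.+)$') {
            $current.Type = $Matches[1].Trim()
        }
        elseif ($null -ne $current -and $line -match '^\s*User:\s*(.+)$') {
            # Some entries have no "User:" line; their User stays empty.
            $current.User = $Matches[1].Trim()
        }
    }
    if ($null -ne $current) { $entries += [pscustomobject]$current }
    return $entries
}

function Find-AccountCredential {
    param([object[]]$Entries, [string]$SamAccountName)
    # Match DOMAIN\user, user@domain or bare user (-match is case-insensitive).
    $pattern = '^(?:[^\\]+\\)?' + [regex]::Escape($SamAccountName) + '(?:@.+)?$'
    $Entries | Where-Object { $_.User -match $pattern }
}

# Constructed sample of `cmdkey /list` output (not from a real machine).
$sample = @'
Currently stored credentials:

    Target: Domain:target=intranet.example.local
    Type: Domain Password
    User: EXAMPLE\jdoe

    Target: LegacyGeneric:target=ExampleApp:cache
    Type: Generic

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: EXAMPLE\svc_backup
'@ -split "`r?`n"

# Entries still holding the locked-out user's (possibly old) password.
Find-AccountCredential -Entries (ConvertFrom-CmdkeyList $sample) -SamAccountName 'jdoe' |
    Format-Table Target, Type, User
```

On the affected workstation, run it in the locked-out user's session with `(cmdkey /list)` in place of `$sample`, then review the flagged entries in Credential Manager.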