Active Directory faking account lock outs

active-directory

I am having some issues on my domain with user accounts refusing to log in because the account is locked out, but in active directory (users and computers) the account is not marked as being locked out.

For example, this morning, a user phones in that her account is saying it's locked out. I go to remote desktop into the domain controller, but it's saying that my server admin account is locked out… so I log into the DC with my desktop account, open up the Users and Computers panel, browse first to my server admin account and it is NOT locked. Then I browse to the user's account and… it is NOT locked. I log out of the domain controller and try to remote desktop into it again with my server admin account and it works fine. And now the user's account is working fine too.

For some reason, this happens very often and randomly. "X" account can't log in because it's "locked". Open up AD and find it is NOT locked; now "X" account is working. I have had times where all of my IT staff's desktop accounts and admin accounts are ALL locked out, users are getting notifications to log off/on to reauth their accounts, then, out of nowhere, everything is working fine again… none of the accounts are locked, etc.

I have not had much success in googling for solutions, so now I'm here. 🙁

My main question being… are there any scenarios where an "account is locked" error message is produced even though AD reports the account as unlocked?

And.. is there any way that accounts can be randomly locked and unlocked without admin intervention? (assuming the system/domain is not compromised)

A little about my AD: I have a main office (with 2 DCs) connected (via Cisco VPN) to 2 remote offices (each with its own DC) on different subnets, defined in AD Sites. All 4 appear to be replicating and otherwise functioning properly. I have not had a case of the above problem from any of the remote sites, only the main office.

Best Answer

I have not encountered any scenario where an account is listed as unlocked and the user is getting account locked issues. However, this could potentially occur if the DCs are not up to date.

Are the users who are getting this problem all within one AD site? Generally your intrasite DC replication will occur fast enough to avoid these issues. If your intersite replication schedule is too long and a user somehow gets locked in a separate AD site you could have the scenario you encounter.

Have you tried looking for the root cause of the account lockouts? You could use the Lockout Tool to find where the bad logon attempts are coming from.
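As an added example (not part of the question or the answer above), the following PowerShell script does two things the answer suggests: it queries every DC individually for the account's lockout state and bad-password counters (so a lockout that has not replicated yet is visible), and it pulls the 4740 "account was locked out" events from the PDC emulator, which records the caller computer name. It assumes the RSAT ActiveDirectory module is installed, that the runner has rights to read the Security log on the PDC emulator, and that `$SamAccountName` is the account to investigate (a placeholder to replace).

```powershell
# Added example: per-DC lockout state plus 4740 lockout events from the PDC emulator.
# Assumes the ActiveDirectory module and rights to read the PDC emulator's Security log.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'   # placeholder: the account reported as "locked out"
$Domain = Get-ADDomain
$Pdc    = $Domain.PDCEmulator

# 1. Ask every DC directly. badPwdCount and lastBadPasswordAttempt are NOT replicated,
#    and lockoutTime can lag between sites, so a single DC's view can be misleading.
$PerDc = Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc `
             -Properties LockedOut, badPwdCount, lastBadPasswordAttempt, lockoutTime
        [pscustomobject]@{
            DC         = $dc
            Site       = $_.Site
            LockedOut  = $u.LockedOut
            BadPwd     = $u.badPwdCount
            LastBadPwd = $u.lastBadPasswordAttempt
            LockoutAt  = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) }
        }
    } catch {
        [pscustomobject]@{ DC = $dc; Site = $_.Site; LockedOut = 'query failed'; BadPwd = $null; LastBadPwd = $null; LockoutAt = $null }
    }
}
$PerDc | Sort-Object Site, DC | Format-Table -AutoSize

# 2. Lockouts are always forwarded to the PDC emulator, so its Security log (event 4740)
#    is the one place that lists them all. Properties[1] (TargetDomainName) holds the
#    caller computer name, which is where the bad logon attempts originated.
$Since = (Get-Date).AddDays(-1)
Get-WinEvent -ComputerName $Pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } |
    Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value
        }
    } | Format-Table -AutoSize
```

If the per-DC table shows LockedOut differing between DCs, the symptom in the question (locked on one DC, clean on another) is replication lag rather than a phantom lockout; the CallerComputer column then points at the machine whose cached credential or service keeps tripping the threshold.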