Professional labs

What causes repeated Active Directory account lockouts and how to resolve them

Active Directory account lockouts can be one of the biggest headaches for a system administrator because they happen so often. According to research, account lockouts are the single largest source of calls to the IT help desk.

But what is the main cause of account lockouts?

Most Active Directory account lockouts come down to two root causes: either a user forgets their password, or the credentials are updated on a new device while an old device keeps using the stale ones.

The common types of Active Directory account lockouts are:

  • Employees forgetting the password: The research mentioned above found that the average employee uses 25+ passwords for business needs, which makes it extremely challenging to keep track of which password belongs to which account. Desktop and VPN access, as well as applications like Outlook, Dropbox, G Suite, Salesforce and so on, each require a strong, unique password. When an employee sets a unique password and then cannot remember it, the result is frequent account lockouts.
  • Password overlap due to cached credentials: This type of lockout is difficult to resolve because the underlying cause is obscure. Employees use multiple applications, or a single application on several devices, and a cached copy of an old password on one of them keeps being retried until the account is locked out.
  • Mapped drive using old credentials on a device: A mapped drive can be configured with user-specific credentials that connect to different resources. When the user changes their password without updating the credentials stored on that device, the stale credentials keep being presented and cause an account lockout.
  • Application using old credentials: If the credentials are not updated in every application you use, the application will keep authenticating with the expired password and the account will lock out.
  • Logged on across multiple devices: If an employee is logged on across multiple devices without logging out of any of them, sessions holding the old password can also lead to Active Directory account lockouts.


How you can resolve account lockouts:

To resolve an account lockout you need to follow a procedure. Microsoft also offers the Account Lockout Status tool, which contacts the domain controllers in the user's domain and searches them for the account's lockout state.

Tools that you can use to find the source of repeated account lockouts:

There are multiple tools you can use to track down the source of repeated account lockouts. Using them can be time intensive, but they are very helpful.

The first is the Microsoft Account Lockout and Management Tools, one of the most accurate and reliable options. PowerShell scripts and the Account Lockout Examiner tool are also used to analyze the various Windows components that can hold stale credentials, such as scheduled tasks, COM objects and different applications. These tools can be a great way to find the source of repeated Active Directory account lockouts quickly.
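As an added example of the PowerShell approach (not a script from the original post), the following reads event ID 4740 ("A user account was locked out") from the PDC emulator and groups the lockouts by account and calling computer. It assumes the ActiveDirectory RSAT module is installed, account lockout auditing is enabled on the domain controllers, and the caller can read the Security log on the PDC emulator remotely.

```powershell
# Added example: find which computer keeps locking out an account by reading
# event ID 4740 on the PDC emulator (every lockout is replicated there).
# Assumptions: RSAT ActiveDirectory module, lockout auditing enabled on DCs,
# and remote read access to the PDC emulator's Security log.
param(
    [string]$User  = '*',   # sAMAccountName to investigate, '*' for all accounts
    [int]$Hours    = 24     # how far back to search
)

Import-Module ActiveDirectory

# Query the PDC emulator rather than walking every domain controller.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # In 4740, TargetUserName is the locked account and TargetDomainName
    # carries the "Caller Computer Name" that sent the bad credentials.
    if ($data.TargetUserName -like $User) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Account    = $data.TargetUserName
            SourceHost = $data.TargetDomainName
            DC         = $e.MachineName
        }
    }
}

# A host that shows up repeatedly is the likely stale-credential culprit:
# a mapped drive, scheduled task, service, or a device with an old password.
$rows | Group-Object Account, SourceHost |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Account';    e={ $_.Group[0].Account }},
        @{n='SourceHost'; e={ $_.Group[0].SourceHost }},
        @{n='LastSeen';   e={ ($_.Group | Sort-Object Time)[-1].Time }} |
    Format-Table -AutoSize
```

If SourceHost is blank, the lockout came through a path that does not record the caller name, and the Account Lockout Status tool or the netlogon logs on the reporting DC are the next place to look.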

Final word:

You need to take the time to investigate the true cause of frequent account lockouts. Tuning the Active Directory account lockout policy is an effective way to separate out the lockouts that are simply user error. Use the tools to look into the issue and trace its source; with these tools and resources you can manage and solve the problem of Active Directory lockouts.