The domain account lockout mystery

This tip was submitted to the SearchWin2000.com tip exchange by member Randy Brown.

At the beginning of the year, my company finally decided that we needed to have and enforce a domain security policy. So, after much thought and discussion, we put into place a security policy that forces users to change their password every 180 days. Along with this requirement, we put into place an account lockout policy that locks a user's account after eight invalid logon attempts and keeps it locked for 30 minutes.

During the course of the next 180 days, as users were forced to change their passwords, we noticed that certain user accounts would get locked on a fairly regular basis. We used all kinds of tools to try to determine what machine was causing the lockout, etc. (see this SearchWin2000.com tip for one of the methods we used), but still the mystery of why these particular accounts would get locked out so frequently eluded us.

I am happy to share with you the cause and solution to this mystery that has plagued my company for more than six months. It is a very simple thing that most people probably would not even think of. Two words: Terminal Services.

That's right, after a lot of hair pulling and sleepless nights, I discovered that it is very important for users, after they change their password, to make sure that they have no "disconnected" terminal server sessions.

Disconnected terminal server sessions mean that the user is still logged onto the server in a "disconnected" state. When a user has a disconnected session and they change their password, the terminal server occasionally uses the user's old credentials to keep the session alive. The attempts to re-authenticate the disconnected user will eventually lock out the account. This will continue to happen until the user logs out of all terminal server sessions.

Now that we know this information, we no longer have a mystery on our hands. We simply instruct any user that is having problems with lockouts to be sure to log out of all terminal server sessions and then log back into them. This has solved the problem 99% of the time (the other 1% being users forgetting that they changed their password!).
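To make the "no disconnected sessions" check concrete, here is an added example that is not part of the original tip. It parses the output of the Windows `query session` command (the same listing `qwinsta` prints) for each terminal server, reports the sessions of a given user that are in the Disc state, and builds the `logoff <id> /server:<name>` command that would end each one. The server name TS1, the user names and the sample listing are constructed for this example; on a Windows host, calling `report` with real server names and the default `query` runs the command against live servers.

```python
"""Find a user's disconnected Terminal Services sessions across servers.

Added example (not the original tip's code): it parses `query session`
output so an administrator can confirm that a user who just changed their
password has no lingering disconnected sessions that would keep retrying
the old credentials and lock the account.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample of `query session` output; users and IDs are made up.
# A blank SESSIONNAME with a user present is how a disconnected session
# appears on some terminal server versions, so one such row is included.
SAMPLE_QUERY_SESSION = """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           administrator             1  Active  wdcon
 rdp-tcp#4         rbrown                    3  Disc    rdpwd
 rdp-tcp#7         jsmith                    5  Active  rdpwd
                   rbrown                    6  Disc
 rdp-tcp                                 65536  Listen  rdpwd
"""

# One data row: a leading '>' marks the caller's own session, SESSIONNAME and
# USERNAME may be blank, ID is a right-aligned integer, TYPE/DEVICE optional.
# The header line never matches because its ID column is not numeric.
_ROW = re.compile(
    r"^(?P<cur>[> ])(?P<name>\S*)\s+(?:(?P<user>\S+)\s+)?(?P<id>\d+)"
    r"\s+(?P<state>\S+)(?:\s+(?P<type>\S+))?(?:\s+(?P<device>\S+))?\s*$"
)


@dataclass
class Session:
    server: str
    name: str
    user: str
    session_id: int
    state: str
    current: bool


def parse_query_session(text: str, server: str = "localhost") -> List[Session]:
    """Turn `query session` output into Session records; other lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        sessions.append(Session(
            server=server,
            name=m.group("name"),
            user=m.group("user") or "",
            session_id=int(m.group("id")),
            state=m.group("state"),
            current=m.group("cur") == ">",
        ))
    return sessions


def disconnected_sessions(sessions: List[Session], user: str) -> List[Session]:
    """Sessions in the Disc state that belong to `user` (names compared case-insensitively)."""
    return [s for s in sessions
            if s.state.lower() == "disc" and s.user.lower() == user.lower()]


def query_server(server: str) -> List[Session]:
    """Run `query session /server:<name>` against a terminal server (Windows only)."""
    out = subprocess.run(["query", "session", f"/server:{server}"],
                         capture_output=True, text=True, check=True).stdout
    return parse_query_session(out, server)


def logoff_command(session: Session) -> List[str]:
    """The `logoff` command line that would end this session; built, not executed."""
    return ["logoff", str(session.session_id), f"/server:{session.server}"]


def report(user: str, servers: List[str],
           query: Callable[[str], List[Session]] = query_server) -> List[Session]:
    """Check every server for the user's disconnected sessions and return them."""
    found: List[Session] = []
    for server in servers:
        try:
            found.extend(disconnected_sessions(query(server), user))
        except (OSError, subprocess.CalledProcessError) as exc:
            print(f"{server}: query failed ({exc})")
    for s in found:
        print(f"{s.server}: session {s.session_id} ({s.name or 'no name'}) for "
              f"{s.user} is {s.state}; end it with: {' '.join(logoff_command(s))}")
    return found


if __name__ == "__main__":
    # Offline run against the constructed sample instead of a live server.
    report("rbrown", ["TS1"],
           query=lambda srv: parse_query_session(SAMPLE_QUERY_SESSION, srv))
```

The script only reports and prints the `logoff` command line rather than running it, so the administrator can confirm with the user before ending a session that may still hold open work; once the stale sessions are gone, the repeated attempts with the old password stop and the account no longer trips the lockout threshold.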

This was first published in September 2003
