The domain account lockout mystery

Disconnected terminal server sessions can cause problems with account lockouts.

This tip was submitted to the SearchWin2000.com tip exchange by member Randy Brown. Please let other users know

how useful it is by rating it below.


At the beginning of the year, my company finally decided that we needed to have and enforce a domain security policy. So, after much thought and discussion, we put into place a security policy that forces users to change their password every 180 days. Along with this requirement, we put into place an account lockout policy that locks a user's account after eight invalid logon attempts and keeps it locked for 30 minutes.

During the course of the next 180 days, as users were forced to change their passwords, we noticed that certain user accounts would get locked on a fairly regular basis. We used all kinds of tools to try to determine what machine was causing the lockout, etc. (see this SearchWin2000.com tip for one of the methods we used), but still the mystery of why these particular accounts would get locked out so frequently eluded us.

I am happy to share with you the cause and solution to this mystery that has plagued my company for more than six months. It is a very simple thing that most people probably would not even think of. Two words: Terminal Services.

That's right, after a lot of hair pulling and sleepless nights, I discovered that it is very important for users, after they change their password, to make sure that they have no "disconnected" terminal server sessions.

Disconnected terminal server sessions mean that the user is still logged onto the server in a "disconnected" state. When a user has a disconnected session and they change their password, the terminal server occasionally uses the users old credentials to keep the session alive. The attempts to re-authenticate the disconnected user will eventually lock out the account. This will continue to happen until the user logs out of all terminal server sessions.

Now that we know this information, we no longer have a mystery on our hands. We simply instruct any user that is having problems with lockouts to be sure to logout of all terminal server sessions and then log back into them. This has solved the problem 99% of the time (the other 1% being users forget that they changed their password!).

This was first published in September 2003

Dig deeper on Windows Operating System Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close