
The domain account lockout mystery

Disconnected terminal server sessions can cause problems with account lockouts.

This tip was submitted to the tip exchange by member Randy Brown.

At the beginning of the year, my company finally decided that we needed to have and enforce a domain security policy. So, after much thought and discussion, we put into place a security policy that forces users to change their password every 180 days. Along with this requirement, we put into place an account lockout policy that locks a user's account after eight invalid logon attempts and keeps it locked for 30 minutes.

During the course of the next 180 days, as users were forced to change their passwords, we noticed that certain user accounts would get locked on a fairly regular basis. We used all kinds of tools to try to determine what machine was causing the lockout, etc. (see this tip for one of the methods we used), but still the mystery of why these particular accounts would get locked out so frequently eluded us.

I am happy to share with you the cause and solution to this mystery that has plagued my company for more than six months. It is a very simple thing that most people probably would not even think of. Two words: Terminal Services.

That's right, after a lot of hair pulling and sleepless nights, I discovered that it is very important for users, after they change their password, to make sure that they have no "disconnected" terminal server sessions.

A disconnected terminal server session is still a logged-on session: the user's processes keep running on the server with the credentials that were current when the session was started. When the user then changes their password, anything in that session that reconnects with the cached old password (mapped drives, a mail client and the like) fails, and each failure counts as an invalid logon attempt against the lockout threshold. The retries continue, and the account keeps getting locked, until the user logs off (not merely disconnects from) every terminal server session.

Now that we know this information, we no longer have a mystery on our hands. We simply instruct any user who is having problems with lockouts to be sure to log out of all terminal server sessions and then log back into them. This has solved the problem 99% of the time (the other 1% being users who forget that they changed their password!).
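The procedure above (find the user's disconnected sessions on each terminal server, log them off) can be run from an administrator's workstation rather than by asking the user. The script below is an added example and is not part of Randy Brown's tip or any Microsoft code; the server names, the user name and the use of the PDC emulator's Security log to find the locking-out machine are assumptions. It parses the output of the built-in quser.exe, which reports disconnected sessions with an empty SESSIONNAME column, and uses logoff.exe to end them.

```powershell
# Added example: find and clear a user's disconnected Terminal Services
# sessions after a password change. Not from the original tip; server names,
# the user name and the PDC lookup are assumptions. Run from an admin
# workstation that can reach the terminal servers (quser/logoff use RPC).

# Parse 'quser /server:<name>' output into objects. The SESSIONNAME column is
# blank for disconnected sessions, which is why the field count varies.
function Get-TSSession {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$UserName
    )
    foreach ($server in $ComputerName) {
        $lines = & quser /server:$server 2>$null
        if ($LASTEXITCODE -ne 0 -or -not $lines) { continue }   # unreachable or no sessions
        foreach ($line in ($lines | Select-Object -Skip 1)) {
            # '>' marks the session quser itself runs in; drop it, then split on 2+ spaces
            $fields = ($line.TrimStart('>').Trim() -replace '\s{2,}', ',') -split ','
            if ($fields.Count -eq 5) {
                # disconnected session: USERNAME, ID, STATE, IDLE TIME, LOGON TIME
                $fields = @($fields[0], '', $fields[1], $fields[2], $fields[3], $fields[4])
            }
            if ($fields.Count -lt 6) { continue }
            $session = [pscustomobject]@{
                Server      = $server
                UserName    = $fields[0]
                SessionName = $fields[1]
                Id          = [int]$fields[2]
                State       = $fields[3]          # 'Active' or 'Disc'
                IdleTime    = $fields[4]
                LogonTime   = $fields[5]
            }
            if (-not $UserName -or $session.UserName -ieq $UserName) { $session }
        }
    }
}

# Log off every disconnected session that belongs to the user. Active sessions
# are left alone: the user is presumably working in them with the new password.
function Clear-DisconnectedTSSession {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    Get-TSSession -ComputerName $ComputerName -UserName $UserName |
        Where-Object { $_.State -eq 'Disc' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.Server) session $($_.Id)", "logoff $($_.UserName)")) {
                & logoff $_.Id "/server:$($_.Server)"
            }
        }
}

# Optional check: which machine is generating the bad attempts? Lockout events
# (ID 4740) are recorded on the PDC emulator; 'Caller Computer Name' names the
# source, which tells you which terminal servers to inspect. Assumes the
# ActiveDirectory module for the default DC lookup and read access to its log.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$DomainController = (Get-ADDomain).PDCEmulator
    )
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -ieq $UserName } |
        ForEach-Object {
            $caller = if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $_.Properties[0].Value; Caller = $caller }
        }
}

# Usage (assumed names): see where the lockouts come from, preview, then clear.
# Get-LockoutSource -UserName 'jdoe' | Select-Object -First 5
# Clear-DisconnectedTSSession -UserName 'jdoe' -ComputerName 'TS01','TS02' -WhatIf
# Clear-DisconnectedTSSession -UserName 'jdoe' -ComputerName 'TS01','TS02'
```

Run the -WhatIf form first so you can see which sessions would be ended; logoff is abrupt and unsaved work in the disconnected session is lost. Once the stale sessions are gone, the lockout counter stops climbing and the 30-minute lockout duration in the policy above clears the account on its own (or unlock it in Active Directory Users and Computers if the user cannot wait).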
