18 September, 2011

Account Lockout Lab - Mapped Drive

In this post, we will see how accessing a mapped drive with the wrong credentials can lock a user account.

Lab:

1. One Domain Controller: 3CGDC (Primary Domain Controller)
2. Two Member Servers: 3CGMAIL07
3. One Client Machine: 3CGCLIENT
4. One User: User1
5. One Admin: Admin1




Currently, the User1 account is not locked.



The server 3CGMAIL07 is a file server hosting data. As an administrator, we want this data to be made available to all the users.


On the client machine, we are logged in as the user "User1", and then we map the drive.

(Remember, in the real world all of this can be, and is, done through scripts. This is not an ideal lab.)


A drive is mapped to the data which is stored on the server 3CGMAIL07



Here we will select the option to map the drive as a different user (in this case, using the account "Admin1").

Again, in the real world, things would be different. I am just trying to show how a mapped drive, or indeed the credential cached in a mapped drive, can cause accounts to be locked.






The drive is mapped successfully!!!



Let's now change the password for "Admin1".




On the client machine, let's log on as "User1".


The mapped drive is shown as "disconnected"


When we try to connect, it asks for the password. The drive was mapped with the password the "Admin1" account had at that time, and that password has since been changed. So it is asking you to enter the new password, which of course, as a user, you don't know...


Suppose the user tries to enter the password (the old password, which might have been given to him by Admin1). This eventually leads to the account being locked.


Proved!!!


The motive of this post is to help you understand the cause of "Account Lockout". One of the main reasons an account gets locked is that its password has been changed, but somewhere on a server (IIS, SharePoint, TS Session, ISA, Mapped Drive, 3rd-party application) the old password is still cached. The account then gets locked whenever the application holding the old password tries to contact AD with it.
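
To trace a lockout like the one in this lab back to a stale mapped-drive credential, the following PowerShell is an added example, not part of the original post. It assumes the domain controller logs lockouts as Security event 4740 (Windows Server 2008 or later) and that persistent mappings are stored under HKCU:\Network; the function names are hypothetical.

```powershell
# Added example, read-only. Function names are hypothetical.

# Step 1: ask the DC which machine sent the bad passwords.
# Assumes lockouts are logged as Security event 4740 and that you may read that log.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$DomainController,  # 3CGDC in this lab
        [Parameter(Mandatory)][string]$Account            # the locked account
    )
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
        Where-Object { $_.Properties[0].Value -eq $Account } |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                LockedAccount  = $_.Properties[0].Value  # TargetUserName
                CallerComputer = $_.Properties[1].Value  # machine the attempts came from
            }
        }
}

# Step 2: on that machine, as the logged-on user, list persistent drive
# mappings that were saved under a different account name.
function Get-AlternateCredentialDrive {
    param([string]$NetworkKey = 'HKCU:\Network')  # where persistent mappings live
    if (-not (Test-Path $NetworkKey)) { return }  # no persistent mappings
    foreach ($key in Get-ChildItem -Path $NetworkKey) {
        $props    = Get-ItemProperty -Path $key.PSPath
        $mappedAs = $props.UserName
        # Empty or non-string value: the drive was mapped with the logon credentials.
        if ($mappedAs -isnot [string] -or $mappedAs -eq '') { continue }
        # Reduce DOMAIN\user or user@domain to the bare account name.
        $short = ($mappedAs -split '\\')[-1] -replace '@.*$', ''
        if ($short -ieq $env:USERNAME) { continue }
        [pscustomobject]@{
            Drive      = "$($key.PSChildName):"
            RemotePath = $props.RemotePath
            MappedAs   = $mappedAs
            LoggedOnAs = "$env:USERDOMAIN\$env:USERNAME"
        }
    }
}

Get-AlternateCredentialDrive | Format-Table -AutoSize
```

Any drive this returns is tied to another account's credentials and will start failing authentication once that account's password changes, so it should be remapped or removed.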