18 September, 2011

Account Lockout Lab - Site Access

In this post, we will see how accessing a site with wrong credentials can lock a user account.

Lab:

1. One Domain Controller: Win2k3-DC (Primary Domain Controller)
2. Two Member Servers: Win2k3-SP (SharePoint Server) & Win2k3-SQL (SQL Server)
3. One Client Machine: WinXP
4. One User: User1

Account Lockout Policy: Account Lockout Threshold = 3

User Logs On to a Client Machine

User tries to access a SharePoint site and enters his credentials to access it

User enters wrong credentials and is therefore prompted for the password again; again he enters the wrong credentials

And here we go... After entering the wrong password thrice, his account is locked on the 4th attempt

Confirmed!!!

Important: In this post we said that the user entered the wrong password while accessing the SharePoint site.... Do you think a normal user would have entered the right password while logging on to the machine and then entered the wrong password while accessing the site? Of course not, and this user is no less clever than anyone else... :)

Let's talk about this for a minute by looking at two scenarios...

1. The administrator changed the password for that user on the PDC, and replication between the PDC and the DC authenticating the user was not working. Now when the user logs on to the client machine with his old password (unaware that the administrator has changed it), he might be able to log on using cached credentials.... But then he might not be able to access the site with those cached credentials?

2. The SharePoint site was running in the context of a user/admin/service account, the password for that account was changed in AD, but in IIS the old password was left unchanged.
This is just one scenario; there could indeed be many more.

The motive of this post is to help you understand the cause of an "Account Lockout". One of the main reasons an account gets locked is that the password for that account has been changed, but somewhere on a server (IIS, SharePoint, TS session, ISA, mapped drive, 3rd-party application) the old password is still cached.... so the account gets locked whenever the application that still holds the old password tries to contact AD with it...
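As an added example (not part of the original post), here is a PowerShell script an administrator can run to find which machine is sending the stale password, by reading the lockout events on the domain controller and grouping them by the caller computer name. It assumes a DC running Windows Server 2008 or later (lockout event ID 4740; on the Win2k3-DC in this lab the equivalent event is 644) and read access to its Security log; the parameter names are my own.

```powershell
# Added example: locate the source of repeated lockouts for one account.
# Event 4740 ("A user account was locked out") is logged on the DC; its
# EventData field named TargetDomainName carries the Caller Computer Name,
# i.e. the machine that sent the bad password. Requires Server 2008+ DC.
param(
    [string]$DomainController = 'Win2k3-DC',   # DC name from the lab
    [string]$UserName         = 'User1',       # account that keeps locking
    [int]$Hours               = 24             # how far back to look
)

$since = (Get-Date).AddHours(-$Hours)

$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction Stop | ForEach-Object {
    # Parse the event XML so fields are read by name, not by position
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $_.TimeCreated
        LockedAccount  = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']   # caller computer for 4740
    }
} | Where-Object { $_.LockedAccount -ieq $UserName }

if (-not $lockouts) {
    Write-Host "No lockout events for $UserName on $DomainController in the last $Hours h."
    return
}

# The computer that appears most often is where the old password is still
# cached (IIS app pool, SharePoint, TS session, mapped drive, service, ...).
$lockouts | Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object @{n = 'CallerComputer'; e = { $_.Name }}, Count,
                  @{n = 'LastLockout';    e = { ($_.Group | Sort-Object Time)[-1].Time }} |
    Format-Table -AutoSize
```

Once the caller computer is known, check its IIS application pool identities, services, scheduled tasks and mapped drives for the account, since those are the places an old password is typically still stored.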