19 September, 2011

Account Lockout

What could be more frustrating for an administrator than repeatedly unlocking a user's account? Although, for the user, it can be a reason for a tea break (an official reason... :))

There is a simple logic behind accounts getting locked, and as an administrator you just need to understand that logic. One of the main reasons an account gets locked is that the password for that account has been changed, but somewhere on a server (IIS, SharePoint, a TS session, ISA, a mapped drive, a 3rd-party application) the old password is still cached. Every time that application tries to contact AD with the old password, the attempt fails, and those failures are what get the account locked.

So, in the background, it is most probably a cached credential that is causing the account lockout. Which server holds the old credentials, and which application on that server is sending them, is what you as an admin have to find out.
Along with that, we need to know the complete process of a user's logon and the verification of his credentials by the authenticating DC/PDC:

1. User logs on to a client machine.

2. User then accesses a resource (like a mapped drive or a SharePoint site).

3. NETWORK LOGON: The user's credentials are sent to the server from where the drives are mapped, or to the server hosting the SharePoint site.

4. TRANSITIVE NETWORK LOGON: The server hosting the mapped drive data or the server hosting the SharePoint site cannot authenticate the user itself and has to send the user's credentials to the authenticating domain controller. This forwarding of the credentials by the server to the domain controller is known as TRANSITIVE NETWORK LOGON or Pass-Through Authentication.

5. If the password is incorrect, the authenticating domain controller forwards the credentials to the PDC for re-verification. This is also a TRANSITIVE NETWORK LOGON.
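Because of step 5, the PDC emulator sees every bad-password attempt and is the DC that actually locks the account, so its Security log is the one place that records which server sent the stale credentials. The following PowerShell is an added example, not code from the original post; it assumes the ActiveDirectory (RSAT) module is installed, that the running account can read the Security log on the PDC emulator, and that the DCs are Windows Server 2008 or later (event ID 4740). The account name used in the usage line is a placeholder.

```powershell
# Find the computer that is sending the old password for a locked-out user by
# reading "A user account was locked out" (event 4740) on the PDC emulator.
# Added example; assumes RSAT ActiveDirectory module and read access to the
# PDC emulator's Security log.
function Find-LockoutSource {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName,   # the locked-out account (sAMAccountName)
        [int]$Hours = 24           # how far back in the Security log to look
    )

    Import-Module ActiveDirectory

    # The PDC emulator re-verifies every failed password (step 5 above), so it
    # performs the lockout and is guaranteed to have the 4740 event.
    $pdc = (Get-ADDomain).PDCEmulator

    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent throws when no events match; treat that as "no lockouts".
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Quirk of event 4740: TargetUserName is the locked account, and
        # TargetDomainName carries the "Caller Computer Name", i.e. the
        # server that still holds the old password.
        if ($data['TargetUserName'] -ieq $SamAccountName) {
            [pscustomobject]@{
                Time           = $e.TimeCreated
                LockedAccount  = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']
                LoggedOnDC     = $pdc
            }
        }
    }
}

# Usage (placeholder account name): list every lockout of jsmith in the last
# 48 hours together with the server that caused it.
Find-LockoutSource -SamAccountName 'jsmith' -Hours 48 | Format-Table -AutoSize
```

An empty result means the PDC emulator logged no 4740 for that account in the window; the caller computer it does report is where you then look at IIS, SharePoint, TS sessions, mapped drives or 3rd-party applications for the cached password.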

To understand account lockout more deeply, I have made two small labs and another post on how to find the server where the old credentials are stored:
Account Lockout Lab - Mapped Drive
http://www.adshotgyan.com/2011/09/account-lockout-lab-mapped-drive.html

Account Lockout Lab - Site Access
http://www.adshotgyan.com/2011/09/account-lockout-lab-site-access.html

Account Lockout - Finding The Culprit (Server)
http://www.adshotgyan.com/2011/09/account-lockout-finding-culprit-server.html

For more information on account lockout, please refer to the following links:

Maintaining and Monitoring Account Lockout
http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx

Troubleshooting Account Lockout
http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx