An Active Directory (AD) account can be locked out for multiple reasons, and it's up to the IT admins to discover why accounts are locked out and unlock them. But doing this manually is a time-consuming and complex activity.
On top of this, the fact that account lockouts are so common only makes unlocking these accounts more challenging. But don't worry. Here are some tips and tricks and perhaps just the solution you're looking for to help you deal with account lockouts.
Why is an AD account locked out?
Some common causes for a locked-out AD account are:
- End-user errors:The user has exhausted all the attempts allowed to enter the valid username-password combination.
- Applications using old credentials:On a user's system, there are many applications that utilize the user's AD credentials. So if a user's credentials are expired or changed and the new ones are not updated in those applications, they can be locked out of their accounts.
- Systems using old credentials:A user can simultaneously use multiple devices to access the same AD account. If they change the password in one of these devices without updating it in other devices, they can be locked out of their account.
- Service accounts using old credentials:The service account credentials might expire or be changed, but the Windows services might be trying to run the service with the old credentials, leading to an account lockout.
- Scheduled tasks:Whether a user is logged in or not, the Windows Task Scheduler needs user-specified credentials to execute a task. These credentials may expire or could have been changed. If the cached credentials area is not updated in such cases, it can cause an account lockout.
Troubleshooting an AD account lockout
Here are some tips on troubleshooting
an AD account lockout:
- Check if a local user account has the same name attribute as an AD user account. If it does, rename the local ID.
- Clear all temporary files.
- Clear all the cookies, saved passwords, and history from all the web browsers.
- Delete the stored passwords from the Control Panel.
- Go to Start > Run > Prefetch and delete all the prefetch files.
- Inspect the event logs on the computer to understand the cause of account lockout.
- Ensure that all domain controllers are updated with the latest service packs and hotfixes.
- Configure domain-level auditing along with Netlogon and Kerberos logging to record relevant data.
- Go through the security event logs and Netlogon log files to find where and why the lockouts are happening.
- Examine all the available logs to check if you're facing a brute-force attack. If hundreds or thousands of failed login attempts are recorded, there is a good chance that you have been or are being attacked.
Tackle AD account lockout issues with ADSelfService Plus
ADSelfService Plus is an integrated Active Directory password management and single sign-on solution
that helps you efficiently resolve account lockout issues caused by user errors. Here's how:
1. Self-service account unlock
Allow users to securely unlock their AD accounts without involving the IT desk, relieving help desk techs of the responsibility of resolving account lockout tickets. The IT team can use the time saved to work on more challenging and important issues.
Users can unlock their accounts from:
-
1
Identity verification failures
-
1
Users with expired passwords
-
-
2. Comprehensive reports
Keep track of locked out users, failed identity verifications, and users with expired passwords using ADSelfService Plus. You can compare readily available reports with each other and make quick conclusions, making root cause analysis of an account lockout easy. You can customize what information is featured in these reports. You can also schedule these reports to be generated at desired intervals and have them delivered through email.
3. Password expiration notification
With ADSelfService Plus, you can notify users through emails, SMS messages, and push notifications at a frequency of your choice about their soon-to-expire passwords. This has a huge impact on avoiding account lockouts, as a major portion of account lockouts are caused by expired passwords.
4. Increased productivity
Witness a boost in overall productivity of your organization with fewer users inactive
due to account lockouts. ADSelfService Plus can also improve the IT desk's
efficiency, as less time is spent unraveling reasons for account lockouts.
Steps to unlock a locked-out AD account using ADSelfService Plus
1A user can click the Reset Password/Unlock Account button on the Windows login screen.
2In the ADSelfService Plus portal pop-up, the user should select Unlock Account.
3The user will then need to enter their username and click Continue.
4Next, the user must prove their identity through the authentication methods enforced by the admin and click Continue.
- Authentication factor 1: Face ID Authentication
- Authentication factor 2: Google Authenticator
- Authentication factor 3: Security questions
5Now, after entering the Captcha, the user can click the Unlock Account button.
How ADSelfService can save the day
- Multi-factor authenticationSecure machine, application, and VPN logons with over 15 authentication methods that can be configured in minutes.
- Single sign-onImplement single sign-on for over a hundred major enterprise applications and custom applications from a single portal.
- Password synchronizer Automatically sync the Windows Active Directory user password across various platforms to eliminate password fatigue.
- Password policy enforcerMandate strong passwords that are equipped to fight dictionary attacks, brute-force attacks, and other password threats.
- Directory self-updateAllow users to update personal information in Active Directory, freeing the help desk from this time-consuming and repetitive task.
