Locked or not? Demystifying the UI behavior for account lockouts
This is Shijo from our team in Bangalore once again. Today I’d like to briefly discuss account lockouts, and some UI behaviors that can trip admins up when dealing with account lockouts.
If you’ve ever had to troubleshoot an account lockout issue, you might have noticed that sometimes accounts appear to be locked on some domain controllers, but not on others. This can be very confusing since you
typically know that the account has been locked out, but when you inspect individual DCs, they don’t reflect that status. This inconsistency happens because of some minor differences in the behavior of the UI between Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.
Windows Server 2003
In Windows Server 2003 the "Account is locked out" checkbox can be cleared ONLY if the account is locked out on the domain controller you are connected to . This means that if an account has been locked out, but the local DC has not yet replicated that information, you CANNOT unlock the account on the local DC.
Windows 2003 account properties for an unlocked account. Note that the checkbox is grayed out.
Windows Server 2008 and Windows Server 2008 R2
In Windows Server 2008/2008 R2 the "Unlock account" checkbox will always be available (regardless of the status of the account). You can tell whether the local DC knows if the account is locked out by looking at the label on the checkbox as shown in the screenshots below:
Windows 2008 account properties showing the “Unlock Account” checkbox. Notice that the checkbox is available regardless of the status of the account on the local DC.
Windows 2008 (and higher) Account Properties dialog box showing locked account on this domain controller
If the label on the checkbox is just "Unlock account" then this means that the domain controller you are connected to recognizes the account as unlocked. This does NOT mean that the account is not locked on other DCs, just that the specific DC we're working with has not replicated a lockout status yet. However, unlike Windows Server 2003, if the local DC doesn’t realize that the account is locked, you DO have ability to unlock it from this interface by checking the checkbox and applying the change.
We changed the UI behavior in Windows Server 2008 to help administrators in large environments unlock accounts faster when required, instead of having to wait for replication to occur, then unlock the account, and then wait for replication to occur again.
Windows Server 2012
We can also unlock the accounts using the Active Directory Administrative Center (available in Windows Server 2008 R2 and later). In Windows Server 2012, this console is the preferred method of managing accounts in Active Directory. The screen shots are present below about how we can go about doing that.
You can see from the account screenshot that the account is locked which is denoted by the padlock symbol. To unlock the account you would have to click on the “Unlock account” tab and you would see a
change in the symbol as can be seen below.
You can also unlock the account using the PowerShell command shown in the screenshot below.
In this example, I have unlocked the user account named test by simply specifying the DN of the account to unlock . You can modify your powershell command to incorporate many more switches, the details of which are present in the
Hopefully this helps explain why the older operating systems behave slightly differently from the newer ones, and will help you the next time you have to deal with an account that is locked out in your environment!
If you’re looking for more information on Account Lockouts, check out the following links:
Shijo “UNLOCK IT” Joy