I'm facing a strange problem - domain user accounts are not being unlocked.
These are the Account Lockout Policy settings: Lockout duration: 30 minutes; Account lockout threshold: 10 invalid logon attempts; Reset lockout account lockout counter after: 29 minutes (it was 30 minutes before and it had the same problem).
What is happening is that even after the lockout duration has expired (it's been 45 minutes since the lockout time), the account still shows as locked.
Can any of you guys help me?
[Edit]
I'm already using the "Lockout Account Tool" and the tool doesn't show any other Bad Password attempt.
Thanks!
The attribute msDS-User-Account-Control-Computed is the best indication for user lockout.
As you wrote, though the Lockout Tool showed that the user was locked out, the attribute msDS-User-Account-Control-Computed showed otherwise, and the user was actually not locked out.
Seems like the Lockout tool returned a wrong value.
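As an added example (not part of the answer above), the following PowerShell reads msDS-User-Account-Control-Computed on every domain controller and compares its lockout bit (0x10) with the raw lockoutTime value, which stays non-zero after the lockout duration expires until the user next logs on successfully. It assumes the ActiveDirectory RSAT module; `Get-LockoutState` and the account name `jdoe` are placeholders introduced here.

```powershell
# Added example: requires the ActiveDirectory module (RSAT).
# Get-LockoutState and 'jdoe' are hypothetical names used for illustration.
Import-Module ActiveDirectory

$UF_LOCKOUT = 0x10   # lockout bit in msDS-User-Account-Control-Computed

function Get-LockoutState {
    param([Parameter(Mandatory)][string]$Identity)

    # Effective policy: a fine-grained password policy if one applies, else the domain default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
    $duration = $policy.LockoutDuration   # zero means "until an administrator unlocks"

    # The computed attribute is constructed, so it must be requested explicitly.
    $attrs = 'msDS-User-Account-Control-Computed', 'lockoutTime', 'badPwdCount', 'badPasswordTime'

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName -Properties $attrs -ErrorAction Stop
        } catch {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            continue
        }

        $locked   = ([int]$u.'msDS-User-Account-Control-Computed' -band $UF_LOCKOUT) -ne 0
        $lockedAt = if ($u.lockoutTime -gt 0) { [DateTime]::FromFileTimeUtc($u.lockoutTime) }
        $lastBad  = if ($u.badPasswordTime -gt 0) { [DateTime]::FromFileTimeUtc($u.badPasswordTime) }
        $expires  = if ($lockedAt -and $duration -gt [TimeSpan]::Zero) { $lockedAt + $duration }

        [pscustomobject]@{
            DC               = $dc.HostName
            LockedNow        = $locked              # authoritative: computed by the DC at query time
            LockoutTimeUtc   = $lockedAt            # raw timestamp; may linger after expiry
            ExpiresUtc       = $expires
            BadPwdCount      = $u.badPwdCount       # not replicated; differs per DC
            LastBadPwdUtc    = $lastBad
            StaleLockoutTime = [bool]($lockedAt -and -not $locked)
        }
    }
}

Get-LockoutState -Identity 'jdoe' | Format-Table -AutoSize
```

A row with `StaleLockoutTime` set to True and `LockedNow` set to False matches the situation described above: the timestamp is still present, but the domain controller no longer treats the account as locked.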
Microsoft has a Lockout tool with which you can view Last Bad Pwd and Bad Pwd Count on all your Domain Controllers. This should give you better insight into what is going on. Perhaps the user is still trying to log in to the system with the wrong password during the "lock out" period, resetting the timer.
Run RSOP.msc and make sure that the proper group policy policies are being applied. Drill down to the lockout settings and make sure they are what you expect them to be.