One of the frequent issues I have been running into recently is user account lockouts in a Windows Active Directory (AD) environment. This happens when users disconnect their RDP sessions on servers and then ask the administrators to reset their AD password. The disconnected sessions still hold the old password, which conflicts with the new password in AD, and AD in turn locks the account.
I searched the net for a solution and there is no direct, simple one. The administrator needs to log off the user's sessions on every server where the account is logged in or left disconnected, then unlock the account. Alternatively, you can reset the password back to the previous password in AD.
The problem with this approach is that the administrator needs to know which servers the user is logged in to. I use a simple free tool called Netwrix Account Lockout Examiner. It displays locked-out user accounts in the summary tab, and administrators can "examine" a particular account to see on which servers it got locked out.
Download the tool from the Netwrix site (you may need to register), install it, and provide AD login credentials; that credential needs access to AD. It is better to create a non-expiring service account for this tool.
Screen 1 from Netwrix site:
Once installed, run the tool. It takes some time to open, then lists all locked accounts. The tool is dynamic: it automatically fetches "live" locked-out accounts into the summary screen.
Once you identify the user account you want to unlock, select it and click Examine. Don't click Unlock yet: it unlocks the account, but the account will be locked again shortly. We need to examine and log off the user's sessions from the servers where they are logged in first.
Once you click Examine, it takes some time and then lists the servers where that user has a session. You can see the server name where the user is logged in, as in screenshot 2 above.
Then log in to those servers and log off the user's sessions.
Once that is done, unlock the user account in AD or in this tool.
If the user account is locked on multiple servers, logging off the user through RDP on each one is tiresome. You can use the qwinsta and rwinsta commands to do the same. More details:
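The following PowerShell script is an added example, not code from the original post or from Netwrix. It automates the procedure above without the tool: it reads the "Caller Computer Name" from event 4740 on the PDC emulator to find the servers that locked the account, lists that user's sessions on each with qwinsta, logs them off with rwinsta, and only then unlocks the account. It assumes you run it as a domain admin from a machine with the RSAT ActiveDirectory module, that the PDC emulator still has the 4740 event in its Security log, and that the servers accept remote qwinsta/rwinsta queries; the script name Clear-StaleSessions.ps1 is hypothetical.

```powershell
# Added example (not from the original post or from Netwrix): find the servers
# that locked a user out, list that user's RDP sessions there with qwinsta,
# and log them off with rwinsta before unlocking the account.
# Assumptions: domain admin rights, RSAT ActiveDirectory module installed,
# event 4740 still present on the PDC emulator, servers reachable for
# qwinsta/rwinsta. The script name (Clear-StaleSessions.ps1) is hypothetical.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string[]] $Servers,     # optional explicit list; otherwise taken from event 4740
    [switch]   $LogOff       # report only unless -LogOff is given
)

Import-Module ActiveDirectory

# 1. Lockouts are always recorded on the PDC emulator, whichever DC saw the bad passwords.
$pdc = (Get-ADDomain).PDCEmulator

# 2. Event 4740 (account locked out) carries the machine that sent the bad
#    passwords in its second data field ("Caller Computer Name"); that is
#    normally the server holding the stale disconnected session.
if (-not $Servers) {
    $filter  = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) }
    $Servers = @(Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        ForEach-Object { $_.Properties[1].Value.TrimStart('\') } |
        Sort-Object -Unique)
    if (-not $Servers) { throw "No lockout event for $SamAccountName on $pdc in the last day" }
}

# 3. qwinsta prints one fixed-width line per session:
#    SESSIONNAME USERNAME ID STATE TYPE DEVICE. Disconnected sessions have an
#    empty SESSIONNAME, so locate the username token and read ID and STATE after it.
$results = foreach ($server in $Servers) {
    $lines = qwinsta /server:$server 2>$null
    if (-not $lines) { Write-Warning "Cannot query sessions on $server"; continue }
    foreach ($line in $lines) {
        $fields = @((-split $line) | Where-Object { $_ -ne '' })
        if ($fields.Count -lt 3) { continue }
        $lower = [string[]]($fields | ForEach-Object { $_.ToLower() })
        $i = [array]::IndexOf($lower, $SamAccountName.ToLower())
        if ($i -lt 0) { continue }
        $sessionId = $fields[$i + 1]
        $state     = $fields[$i + 2]
        if ($LogOff) { rwinsta $sessionId /server:$server }
        [pscustomobject]@{ Server = $server; SessionId = $sessionId; State = $state; LoggedOff = [bool]$LogOff }
    }
}
$results | Format-Table -AutoSize

# 4. Unlock only after the stale sessions are gone, otherwise the account relocks.
if ($LogOff -and $results) { Unlock-ADAccount -Identity $SamAccountName }
```

Run it first without the switch (`.\Clear-StaleSessions.ps1 -SamAccountName jdoe`) to see which servers and session IDs it found, then repeat with `-LogOff` to actually terminate the sessions and unlock the account. If the 4740 event has aged out of the log, pass the servers explicitly with `-Servers`.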
- One way to prevent this is to restart the Windows servers regularly. Restarting removes connected and disconnected user sessions, which in turn prevents account lockouts, so routine patching and restarting helps in an indirect way.
- You can also set up a GPO to enable a user session timeout.
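As an added example (not from the original post), the following PowerShell snippet audits which servers actually have a disconnected-session time limit applied. The Remote Desktop Services policy "Set time limit for disconnected sessions" is stored as the MaxDisconnectionTime value (milliseconds) under the Terminal Services policy key; a missing value or 0 means disconnected sessions are kept indefinitely. The server list is a constructed sample, and the snippet assumes WinRM is enabled on the servers.

```powershell
# Added example (not from the original post): report servers that have no
# disconnected-session time limit, i.e. where stale RDP sessions can linger
# and trigger lockouts after a password change.
# Assumptions: WinRM enabled on the servers; the server names are constructed.
$servers = @('APP01', 'APP02', 'DB01')   # constructed sample list

$report = @(Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    # GPO "Set time limit for disconnected sessions" writes this value in milliseconds.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $prop = Get-ItemProperty -Path $key -Name MaxDisconnectionTime -ErrorAction SilentlyContinue
    $ms   = if ($prop) { [int64]$prop.MaxDisconnectionTime } else { 0 }
    [pscustomobject]@{
        Server       = $env:COMPUTERNAME
        TimeoutHours = if ($ms -gt 0) { [math]::Round($ms / 3600000, 1) } else { $null }
        Compliant    = ($ms -gt 0)   # 0 or absent means "Never", sessions persist until reboot
    }
})

# Servers that did not answer are listed as non-compliant rather than silently skipped.
$answered = $report | ForEach-Object { $_.PSComputerName }
foreach ($s in $servers) {
    if ($answered -notcontains $s) {
        $report += [pscustomobject]@{ Server = $s; TimeoutHours = $null; Compliant = $false }
    }
}

$report | Sort-Object Compliant, Server | Format-Table Server, TimeoutHours, Compliant -AutoSize
```

Servers reported as non-compliant are the ones where the GPO has not landed (or where the policy is set to "Never"); fix the GPO scope or run gpupdate on them, then re-run the audit.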