
For the past 3 weeks I have been experiencing a very odd and very annoying issue with my Active Directory credentials. (This is a corporate network, with 2x AD servers (Server 2012), 300 workstations, all on Win 7 Pro, no roaming profiles; my account is set up as Domain Admin.) I can therefore log in to any machine or server (usually!).

So the problem: every so often (no obvious delay; could be minutes, could be hours) my credentials are rejected for any of: Windows login, Outlook asks for Exchange credentials, and others. Basically, AD rejects my details.

On login (to ANY machine or server) sometimes I can get in fine, sometimes it will state that my account is LOCKED (not rejecting the password) - I can enter the CORRECT username and password a few times and then it will let me in. Even when I'm connected to a server via RDP, sometimes I will get a popup saying "Windows needs your credentials, log off and on again" (or words to that effect).

Even more fun? This doesn't just happen from my own workstation; it can happen when I'm building a laptop, server etc.

The weird thing is, this doesn't seem to be affecting anyone else on the network (600+ users).

Don't say "ask IT" - I AM IT!!!!

What the?!??!?!?!

Edited to add: This is not really a duplicate; I am NOT actually locked out, as eventually it will accept my credentials, without any changes in AD.

  • And yes... I've tried changing my password! – Digital Lightcraft Sep 03 '15 at 09:28
  • You probably have some saved credentials somewhere that have expired and are causing your account to get locked out sporadically. (Don't forget to check email clients on smart phones) – Brandon Xavier Sep 03 '15 at 10:08
  • It's a possibility, although that wouldn't explain why I can enter the details several times and eventually it will let me in. My account has never shown as locked in AD either. – Digital Lightcraft Sep 03 '15 at 10:17
  • Assuming you have multiple DCs, you could be getting locked out on one, and looking at your account to check for lock out on another before it has replicated (just a wild hunch). – Brandon Xavier Sep 03 '15 at 10:22
  • possible duplicate of [Finding why a user is locked out in Active Directory](http://serverfault.com/questions/65265/finding-why-a-user-is-locked-out-in-active-directory) – EliadTech Sep 03 '15 at 13:30
  • Not as such, I am not being locked out in AD... – Digital Lightcraft Sep 03 '15 at 13:36
  • Best practice for administrators is to **not** use a domain admin account for day to day work. Admins should have _two_ accounts: a regular user account for day to day work, and a domain admin account (one per admin for auditing) that is used only when needed. – Joel Coel Sep 03 '15 at 13:40
  • I do actually have a standard user account, yes; however, 99% of the time I'm DOING domain admin stuff, so it very rarely gets used... – Digital Lightcraft Sep 03 '15 at 13:41
  • I can't agree with Joel Coel any more strongly. This isn't an answer to your question but I felt a need to make a comment. If you're using your day to day user account to perform domain administration you are doing it wrong. It doesn't matter to me how much of your time is spent performing administration, you should be using a separate named account for that. The account that you log onto your workstation with should be a standard user account. My suggestion would be to create this separation of accounts and then see if the lockouts continue to occur, with either account. – joeqwerty Sep 03 '15 at 14:21
  • Check my answer over [here](http://serverfault.com/a/580114/174813) and see if it helps. – Katherine Villyard Sep 12 '15 at 00:59
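
One way to test the two hypotheses raised in the comments (a stale saved credential somewhere, and a lockout visible on one DC but not the other), as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, read access to the Security log on the PDC emulator, and that user account management auditing is enabled so event 4740 is recorded; the function names and the `jdoe` account are placeholders.

```powershell
# Added example, not from the thread. Function names and 'jdoe' are hypothetical.
Import-Module ActiveDirectory

function Get-LockoutStateByDC {
    param([Parameter(Mandatory)][string]$Identity)
    # Bad-password count and last bad attempt are NOT replicated between DCs,
    # so each DC must be asked directly instead of trusting a single console view.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
            -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt, AccountLockoutTime
        [pscustomobject]@{
            DC                 = $dc.HostName
            LockedOut          = $u.LockedOut
            BadLogonCount      = $u.BadLogonCount
            LastBadAttempt     = $u.LastBadPasswordAttempt
            AccountLockoutTime = $u.AccountLockoutTime
        }
    }
}

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$Days = 7
    )
    # Lockouts are forwarded to the PDC emulator, so its Security log is the
    # one place where every 4740 (account locked out) event should appear.
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $Identity } |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                User           = $_.Properties[0].Value   # TargetUserName
                CallerComputer = $_.Properties[1].Value   # machine that sent the bad password
            }
        }
}

$account = 'jdoe'   # placeholder sAMAccountName
Get-LockoutStateByDC -Identity $account | Format-Table -AutoSize
Get-LockoutSource -Identity $account | Sort-Object Time | Format-Table -AutoSize
```

A DC that reports a non-zero `BadLogonCount` while the other reports zero matches the replication hunch, and a `CallerComputer` that keeps recurring is where to look for the saved credential.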

0 Answers