Unlocking an AD user on a notebook disconnected from AD

0

My colleagues and I are facing a concrete problem with a user on a business trip. I will try to describe it as generically as possible to comply with Super User's policies. Unfortunately I couldn't find my scenario documented in any form after googling for an hour in both English and German.

Scenario is as follows:

  • A user (person) is on a business trip (outside of the company) and locked his AD user account on his notebook by entering wrong credentials three times in a row. The user only uses the AD account on his notebook. He doesn't have another local account.
  • The user (person) knows the correct, current password, which was set from said notebook when he was on site. The password can successfully be used for other services.
  • Our AD controllers are available locally via LAN only.
  • The user (person) has no VPN means to connect "home" into the office.
  • The user now cannot log into his notebook at all.

Technical information:

  • AD is Win 2008 R2 based
  • Notebook is Win7 Enterprise
  • User profiles are stored locally, yet they are still AD profiles, not local users.

The possible solutions we thought about all lead to road blocks of some sort:

  • Giving out the local admin password: would allow him to access the PC but not his account with mail etc.; he also wouldn't be able to unlock his profile via the admin logon, since AD accounts aren't manageable via lusrmgr.msc.
  • Setting up a VPN for him is not possible, because this requires a physical token he doesn't have.
  • We could give out the admin password and instruct him to set up a remote solution like TeamViewer, but what would we do on the machine?

For the future we will change our password policies (which are decades old) to a more up-to-date best-practice approach (raising the wrong-input threshold to 50 minutes, etc.) to avoid situations like this, but the above scenario is still real and I would like to solve it somehow.

Thank you for your input in advance, really appreciated.

modmatt

Posted 2016-04-27T08:00:23.987

Reputation: 23

If his notebook is not connected, he can't log in with the last working password? If his user is also a local user, he can log in as admin and unlock his local user account. – edumgui – 2016-04-27T08:41:56.837

Thanks for your comment. Correct, the user mistyped his password three times. He cannot log on with the password he completely remembers and successfully uses for other services. Unfortunately he doesn't have an additional local user account on his device. I updated my question to incorporate your feedback. – modmatt – 2016-04-27T09:28:23.477

I'm sorry, but there is something I cannot understand... How could he lock out the account if there was no connection to your AD? – edumgui – 2016-04-27T09:49:08.777

What @Santeador said just now is what I'm thinking. I have never tried to reset a password with the net user method through an admin cmd; would it be possible since he is not connected to the AD anyway? I may set up a VM when I get home and play with this. – NetworkKingPin – 2016-04-27T09:50:59.667

The exact message from Windows to the user is "the account is locked out"? – edumgui – 2016-04-27T09:57:43.493

Good input from everyone involved! Thanks so far. I tried to replicate the scenario myself. I unplugged my own notebook from all network connections and tried to get my account locked by entering wrong passwords several times. Besides an increased delay between entering the password and the response from the OS, nothing happened in terms of locking out etc. So I now suppose that the user somehow got his account locked the minute before he left the office. The exact wording of the error message is not 100% clear, as the user is traveling in China and can only communicate via text message. – modmatt – 2016-04-27T11:56:19.793

It doesn't matter. Windows stores the last password for non-local users, just to allow them to keep logging in if they have no access to AD. Nowadays W10 does the same with Microsoft accounts: if you change the Microsoft account password on another device/(web) service and the computer has no Internet access to validate, you have to log in with the last password. That's why I think there is a PEBKAC problem... – edumgui – 2016-04-27T12:48:06.163

Maybe the user plugged in an RJ45 cable or set up Wi-Fi and now Windows is saying this: "There are currently no logon servers available to service the logon request". So the user can try to unplug the RJ45 cable and disable Wi-Fi before trying to log in. – edumgui – 2016-04-27T12:52:49.373

The message on the screen was verified in a call to be the exact same message you get, when the account is properly locked. We haven't found any solution to grant the user access to his original profile and then resorted to the way Kareem suggested below. Thanks to anyone involved in this question! – modmatt – 2016-04-28T06:19:02.727

Answers

0

In my company we faced the same scenario, and what we did is that our system team unlocked the account from AD: https://blogs.technet.microsoft.com/askds/2013/10/01/locked-or-not-demystifying-the-ui-behavior-for-account-lockouts/

and the user logged in using the local admin account and accessed OWA for the emails.

Kareem Adel

Posted 2016-04-27T08:00:23.987

Reputation: 32

Thank you for your response. This is what we resorted to as well. The user accesses the notebook via local admin now and can access the data on the hard drive. One thing I like about your answer is the link provided. Although I know how to unlock users and how to read the UI, I never came across the Active Directory Management Center. Just tried it and I love it. Thanks! – modmatt – 2016-04-28T06:14:59.203
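The two halves of this thread, the AD-side unlock that the answer describes and the cached-domain-logon behaviour that edumgui's comments rely on, can both be checked from PowerShell. The following is an added example written for this page, not code from the question, the answer or the linked blog post. It assumes the RSAT ActiveDirectory module is installed on the admin workstation and that the traveller's sAMAccountName is `jdoe`; both are assumptions. The first part runs on the domain side, the second on the notebook from the local admin logon.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) is available and that the affected account is 'jdoe'.
Import-Module ActiveDirectory

$user = 'jdoe'   # assumption: the traveller's sAMAccountName

# Lockout state is authoritative on the PDC emulator: bad-password attempts
# are forwarded there, so query it directly rather than a possibly stale DC.
$pdc = (Get-ADDomain).PDCEmulator

# 1. Is the account actually locked, since when, and how many bad attempts
#    were recorded? lockoutTime/badPasswordTime are FILETIME values.
Get-ADUser -Identity $user -Server $pdc `
    -Properties LockedOut, lockoutTime, badPwdCount, badPasswordTime, LastLogonDate |
    Select-Object SamAccountName, LockedOut, badPwdCount, LastLogonDate,
        @{ n = 'LockoutTime';     e = { if ($_.lockoutTime)     { [DateTime]::FromFileTime($_.lockoutTime) } } },
        @{ n = 'BadPasswordTime'; e = { if ($_.badPasswordTime) { [DateTime]::FromFileTime($_.badPasswordTime) } } }

# 2. The policy that produced the lockout (threshold is a count of attempts,
#    duration and observation window are time spans).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 3. Optionally list every account currently locked, then unlock this one
#    on the PDC emulator and confirm the flag has cleared.
Search-ADAccount -LockedOut -Server $pdc | Select-Object SamAccountName
Unlock-ADAccount -Identity $user -Server $pdc
(Get-ADUser -Identity $user -Server $pdc -Properties LockedOut).LockedOut   # expected: False

# --- On the notebook, run from the local admin logon while it is offline ---
# Windows only lets a domain user log on without a reachable DC if cached
# logons are enabled; 0 disables them, the default is 10. Disabling Wi-Fi
# and unplugging the cable avoids the "no logon servers available" path
# edumgui describes, so the cached credentials are used instead.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name CachedLogonsCount
```

Unlocking in AD only takes effect on the notebook once it can reach a domain controller again (on site or over a VPN), which is why the thread ended with the local admin logon plus OWA as the interim workaround; the registry check on the notebook tells you whether a cached logon would even be possible once the lock is gone.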