Forum Discussion
Admin account Lockout
Hi All - I have been asked to implement password changes policy at a site we support. During this process I also set up account lockout policy after 5 invalid attempts. The option Allow Administrator Account lockout was enabled and now when trying to log in I have the message - The referenced account is currently locked out and may not be logged onto. We have only used the correct password to log on - but this still has happened and waiting 30mins does not sort this issue. Also, I have no other Administrator account for this Domain Server.
Does anyone have any suggestions on dealing with this?
The Policy has the following settings -
Account Lockout Duration 30mins
Account Lockout Threshold 5 Invalid logon attempts
Allow Administrator Lockout Enabled
Reset Account lockout Counter after 30mins
- kyazaferr (Iron Contributor)
1. Boot into Directory Services Restore Mode (DSRM):
- Restart the domain controller and boot into DSRM.
- During startup, press F8 to access advanced boot options, then select Directory Services Restore Mode.
- Log in using the DSRM password that was set when the domain was promoted.
2. Modify the Lockout Policy:
- After logging into DSRM:
- Open the Local Group Policy Editor by typing gpedit.msc.
- Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
- Disable the Allow Administrator Account Lockout setting or adjust the lockout duration and threshold to prevent further issues.
3. Reset the Locked Administrator Account:
- Use the Active Directory Users and Computers (ADUC) snap-in:
- Unlock the account manually:
- Open ADUC.
- Locate the administrator account.
- Right-click the account and select Properties.
- Uncheck Account is locked out under the Account tab.
- If ADUC is inaccessible, use Command Prompt:
net user administrator /active:yes
rem Reset the password if necessary.
net user administrator *
4. Restart Normally:
- Restart the domain controller in normal mode and log in with the administrator account.
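A scripted equivalent of the ADUC unlock steps above, with a check of the domain lockout settings and of the lockout events that show where failed attempts were reported from. This is an added example, not part of the original reply; it assumes the domain controller is booted normally with AD DS running, the ActiveDirectory PowerShell module is installed, and the session has rights to unlock accounts. The account name `Administrator` is an assumption and may differ on a given domain.

```powershell
# Added example (not from the thread). Assumes: normal boot, AD DS running,
# ActiveDirectory module available, session allowed to unlock accounts.
Import-Module ActiveDirectory

# 'Administrator' is an assumed account name; adjust to the domain's own.
$name = 'Administrator'

# 1. Show the domain-wide lockout settings currently in force.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Inspect the account's lockout state.
$acct = Get-ADUser -Identity $name -Properties LockedOut, BadLogonCount,
    LastBadPasswordAttempt, AccountLockoutTime
$acct | Select-Object SamAccountName, LockedOut, BadLogonCount,
    LastBadPasswordAttempt, AccountLockoutTime

# 3. Unlock only if it is actually locked (same effect as the ADUC checkbox).
if ($acct.LockedOut) {
    Unlock-ADAccount -Identity $acct
    Write-Output "Unlocked $($acct.SamAccountName)"
}

# 4. List recent lockout events (Security log, event ID 4740) for this account
#    to see which computer the failed attempts were reported from.
#    In a 4740 event, Properties[0] is the locked account name and
#    Properties[1] is the caller computer name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $name } |
    Select-Object TimeCreated,
        @{ Name = 'Account';        Expression = { $_.Properties[0].Value } },
        @{ Name = 'CallerComputer'; Expression = { $_.Properties[1].Value } }
```

A CallerComputer value that repeats across events points to the machine still submitting bad credentials, which matters when the lockout recurs even though interactive logons used the correct password.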
- stuartsmithz87 (Copper Contributor)
Policy cannot be changed as showing locked. Please see attached screenshot.
- stuartsmithz87 (Copper Contributor)
Thanks for the reply Kyazaferr. This looks correct to put the issue right, but the problem I am having now is getting into DSRM mode when I have no access to log in to the server and choose msconfig or restart with the Shift key etc. I have tried booting the VM using an .ISO image and choosing repair my server, which gets me into the recovery console, but then this does not show startup settings for me to choose and allow me to see safe mode etc. and to get into DSRM. Could you possibly suggest this to me also to allow access?
Thanks
Stuart
- kyazaferr (Iron Contributor)
- Select Command Prompt in the recovery options.
- Run the following command to enable DSRM mode on the next reboot:
bcdedit /set safeboot dsrepair
- Restart the server, and it should boot into DSRM.
- Once you've resolved the issue, revert the change using:
bcdedit /deletevalue safeboot
- stuartsmithz87 (Copper Contributor)
Hi Kyazaferr -
I got all the way through to DSRM - went to local group policy gpedit.msc and the options to allow administrator Account lockout are greyed out and cannot be changed. If I try to open ADUC it says I need to be logged in with a domain admin account.
Any ideas how to proceed? Is there anything in the registry I can do?