Locking Out Domain Accounts

    General discussion

  • Hey all,

    I have searched and cannot seem to find my exact issue.

    We have two different deployment environments; one for server and one for desktop.

    When the techs try to image up a server, they go through the same process as with desktops. They are prompted for their credentials and everything goes through fine. There is one issue, though: after the imaging is done, they go back to find out that their domain accounts were locked out. This ONLY happens when they do an MDT deployment.

    I researched this and found one article from Niehaus where he said there was an issue identified with BIOS time not being synched. Kerberos identifies this as a bad password etc... However, it has been confirmed that the time is synched properly.

    Are there any other ideas as to what may be causing this? The Desktop side is fine, no lockouts.

    Any help is greatly appreciated.


    "The test of success is not what you do when you are on top. Success is how high you bounce when you hit bottom."



    • Edited by ashtona74 Wednesday, March 14, 2012 6:50 PM
    Wednesday, March 14, 2012 6:48 PM

All replies

  • Couple of things:

    - What is the current account lockout policy?
    - By default every server gets installed in PST timezone; have you automated the timezone to your area? After install, is the time zone correct?
    - When you build the servers, are you promoting them to a DC?
    - When you are building servers, are the credentials used during post configuration and as a service account etc.?
    - Have you tried creating a fresh account with the required permissions and minimum group memberships as compared to the techs? Does this help?
    - Lastly, you can use the account lockout tools and look at the security event logs for events (529, 644, 675, 676, and 681), which can help you identify what resource was being accessed due to which there was an account lockout. Account Lockout Tools - http://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx

    I would start by creating a fresh account for testing.

    Regards, Vik Singh "If this thread answered your question, please click on "Mark as Answer"

    Thursday, March 15, 2012 8:30 AM
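
The event-log step in the reply above, sketched as an added example that is not part of the original thread: for each lockout event (644), count the failure events (529, 675, 676, 681) recorded for the same account per source host in the minutes before it. The flat CSV layout, host names and account names are constructed assumptions, not the native Security log format.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Legacy Security log event IDs named in the reply above.
FAILURE_IDS = {529, 675, 676, 681}   # failed logon / Kerberos / NTLM attempts
LOCKOUT_ID = 644                     # account locked out

# Constructed sample export: time, event id, account, source host.
# The column layout is an assumption for this example; the data is not real.
SAMPLE = """\
2012-03-14 17:58:02,529,tech1,WS-DESK01
2012-03-14 18:01:10,675,tech1,SRV-BUILD01
2012-03-14 18:01:11,675,tech1,SRV-BUILD01
2012-03-14 18:01:12,529,tech2,WS-DESK07
2012-03-14 18:01:13,675,tech1,SRV-BUILD01
2012-03-14 18:01:14,644,tech1,DC01
"""

def lockout_sources(export, window_minutes=30):
    """For each 644 lockout, count failure events per source host for the
    same account inside the preceding time window."""
    rows = [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), int(eid), acct.lower(), src)
            for t, eid, acct, src in csv.reader(io.StringIO(export))]
    rows.sort(key=lambda r: r[0])
    report = []
    for when, eid, acct, _ in rows:
        if eid != LOCKOUT_ID:
            continue
        start = when - timedelta(minutes=window_minutes)
        # Only failures for the locked-out account count; other accounts are noise.
        hits = Counter(src for t, e, a, src in rows
                       if e in FAILURE_IDS and a == acct and start <= t <= when)
        report.append((acct, when, hits.most_common()))
    return report

if __name__ == "__main__":
    for acct, when, hits in lockout_sources(SAMPLE):
        print(f"{acct} locked out at {when}:")
        for src, n in hits:
            print(f"  {n} failed attempt(s) from {src}")
```

The host with the most failures just before the lockout is the first place to look for cached or reused credentials.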