"Account is Locked Out" Grayed Out in AD Account Properties

    Question

  • Hi,

    We're having an unusual problem.  This is a win2003 server based domain.

    "Account is Locked Out" is grayed out in AD Account Properties, even under our "uber" network manager's login.  What could be the cause of this?  Can anyone explain to me how to remedy this issue?

    netmgr account is a member of the following:

    Account Operators
    Administrators
    DHCP Administrators
    Domain Admins
    Domain Users
    Enterprise Admins
    Exchange Organization Administrators
    Schema Admins
    WSS_ADMIN_WPG
    Thursday, May 14, 2009 6:32 PM

Answers

  • Ainsof,
    The suggestion from Meinolf has its merits; however, note that if you intend to eliminate the impact of the AdminSDHolder behavior, you would need to explicitly enable inheritance for the OU level permissions or explicitly reset permissions on the object. DACLs are not reverted automatically when an account is removed from privileged groups...

    hth
    Marcin
    Thursday, May 21, 2009 10:42 PM

All replies

  • This is normal behavior - the checkmark appearing in the box (that you could uncheck, providing that you have appropriate privileges) would indicate that the account has been locked out. As long as this is not the case, the checkbox will be grayed out...

    hth
    Marcin
    Thursday, May 14, 2009 6:37 PM
  • Just to clarify - since I might have misread your question - is the account you are referring to actually locked out?

    hth
    Marcin
    Thursday, May 14, 2009 6:38 PM
  • Hello,

    Log in with an Enterprise admin account and unlock the account.
    Isaac Oben MCITP:EA, MCSE
    Thursday, May 14, 2009 6:57 PM
  • For more info on the subject, refer to a recent thread on this forum (http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/81d84286-ed81-4608-8f38-122e73a57644) that has been addressed by Tony Murray...

    hth
    Marcin
    Thursday, May 14, 2009 7:11 PM
  • Hello Just Another Newbie,

    so the field is checked and greyed out? Is that correct?
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to the Forum
    Thursday, May 14, 2009 8:36 PM
  • The account is actually locked out, but the option allowing one to uncheck it is grayed out. 

    The netmgr account is an Enterprise Admin account.  Bloody strange, eh?
    Thursday, May 14, 2009 8:44 PM
  • Hello Just Another Newbie,

    what groups is the account member of, that you are using when trying to unlock?
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to the Forum
    Thursday, May 14, 2009 9:00 PM
    Your ability to manipulate an AD object is based on the object's permissions.  Your admin account may be a "domain admin" or an "enterprise admin", but if it doesn't have permissions to the AD object, you will not be able to unlock it.  Domain/enterprise admins should have inherited permissions to all objects in the AD.  If this object is missing those permissions, someone/something removed them.

    Within Active Directory Users and Computers (ADUC) click VIEW, then ADVANCED FEATURES.  Find the user object in question.  Right click and choose properties. Go to the SECURITY tab.  Click ADVANCED.  Verify the "domain administrators" and "enterprise administrators" have access to this object.

    If you DO have rights to the object, and you still aren't able to modify the "lockout" attribute, be afraid....

    Brian
    Friday, May 15, 2009 6:07 AM
  • Hi Brian,

    Thanks, that makes a lot more sense.  I'll check the item's perms this a.m.
    Friday, May 15, 2009 1:15 PM
  • Any update on those permissions? Just curious if that was the issue or if you found something else.
    ~~ Brian Hofmeister ~~
    MCP - Windows Server 2003, Network Infrastructure, Windows XP
    My Blog: Windows Server 2008 - Core Concepts: Getting Friendly with the command line!
    http://brianhofmeister.blogspot.com
    Thursday, May 21, 2009 2:28 AM
  • Hi Brian,

    Bad news: Domain and Enterprise Admins both have "Full Control" perms on the account object and its parent container.

    Haven't had time to dig into this any deeper. 

    (HR around here seems to think *nix Sys Admin is synonymous with "windows end-user tech support / technical janitor".)

    Yes, *nix admin.  The last windows server specialist we had quit, and they're too cheap to hire someone more suited to handle the windows side of things.  Unfortunately, the one windows tech guy they have here knows less about AD than I do, and we're outnumbered 186 to 2.

    Thanks for your help with this.
    Thursday, May 21, 2009 5:17 PM
  • Hello ainsof,

    remove the account from the "Account operators" group, wait for replication of the change, log off, log on and try again.
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to the Forum
    Thursday, May 21, 2009 10:35 PM
  • Ainsof,
    The suggestion from Meinolf has its merits; however, note that if you intend to eliminate the impact of the AdminSDHolder behavior, you would need to explicitly enable inheritance for the OU level permissions or explicitly reset permissions on the object. DACLs are not reverted automatically when an account is removed from privileged groups...

    hth
    Marcin
    Thursday, May 21, 2009 10:42 PM
  • Thank you, I'll give this a shot.
    Friday, May 22, 2009 2:01 PM
  • Hi Marcin,

    I'm afraid I don't understand what you mean by, "eliminate the impact of the AdminSDHolder behavior."  I'm not a windows server specialist.  Also, what is a DACL? 

    Thanks
    Friday, May 22, 2009 2:03 PM
  • As I mentioned earlier, you might want to refer to (http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/81d84286-ed81-4608-8f38-122e73a57644) - in particular, the response from Tony Murray. Let us know if you have any questions once you've reviewed it...

    hth

    Marcin

    Friday, May 22, 2009 2:09 PM
  • I know this is an old thread, but it was at the top of Google list and someone may benefit from my solution.

    A new user of ours ended up getting locked out due to our SharePoint server geeking out and not accepting logins properly.  Just like the original poster, when trying to log in via Windows, it did say the account was locked out, yet in ADU&C, the lockout field was greyed out.  I have full privilege over AD and had confirmed this through Effective Permissions in the Security tab.  User was not an admin in any way, so security inheritance was checked.

    Went into ADSIEdit and found that the lockout was one huge number.  I set this to 0 in ADSIEdit and the account was then unlocked.  I suspect the number in this attribute was so huge that ADU&C didn't know what to make of it and defaulted to not locked (greyed out).

    ADSIEdit is to Active Directory as Regedit is to registry.

    I hope this helps someone else in these unusual circumstances.

    • Proposed as answer by DanMan32 Tuesday, March 08, 2011 2:22 PM
    Tuesday, March 08, 2011 2:21 PM
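    The checks Brian and Marcin describe (object DACL, AdminSDHolder/inheritance) and the attribute Dan cleared in ADSIEdit, as an added PowerShell example that is not from any post in this thread. It assumes the ActiveDirectory RSAT module is installed and uses a placeholder account name, jdoe.

    ```powershell
    # Added example (not from the thread): inspect the attributes behind the greyed-out
    # "Account is locked out" checkbox, check the AdminSDHolder/inheritance state,
    # and clear lockoutTime the way Dan did in ADSIEdit.
    # Assumptions: ActiveDirectory module (RSAT) present; 'jdoe' is a placeholder
    # sAMAccountName; run as an account with rights on the user object.
    Import-Module ActiveDirectory

    $sam = 'jdoe'   # placeholder account name

    $u = Get-ADUser -Identity $sam -Properties lockoutTime, adminCount, badPwdCount, LockedOut

    # lockoutTime is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC), which is
    # why it shows as a "huge number" in ADSIEdit; 0 or absent means not locked.
    if ($u.lockoutTime -and $u.lockoutTime -ne 0) {
        $since = [DateTime]::FromFileTimeUtc($u.lockoutTime)
        "lockoutTime = $($u.lockoutTime) (locked since $since UTC)"
    } else {
        "lockoutTime = $($u.lockoutTime) (not locked)"
    }
    "LockedOut flag = $($u.LockedOut); badPwdCount = $($u.badPwdCount)"

    # adminCount = 1 marks an object that SDProp has stamped with the AdminSDHolder
    # ACL and inheritance blocked (Marcin's point: this is not undone automatically
    # when the account leaves the privileged group).
    $dn  = $u.DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    "adminCount = $($u.adminCount); inheritance blocked = $($acl.AreAccessRulesProtected)"

    # Brian's check: who holds full control / write rights on this object, and
    # whether those entries are inherited from the container or set explicitly.
    $acl.Access |
        Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|WriteProperty' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize

    # Unlock with the supported cmdlet first; if lockoutTime is still non-zero,
    # write the raw attribute to 0, which is what Dan did in ADSIEdit.
    Unlock-ADAccount -Identity $sam
    if ((Get-ADUser -Identity $sam -Properties lockoutTime).lockoutTime -ne 0) {
        Set-ADUser -Identity $sam -Replace @{ lockoutTime = 0 }
    }

    # Marcin's "explicit reset": once the account is confirmed out of all protected
    # groups, clear adminCount and re-enable inheritance. Left commented out here.
    # Set-ADUser -Identity $sam -Clear adminCount
    # $acl.SetAccessRuleProtection($false, $true)
    # Set-Acl -Path "AD:\$dn" -AclObject $acl
    ```

    Re-run the first Get-ADUser call after the reset to confirm lockoutTime reads 0 before treating the checkbox state in ADUC as meaningful.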
  • Dan is the Man on this: ADSI edit confirmed a huge number in the lockout attribute - set to zero and it worked for me.

    JM

    Friday, August 17, 2012 2:08 PM
  • Hi Dan and Jose

    Some of our IT staff experience a similar problem.  However, my account does not.   Would you send me the steps or a screenshot of how to reset the lockout attribute in ADSI?  I can't find it.  I am using Windows Server 2008.  You are talking about the attribute number being huge, such as ???? number.  Thanks.

    Monday, October 01, 2012 4:44 PM