16.5. Troubleshooting Account Lockout Problems


A user is having account lockout problems and you need to determine where it is getting locked from and how he or she is getting locked out.


Using a graphical user interface

LockoutStatus is a new tool available for Windows 2000 or Windows Server 2003 that can help identify which domain controllers are locking out users. It works by querying the lockout status of a user against all domain controllers in the user's domain.

To determine the lockout status of a user, open LockoutStatus and select File Select Target from the menu. Enter the target user name and the domain of the user. Click OK. At this point, each domain controller in the domain will be queried and the results will be displayed.


The Lockoutstatus.exe tool is just one of many that are available in the new "Account Lockout and Management" tool set provided by Microsoft. These new lockout tools are intended to help administrators with account lockout problems that are very difficult to troubleshoot given the tools available under Windows 2000. Along with the tool mentioned in the Solution, here are a few others that are included in the set:


A script that uses this DLL is included that can enable logging of application authentication, which can point out if an application is using bad credentials that cause account lockouts.


Displays services and shares that are using a particular account name. It can also print all the ...

Get Windows Server Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.