
Thread: Active Directory Woes

  1. #1

    Active Directory Woes

    Anyone here can help me out please

    I admin a network for a company and recently (today) a user called complaining that their account was locked out, easy enough right... I launched Active Directory (AD) Users and PCs and searched for the user only to find that the account wasn't locked out, so I told the user to try again, but same message and still nothing in AD, so I went ahead and reset the user's password only to get "password incorrect".

    So currently the user cannot log in to any computer on the domain, but any user can log in on the user's computer...

    I have tried,

    Flushing DNS, reset TCP/IP stack and winsock, forced group policy update, scanned the PC with the company's endpoint protection software (came up with nada), removed the user's profile from the problem PC and server (deleting the user's roaming folder and associated profile registry keys), removing and recreating AD Profile and last but not least leaving and rejoining domain...

    Nothing has worked for me

    I plan to comb through the event logs tomorrow, but if push comes to shove I plan on creating an alternate account, slightly changing the user name and migrating files, but I don't like to be beaten so I am asking if anyone with any experience with such issues can at least point me in the right direction.
    Email : malco1987@hotmail.com| LIME :342-9787 | DIGICEL : 406-4604

    One Stop Software Downloads
    www.filehippo.com

  2. #2

    I'm no expert on the matter.....However

    1. How many domain controllers do you have on the domain?
    2. Are they replicating correctly?

    From what you posted, the issue isn't with the PC, but the AD account itself (in my opinion).

    I had a hiccup once with a user's PC where the keyboard mapping was set to a different "region" than the "region" normally used when normally logged into Windows. This caused an issue where the password had a "$" (Shift+4) and the other region inserted the "£" instead. For testing, keep the password simple. The physical keyboard itself can't be the issue since you say the same is true for other PCs on the network.

    You didn't say if the account actually gets locked out again after multiple invalid password attempts (to confirm that the PC and domain controller are talking to each other in real-time).

  3. #3

    Possible causes:

    1. Replication issues: Is there any other AD within the site? It's possible their account might be locked on a particular AD but it hasn't replicated to all.
    2. The user is choosing to log in to the local machine instead of the domain; however, the group policy still applies.
    3. The user has a local login and a domain login using the same user name but different passwords.

    Have you tried using the domainname\username?

    Also, from the account properties in AD, still check the unlock checkbox and apply.

    You can also try disabling the account and re-enabling the account. I was told this works when you have a Server 2003 hiccup.
    Last edited by Dre'; Oct 27, 2016 at 04:46 AM.
    Currently: HP Touchsmart 14t
    SM-G935FD - S7 Edge dual sim: Android 7 Official
    The 3 C's in life: Choice, Chance, Change. You must make the Choice, to take the Chance, if you want anything in life to Change.

  4. #4

    Quote: Originally Posted by NOKIA 3650
    I'm no expert on the matter.....However

    1. How many domain controllers do you have on the domain?
    2. Are they replicating correctly?

    From what you posted, the issue isn't with the PC, but the AD account itself (in my opinion).

    I had a hiccup once with a user's PC where the keyboard mapping was set to a different "region" than the "region" normally used when normally logged into Windows. This caused an issue where the password had a "$" (Shift+4) and the other region inserted the "£" instead. For testing, keep the password simple. The physical keyboard itself can't be the issue since you say the same is true for other PCs on the network.

    You didn't say if the account actually gets locked out again after multiple invalid password attempts (to confirm that the PC and domain controller are talking to each other in real-time).

    Thanks for the reply. There are 2 domain controllers but AD is only running on the primary. It wasn't the keyboard though; I remember having a headache like that once with a physical English keyboard running the Spanish region layout lol

    Quote: Originally Posted by Dre'
    Possible causes:

    1. Replication issues: Is there any other AD within the site? It's possible their account might be locked on a particular AD but it hasn't replicated to all.
    2. The user is choosing to log in to the local machine instead of the domain; however, the group policy still applies.
    3. The user has a local login and a domain login using the same user name but different passwords.

    Have you tried using the domainname\username?

    Also, from the account properties in AD, still check the unlock checkbox and apply.

    You can also try disabling the account and re-enabling the account. I was told this works when you have a Server 2003 hiccup.

    Thanks for the reply
    1. There are 2 domain controllers but AD is only running on the primary
    2. The PC is running Win 7 so by default it assumes you are logging into the domain; to log in to a local account you have to use COMPUTERNAME\LOCALUSER
    3. The user only has an AD login; I don't allow my users to log in locally, they have to use their roaming profiles

    No, I didn't try domainname\username because of answer 2
    The unlock checkbox was grayed out so it wasn't getting any requests from the PC
    I never tried disabling the account but I did delete the AD account and recreate it; I think that would do basically the same thing


    SOLVED
    You're gonna laugh still, well at least I did... I was uninstalling a security software from the server and apparently there was a default selection to turn on Windows Firewall upon removal of the software and I didn't realise. How I figured it out was when I came in this morning and the DHCP scope on the backup domain was at 99% while the primary was at 2%; it was not issuing any IPs at all. That's when I assumed the worst, fired up Event Viewer and figured it out and shut that sucker off

    still can't believe it smh
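
The cause found in post #4 was Windows Firewall being switched on at the server, which a client-side check would have shown before any account or profile was rebuilt. The script below is an added example, not code from the thread: it tests from a domain-joined PC whether the domain controller's logon-related TCP ports answer. The DC name `dc01.example.local` and the helper `Test-TcpPort` are placeholders introduced for illustration.

```powershell
# Added example. Replace the placeholder with the name of your own domain controller.
$DomainController = 'dc01.example.local'   # hypothetical DC name

# TCP ports a client must reach on a DC to authenticate and apply policy
$Ports = @(
    @{ Port = 53;  Service = 'DNS' },
    @{ Port = 88;  Service = 'Kerberos' },
    @{ Port = 135; Service = 'RPC endpoint mapper' },
    @{ Port = 389; Service = 'LDAP' },
    @{ Port = 445; Service = 'SMB (SYSVOL/NETLOGON)' },
    @{ Port = 464; Service = 'Kerberos password change' }
)

function Test-TcpPort {
    # Returns $true if a TCP connection completes within the timeout.
    # A firewall that silently drops packets shows up as a timeout ($false).
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $Ports) {
    New-Object PSObject -Property @{
        Port      = $p.Port
        Service   = $p.Service
        Reachable = Test-TcpPort -ComputerName $DomainController -Port $p.Port
    }
}
$results | Sort-Object Port | Format-Table Port, Service, Reachable -AutoSize

# Any unreachable port points at the network path or the DC's firewall,
# not at the user account.
if ($results | Where-Object { -not $_.Reachable }) {
    Write-Warning "Ports blocked on $DomainController. On the DC, check: netsh advfirewall show allprofiles state"
}
```

It uses only .NET sockets, so it also runs on the PowerShell 2.0 that ships with Windows 7. DHCP uses UDP and is not covered by this TCP test.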

  5. #5

    Glad you got it sorted out. Was going to take a stab in the dark and wonder if the profile got corrupted. But - glad you got it up.
    Knowing the solution doesn't mean knowing the method. Yet answering correctly and regurgitation are considered "learning" and "knowledge".

  6. #6

    Thanks bro I appreciate it
