Active Directory Account Lockout

Some of my users are having issues with their Active Directory accounts becoming randomly locked out. The user has not input their password incorrectly and other applications have not requested a password. It is happening on both 10.3.9 and 10.4.8 computers.

This issue is documented over at AFP548 also and no solutions have been posted.

Unbinding then binding the computer to AD also has no effect.

What appears to be happening is the AD plug-in, for whatever reason, is attempting to log in a user who is already logged in, but the plug-in is not sending a password. After a few failed attempts by the plug-in, the account is locked.

G5, Mac OS X (10.4.8)

Posted on Dec 19, 2006 10:53 AM

3 replies

Jan 11, 2007 4:23 PM in response to Shan Younker

Hi Shawn,

I'm seeing this too.

A couple of my users are getting locked out after one attempt even though the policy is set to 6 bad attempts. Or sometimes Entourage will show "not connected" even after successfully connecting a half hour before.

Deleting the Directory Services folder worked temporarily but eventually the user gets locked again.
I've spoken to some Entourage engineers at Macworld who said to try unbinding and applying the latest update 11.3.3, but no luck there as I was able to force an account lock after one bad attempt. They also mentioned they have not seen stuff like this since the 11.2xx update or before, if I recall what they said.
On the flip side, on a PC, I can try several login attempts with bad passwords and no lockout occurs. So the question is, where is the problem originating from? Entourage or the OS X AD plugin? Or both?

Like you, I see some postings about it, but no concrete answers. Are people seeing it and just dealing with it by unlocking a user's AD account? That's a pain in the rear for some people who get locked out every day or a couple of times a day.

MacBook Pro Mac OS X (10.4.8)

Jan 16, 2007 8:37 AM in response to tjbud

I've tried a solution that seems to be working. Originally when I bound our Macs to AD I was binding using the user's AD ID for the Computer ID. I read that this can cause issues with the AD plugin. Our IT dept uses a 6-digit ID for each user, XYZ001, XYZ002, etc. It turns out the Computer ID you bind with is somewhat arbitrary. AD will create a new container if the ID does not exist. I've begun prefacing each ID with 'MAC_', i.e. MAC_XYZ001, MAC_XYZ002, etc. This has significantly reduced the number of lockouts. I still have one machine that is having some lockouts, but the others have stopped entirely. I'm not aware of any implications on the AD side that using a different ID might cause.

Jan 16, 2007 10:09 AM in response to Shan Younker

Shan,

I think I read that somewhere else too. I was binding with userID_serial number. Now I'm just binding with the serial number. Also, I'm having the user log into the machine with the domain name in there, i.e. Acme.com\jwong instead of just jwong. Our security team looked at the AD logs and saw that the user was getting locked out of our domain and not via the Exchange servers, so he thought we could try this and see what happens.
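The two replies above converge on the same workaround: bind each Mac with a Computer ID that cannot be confused with a user's AD ID (a "MAC_" prefix, or the machine serial number). The script below is an added example, not code from any poster or from Apple, that derives such a Computer ID in a repeatable way and prints the bind command for it. The prefix, the sample serials, the domain ad.example.com and the OU path are constructed placeholders; the dsconfigad flags shown are those the 10.4/10.5 command accepted as far as I recall and should be checked against the local man page before use.

```shell
#!/bin/sh
# Added example: derive an AD Computer ID for dsconfigad that is distinct
# from any user's AD ID, following the "MAC_" prefix / serial-number
# approach described in the thread. Names and values are placeholders.

# make_computer_id PREFIX SERIAL
# Builds PREFIX + cleaned SERIAL. The serial is upper-cased and stripped
# of anything that is not A-Z, 0-9 or '-' (constructed cleaning rule),
# and the result is cut to 15 characters, the NetBIOS computer-name limit.
make_computer_id() {
    prefix="$1"
    serial="$2"
    clean=$(printf '%s' "$serial" | tr -cd 'A-Za-z0-9-' | tr 'a-z' 'A-Z')
    printf '%s' "${prefix}${clean}" | cut -c1-15
}

# get_serial
# Reads the hardware serial number on Mac OS X; when system_profiler is not
# available (for example when run on another OS) it returns a labelled placeholder.
get_serial() {
    if command -v system_profiler >/dev/null 2>&1; then
        system_profiler SPHardwareDataType 2>/dev/null \
            | awk -F': ' '/Serial Number/ {print $2; exit}'
    else
        printf 'SERIAL-PLACEHOLDER'
    fi
}

# bind_command SERIAL
# Prints (does not run) the dsconfigad invocation that would bind this Mac
# under the derived Computer ID. Replace the domain, OU and admin account
# with real values; the command prompts for the admin password when -p is
# omitted (assumption about dsconfigad behaviour).
bind_command() {
    computer_id=$(make_computer_id "MAC_" "$1")
    printf 'dsconfigad -a %s -domain ad.example.com -ou "CN=Computers,DC=ad,DC=example,DC=com" -u ad-join-admin\n' \
        "$computer_id"
}

# Stand-alone usage: show the Computer ID and bind command for this machine.
if [ "${1:-}" = "--show" ]; then
    serial=$(get_serial)
    echo "Computer ID: $(make_computer_id "MAC_" "$serial")"
    bind_command "$serial"
fi
```

Run it with `sh bind-id.sh --show` to see the name that would be used before binding; the important property for this thread is that the Computer ID never equals a user's AD ID, so an authentication attempt made under the computer's identity cannot be charged against a user's lockout counter.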
