General discussion


Account Has been Disabled

By sevenelevenph ·
here is our scenario:
On Windows XP professional only. . .member of domain (Win2k Advance Server).

There are so many instances that we could not logon to our computer becuase the account has been disabled message appear. Windows 2000 are not affected.

Resolution: login to local account and re-add the computer to the domain.

do we need to upgrade to Windows Advance Server 2003???

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by Joseph Moore In reply to Account Has been Disabled

>do we need to upgrade to Windows Advance Server 2003

Nope. It would be nice, but you don't NEED to.

You need to figure out what is running on the XP boxes that is locking out the user accounts. I've dealt with this myself, so I have some suggestions on where to look.

1) Check out the Scheduled Tasks on the XP boxes. Jobs in Scheduled Tasks all now can run under any account, including a user account (used to be in the NT times with the AT command, all jobs ran as SYSTEM). If you set up a Scheduled Task to run under your user account, you have to type in the password for the user account. THEN later on, if the password for that user account is changed on your domain controllers, the saved password for the Task is NOT changed. Scheduled Tasks keep the password as typed in; those passwords do not change when a password is changed on a DC. Therefore, when the Task tries to run, it starts up and tries to run as the user account with the wrong password. This will fail authentication, since the password is different. When the Tasks fails a few times (depending on what your Account Lockout is set for), then the user account is locked out.

Collapse -

by Joseph Moore In reply to

2) Same thing for Services. You can configure a Service to run under a user account, and the password for the user account is typed in at this time. The same problem happens here. The password for the user account is changed on the Domain Controller, but the Service does not change the saved password it has. Then when the Service tries to start up (like when the XP machine is turned on in the morning), the Service starts up, tries to authenticate the password for the user account, and this authentication fails. This counts as a bad login attempt for the user account. If you have a few Services all set up to run under the same user account and ALL of these Services have the old password, then they will all fail; then when the user tries to log in, they get the Account Locked Out message and can't log in.

Collapse -

by Joseph Moore In reply to

So, check out the XP boxes, in Services and in Scheduled Tasks. See if the user account is anywhere listed in running them. Change the account to something else (like LOCALSYSTEM for the Services, or the local Administrator account for the Tasks), and see if that stops the user lockout.

hope this helps

Collapse -

by adasys In reply to Account Has been Disabled

I had this experience before but both in Win2K environment. I have search to MS kbase(i forgot the link already) and they advice to upgrade the server and client to at least sp3. I did work. Maybe your problem is related.

Collapse -

by sevenelevenph In reply to Account Has been Disabled

Our DC controllers are running under SP4 already and all patches were updated from the internet.

One more thing, I've seized all the master role from a defective server using the NTDSUTILS command, im trying to remove the defective DC controller which previously holds all the operations master role, the message is "DSA object cannot be deleted". I want to delete the server but it wont allow me. THe DOmain Naming Master also cannto be contacted. Oh boy, this is what we called "DISASTER"

Related Discussions

Related Forums