Tony,
Account lockouts are most commonly caused by two things:
1. Users mistyping their passwords multiple times until the bad password count threshold is reached.
2. Users being logged on to more than one computer at the same time and then changing their password on one of the two computers. The other computer continues to use the old credentials of the user until the account gets locked out. Most of the time, the user does not realize that they are logged onto more than one computer.
To combat reason #1, we suggest that you set your account lockout policy to at least 10. If you require complex passwords in your domain, the odds of someone hacking a user's password in ten tries are astronomical. You have much better odds of winning the lottery. See if setting your account lockout threshold to 10 cuts down on some of the calls.
To combat reason #2, please install SP4 onto your domain controllers. SP4 has some updates to how bad password counts are incremented. In essence, it only increments bad passwords once if the same bad password is passed multiple times. So if your lockout threshold is set to ten, in order for that user to get locked out, they would have to type ten different incorrect passwords. If they type the same incorrect password 100 times, it would only be counted against them once. This should resolve the problem with users being logged onto more than one computer after changing their password.
I hope this helps.
Ray Lava
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights
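An added example (not part of the reply above, and not Microsoft's code): a small Python model of the two counting behaviours the reply describes, run over a constructed logon stream for reason #2, where a second computer keeps retrying the old password. The class, function and sample passwords are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Toy model of a bad-password counter (not a real domain controller)."""
    password: str
    threshold: int
    dedupe_repeats: bool          # True = count a repeated bad password once
    bad_count: int = 0
    seen_bad: set = field(default_factory=set)   # model only, never store these
    locked: bool = False

    def attempt(self, supplied: str) -> bool:
        if self.locked:
            return False
        if supplied == self.password:
            # A successful logon resets the counter.
            self.bad_count = 0
            self.seen_bad.clear()
            return True
        if self.dedupe_repeats and supplied in self.seen_bad:
            return False          # same wrong password again: not counted
        self.seen_bad.add(supplied)
        self.bad_count += 1
        if self.bad_count >= self.threshold:
            self.locked = True
        return False

def first_lockout(attempts, threshold, dedupe_repeats, password="Autumn2003!"):
    """Return the 1-based attempt number that locks the account, or None."""
    acct = Account(password, threshold, dedupe_repeats)
    for n, supplied in enumerate(attempts, start=1):
        acct.attempt(supplied)
        if acct.locked:
            return n
    return None

# Constructed stream: the user changed the password to "Autumn2003!" on one PC.
# A second PC retries the old "Spring2003!" while the user mistypes once and
# then logs on correctly.
STREAM = ["Spring2003!"] * 4 + ["Autumn2003", "Autumn2003!"] + ["Spring2003!"] * 30

if __name__ == "__main__":
    for threshold, dedupe in [(5, False), (10, False), (10, True)]:
        print(threshold, dedupe, first_lockout(STREAM, threshold, dedupe))
```

With per-attempt counting, raising the threshold from 5 to 10 only delays the lockout caused by the stale session; counting a repeated bad password once removes it, while ten different wrong guesses still lock the account.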
We just implemented an Account lockout policy. It is set for 5 tries. Ever since then we have had a number of users call every day to have their account unlocked. I know that we have some problem users. But it's hard to believe that all of these are legitimate. Some of them have called several times. Has anyone run into a problem like this?