Active Directory, Chapter 5 Troubleshooting User Accounts

Troubleshooting—every administrator’s favorite activity

A) User- and group-related issues usually manifest as the user being unable to log on or access resources such as email, a file share, an application, or a printer. The most common problems are:

■ The user’s password has expired.

■ The user has forgotten the password and it needs resetting.

■ The user has locked the account, usually because they used the wrong password too many times.

■ The user isn’t a member of the correct group to access the resources.

B) A lot of the problems that the AD administrator needs to resolve are password-related issues.

C) Before investigating any problem, first check the following account-related items:

i) Check to see if the account is disabled.

ii) Check to see if the account has expired.

iii) Check to see if the account is locked out.

Note: Account status can be checked using GUI tools and a PowerShell script.

D) Password expiry

  1. AD passwords need to be changed every 42 days by default.
  2. Most organizations modify this value; the recommended setting is 30 days.
  3. You and your users will be prompted to change the password as the expiry date approaches.
  4. If the password has expired, the solution is to reset the password.

E) Password reset

  1. The other common reason for a password reset is that the user has been away from work and has forgotten their password.
  2. Resetting a password should be a user activity.
  3. There are a number of situations when an administrative reset of a password can cause problems; for instance, if you’re using Encrypted File System (EFS), a forced password change can lock users out of their own files.
  4. You can ask the users to change their password after they’ve entered the temporary one you gave them.

F) Unlocking a user account

  1. An account lockout occurs when a user enters the wrong password too many times in a short time period.
  2. The number of errors and the time period are defined in the default domain policy—common settings are three errors in 30 minutes, though many organizations use a shorter period.
  3. Once an account is locked, it’ll remain locked for a time period defined in the policy (often 30 minutes), or in the worst case until an administrator (you) unlocks it.

Please note: Once you reset a user's password to a temporary one, ask the user to change it immediately to a password of their own choice. (Recommended approach)
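
The account checks in section C, together with the password-expiry and lockout settings from sections D and F, can be gathered in one read-only PowerShell function. This is an added example, not part of the original chapter; it assumes the ActiveDirectory module is installed, and the function name `Get-AccountTriage` and the user `jsmith` are made up for illustration.

```powershell
# Added example: read-only triage of one account with the ActiveDirectory module (RSAT).
# Get-AccountTriage is a hypothetical name; 'jsmith' below is a constructed sample user.
Import-Module ActiveDirectory

function Get-AccountTriage {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties LockedOut, AccountExpirationDate,
        PasswordExpired, PasswordLastSet, MemberOf, 'msDS-UserPasswordExpiryTimeComputed'

    # Domain-wide policy: maximum password age and the lockout settings.
    # A fine-grained password policy, if one applies to the user, overrides these.
    $policy = Get-ADDefaultDomainPasswordPolicy
    $now    = Get-Date

    # The computed expiry is a FILETIME value. 0 (password must be changed at next
    # logon) and Int64.MaxValue (password never expires) are not real dates.
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $passwordExpires = $null
    if ($raw -and $raw -ne [Int64]::MaxValue) {
        $passwordExpires = [DateTime]::FromFileTime($raw)
    }

    # The three checks from section C, plus the expired-password case from section D.
    $findings = @()
    if (-not $user.Enabled) { $findings += 'Account is disabled' }
    if ($user.AccountExpirationDate -and $user.AccountExpirationDate -le $now) {
        $findings += 'Account has expired'
    }
    if ($user.LockedOut)       { $findings += 'Account is locked out' }
    if ($user.PasswordExpired) { $findings += 'Password has expired' }
    if (-not $findings) {
        $findings += 'Account status is clean; compare DirectGroups with the resource ACL'
    }

    [pscustomobject]@{
        SamAccountName   = $user.SamAccountName
        Findings         = $findings
        PasswordLastSet  = $user.PasswordLastSet
        PasswordExpires  = $passwordExpires
        MaxPasswordAge   = $policy.MaxPasswordAge
        LockoutThreshold = $policy.LockoutThreshold
        LockoutWindow    = $policy.LockoutObservationWindow
        LockoutDuration  = $policy.LockoutDuration
        DirectGroups     = $user.MemberOf   # direct memberships only, as distinguished names
    }
}

Get-AccountTriage -Identity 'jsmith' | Format-List
```

The function changes nothing in the directory, so it can be run before deciding whether a reset or an unlock is actually needed.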

User account locked out:-

Reset a User Password:-