Lync client locks out AD-account

Often the Lync client locks out the AD-account.

Anyone who have experienced the same?

June 17th, 2011 7:31pm

If you supply the wrong credentials then you will lock out your AD account. You must be using an incorrect password.
Free Windows Admin Tool Kit Click here and download it now
June 17th, 2011 7:37pm


Can you please explain how the Lync client ended up locking out the AD account? In a normal situation, Lync 2010 automatically starts and logins after a user successfully signs in with his/her AD account to a domain-joined Windows machine. It is likely that the sign-in address in Lync has been changed where the "Save my password" was checked and does not match the newly changed password in AD.

Please share with us if this helps. Thanks!

 

June 18th, 2011 12:51pm

Hi, BanPhe,

Any update?

   In addition, please refer to this document Enable or Disable Users for Lync Server 2010. Hope useful.

Free Windows Admin Tool Kit Click here and download it now
June 21st, 2011 7:54am

I have had several people complain that Lync was locking their account.  They claimed this because Lync kept prompting them for credentials.  What they were actually seeing is that when their account would get locked out, Lync would prompt for correct credentials so it could connect to Exchange.  Since they were seeing Lync pop up, they assumed it was Lync that was locking the account, but it was not.

June 21st, 2011 5:27pm

I have had several people complain that Lync was locking their account.  They claimed this because Lync kept prompting them for credentials.  What they were actually seeing is that when their account would get locked out, Lync would prompt for correct credentials so it could connect to Exchange.  Since they were seeing Lync pop up, they assumed it was Lync that was locking the account, but it was not.

Free Windows Admin Tool Kit Click here and download it now
June 21st, 2011 5:27pm

In certain organizations, the Lync client would have saved credentials and the Lync client would request to have the password changed if the AD account requires a password change. I have certain administrative rights in the organization I work for so I log in with one account and use my exchange account to log into Lync 2010 client. Every 3 months my Lync has an error that that it cannot connect to exchange but yet it logs in and works properly. I have discovered to solve this issue, on Windows 7, I have to:

del C:\Users\%userprofile%\AppData\Roaming\Microsoft\Communicator\*.*

del C:\Users\%userprofile%\AppData\Local\Microsoft\Communicator\*.*

and delete the reg key: HKEY_CURRENT_USER\Software\Microsoft\Communicator

This would re-install Lync 2010 when executed and the problem would be sorted.

Perhaps this would solve the account lockout problem?

March 5th, 2012 2:53pm

In certain organizations, the Lync client would have saved credentials and the Lync client would request to have the password changed if the AD account requires a password change. I have certain administrative rights in the organization I work for so I log in with one account and use my exchange account to log into Lync 2010 client. Every 3 months my Lync has an error that that it cannot connect to exchange but yet it logs in and works properly. I have discovered to solve this issue, on Windows 7, I have to:

del C:\Users\%userprofile%\AppData\Roaming\Microsoft\Communicator\*.*

del C:\Users\%userprofile%\AppData\Local\Microsoft\Communicator\*.*

and delete the reg key: HKEY_CURRENT_USER\Software\Microsoft\Communicator

This would re-install Lync 2010 when executed and the problem would be sorted.

Perhaps this would solve the account lockout problem?

Free Windows Admin Tool Kit Click here and download it now
March 5th, 2012 2:53pm

Hello

Well this seems to be a common theme.  We to are having some of the same systoms.  We have Ex 2010 and Lync 2010.  We have people who get constantly locked out ramdonly out of nowhere.  Now I've never had this happened to me but my users are experiencing this problem.  We've called MS and they are saying that it's our Kemp load balancers but Kemp is saying that it is MS.  Now we have recently migrated from Exch 2007 to 2010 but who knows if that had caused this problem.   UGH!

April 26th, 2012 11:46pm

This is more pertinent than the item above that is CURRENTLY marked as the correct answer. I knew there had to be some other bit of remaining content from the uninstall that was causing one of my users to continually lock. That .dat file in the appdata folder was it! Thank you!

While I'm here though - seriously? One guy says "Lots of people say lots of things about Lync... and they're wrong." and the admins of this site are like "NAILED IT!". Give him a cookie, a juice box, and his complementary "Windows 8" propeller-cap... Weaksauce. Lync can (and was) most definitely the cause of our user's lockouts. I watched the account sit, without issue for HOURS and then - user opens Lync and bam!

For shame, Technet Admins... for shaaaaaame. 

Free Windows Admin Tool Kit Click here and download it now
June 26th, 2012 10:25pm

Ghentry's response is absolutely not the correct answer. Every single morning over the past few weeks, Lync has locked my account. And it is easy to maintain if Lync is culprit. Just sign off lync. Make sure you AD account is not locked. click the sign in button on lync's client. Notice that it pops up the login form. Check you AD account... It is locked. So Lync is "guilty as charged"! 

The reason is (as someone correctly mentioned above), you changed your password but you had the Lync's "Save my credentials" checkbox checked. So Lync is using your old password and hense it fails to authenticate against the AD count. However in defence of Lync, the locking is not due to a bug in Lync. This happens with any app that offers the "Save my Credentials", e.g. Outlook, scheduled tasks, etc. 

How to fix it:  1) ensure that your AD account is not locked. 2) click the Lync's "sign in" button. Warning: this my lock out your account. 3) Again ensure that your AD account is not locked. If it is unlock it. 3) fill out the login box,*UNCHECK* the "Save My Credentials" and click OK.

Hope this helps.

Regards

Nasser. 

October 15th, 2012 4:53pm

I think I may have found the cause, at least in our case:

Lockouts are indeed generated from PC itself, I checked that and it happened as soon as Lync was started.

However, it was not Lync that was to blame in our case, it is the finger print logon software that is the cause for the lockout events, as it probably is still using the old stored password.

The software needs to be matching the new password also, so please change that from within windows, in that fingerprint software istself also, after each windows password change.

After logging on to windows with user ID and password instead of her finger, Lync no longer locked her AD account.

Well, for what it's worth. Things are not always what they appear to be :-)

I'm sure this is not the solution to many of your cases, but I just wanted to indicate a probable cause and also that even though it appeared to be Lync that was causing it, in the end it wasn't.

Free Windows Admin Tool Kit Click here and download it now
October 18th, 2012 12:20pm

WinXP SP3 domain joined  /Lync Client 4.0.7577.0

few users had experience repeat account lockout after password was reset.. account stays unlocked if lync is not launched but when it auto starts on logon or user try to open it, you get prompt for credentials.. by that time account is locked out again

even if user types his new password and or reset his password again and "uncheck" do not save my password.. it does not work

things i tried with no luck

-delete personal cert from machine

-delete all files under local settings\appdata\microsoft\communicator

-set savepassword key to 0

 are there cached credentials stored somewhere else in registry? is there something to do with this specific lync client ver. perosnally i have not seen it on my machine and with my account.. i have most recent client update but general users are still running old ver. newer client will be deployed with win7

Thanks

  

June 6th, 2013 11:19pm

Hey HeadRush,

did you ever get this sorted out?

I'm seeing a similar issue, though it's only when we turn on the Exchange Sync in Lync 2010 (Options | Personal | Personal Information Manager) from a remote location.

E.g. we quite happily have it turned on for our internal, domain joined, desktops in the office. However there's few of us who work from home and have Outlook2010 and Lync2010 installed on our personal, non-domain joined, desktops/laptops.  It's on these machines that as soon as Exchange/Outlook sync is turned on, three bad password attempts are made and our accounts are instantly locked out.

I've run NetMon, but it's all over TLS so I can't see anything useful.

I'm going to give Jade's advice a go and see if that helps.

Late'ish
Craig

[Update]

Tried deleting the contents of those folders and the Reg key, but it failed straight away again.  I wonder if it's using my local (non-domain) credentials, instead of the ones I've typed into Lync/Outlook....

Free Windows Admin Tool Kit Click here and download it now
July 2nd, 2013 8:37pm

Hey HeadRush,

did you ever get this sorted out?

I'm seeing a similar issue, though it's only when we turn on the Exchange Sync in Lync 2010 (Options | Personal | Personal Information Manager) from a remote location.

E.g. we quite happily have it turned on for our internal, domain joined, desktops in the office. However there's few of us who work from home and have Outlook2010 and Lync2010 installed on our personal, non-domain joined, desktops/laptops.  It's on these machines that as soon as Exchange/Outlook sync is turned on, three bad password attempts are made and our accounts are instantly locked out.

I've run NetMon, but it's all over TLS so I can't see anything useful.

I'm going to give Jade's advice a go and see if that helps.

Late'ish
Craig

[Update]

Tried deleting the contents of those folders and the Reg key, but it failed straight away again.  I wonder if it's using my local (non-domain) credentials, instead of the ones I've typed into Lync/Outlook....

  • Edited by Craig Humphrey Wednesday, July 03, 2013 12:43 AM Jade's suggestion failed.
  • Proposed as answer by Lyncster Friday, October 11, 2013 6:35 PM
  • Unproposed as answer by Lyncster Friday, October 11, 2013 6:35 PM
July 3rd, 2013 3:35am

We have had the lockout issue as well.  The solution is as follows:

1) Disable PIM within Lync to ensure the user is able to work if the solution cannot be done on first touch.

2) Unlock the users AD account

3) Exit Lync

4) The Lync Administrator needs to remove the user certificate via the Lync Console.

5) Delete any cached credentials listed under "Generic Credentials" in the Credential Manager in the control panel.

6) Restart Lync (If prompted again for exchange credentials, have the user enter their current credentials for AD)

Lync 2013 September CU includes a proxy patch that seems to relate to this problem.  Not sure if Lync 2010 got the patch or not.

Free Windows Admin Tool Kit Click here and download it now
October 11th, 2013 9:41pm

Thanks Lyncster, I am going to give this a shot. When you say "Disable PIM within Lync" could you elaborate?
October 17th, 2013 4:31pm

Just want to share that unstalling Lync 32-bit version (and deleting all the "Communicator" Windows Registry entries) and then re-installing Lync 2010 64-bit version (on Windows 7) has resolved the recurring AD account lockout issue for me (after having tried other different options many times over months, which did not resolve the issue).


Free Windows Admin Tool Kit Click here and download it now
January 24th, 2014 4:21pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics