Remote Desktop locks user account on Password Change

Question

We maintain a Terminal Server on our network for our remote office and occasional third party vendors to connect in to. Our windows network active directory has the standard windows password requirements (i.e. 3 out of the 4 character types, expires every 3 months, can't reuse password, etc.)

What I am noticing is that when someone logs into the remote server and is prompted to change their password, it does change the password but then it immediately locks their account. I then need to pop into the AD and unlock them before they can use it again, which is problematic for both offices.

Is there a setting that is causing this? Something I can disable. I do not want to turn off the password rules, or set up all these users with passwords that never expire if I can help it.

TIA

Answer 1

I wish I can comment, but since I can't I'll have to put this as an answer.

I'll take a look at the LockOutStatus (http://www.microsoft.com/en-ca/download/details.aspx?id=15201) and see which DC that user is locked out on. It could be that the user resets their password on one DC then they are authenticated against another. Depending on how long your DC replicates with each other, that user might be authenticating against a DC that have not gotten the new password.

I would check the status on the replication by doing :

repadmin /replsummary 

on a DC.

Perhaps increasing the frequency of the replication between DC to more frequent (http://technet.microsoft.com/en-us/library/cc730954.aspx) or AD sites and service is not configured properly with the subnet and sites (http://technet.microsoft.com/en-us/library/cc754697.aspx).