Knowledge Base

Support Policies

Help Desk Cannot Lock User - Active Directory Data Store

SecureAuth IdP Versions Affected: All

Issue: Help Desk / Account Management page (ManageAccounts.aspx) does not lock/unlock a user account when using an Active Directory data store.

Cause: The most common causes to this issue reside Active Directory side, in the SecureAuth service account missing needed user access permissions and/or a non-configured Account Lockout Policy.

Resolution: If the help desk account management page returns an error message such as "Cannot lock" or "Invalid Access" when trying to lock a user account, the issue may lie in the service account's permissions. See our SecureAuth IdP Service Account Setup and Configuration Guide for information on how these permissions can be set.


If the issue persist, the Account Lockout Policy under the domain's group policy may need to be defined.
1) Open the Group Policy Management console in Active Directory, locate your domain Policy in the left-hand drop-down menu, right click the policy and select Edit.


2) From the Group Policy Management Editor go to:
Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy

3) Right click Account lockout duration and select Properties.


4) Check the Define this policy setting check box, adjust the "Account is locked for" interval to the desired time, and click Ok.



Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.