Well, this is another problem that looks simple to fix with the options Active Directory gives you. Let's set the scene: you have updated your password in line with your company policy, and since then you keep getting locked out, and you wonder why.
Lockout 101: Event ID 4740
The first port of call should be Security Event ID 4740 on the Domain Controller holding the "PDC Emulator" FSMO role, as that DC records every lockout in the domain, so it is the right place to start. Filtered for that event ID, the log looks like this:
Query the RDP session on the server
This tells you that in this instance the user lockout.user has been locked out from the server "PRESKYRDPSESSION", and the cause is that the user has not logged off their session there. That sounds simple, but let's look further. Here is an active session, listed with the query command:
query session /server:beardc1

 SESSIONNAME       USERNAME                 ID  STATE   TYPE    DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp#54        admlcrouc2                6  Active
 rdp-tcp                                 65536  Listen
Disconnecting, not logging off?
You can clearly see my session above (rdp-tcp#54, session ID 6), and it is "Active", which means I am using it. However, when I have finished with my session, if I end it like this:
I then get this dialogue. If you do not get it, you have ticked "Don't display this message again", and that is where your fault lies: closing the window this way puts your session into a disconnected state. It did warn you.
If I run the same command again, you will notice the status is now "Disc" for "Disconnected". This is not a good state to leave your account in, as it is still logged into the server, only disconnected.
 SESSIONNAME       USERNAME                 ID  STATE   TYPE    DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp#54        admlcrouc2                6  Disc
 rdp-tcp                                 65536  Listen
reset session /server:beardc1 6
Logoff the server correctly
Then, after you have logged off as you should have done to start with, running the command again gives this; notice your session is no longer there:
 SESSIONNAME       USERNAME                 ID  STATE   TYPE    DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp                                 65536  Listen
Right, that covers only one server. What about all the others? That is also simple to fix: in Active Directory Users and Computers (AD DS), open the user in question and select the Sessions tab, as below:
This shows the default RDP session timeout and reconnection settings. Notice that "End a disconnected session", "Active limit" and "Idle session limit" are all set to Never, and the default action when a limit is reached is "Disconnect from session". For this particular example, that is all wrong, as you can see.
This is why the session remains disconnected and the account locks out when the user changes their password, so let's update these to the new values below:
With this change, a session that has been disconnected for 30 minutes will end rather than stay disconnected. It only applies to new RDP sessions, not to existing disconnected ones, but it will stop a recurrence in the future.
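The same Sessions tab values can be set from PowerShell, which is useful when more than one account needs the change. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module, write access to the user object, and uses the post's "lockout.user" as a placeholder account. The property names are the IADsTsUserEx ones that back the Sessions tab (values are minutes, 0 meaning Never; BrokenConnectionAction 0 is "Disconnect from session", 1 is "End session").

```powershell
# Added example (not from the original post): set the AD user's Sessions tab
# values through ADSI so a disconnected RDP session ends after 30 minutes.
# Assumes the ActiveDirectory module and write access to the user object.
# 'lockout.user' is a placeholder account name.

Import-Module ActiveDirectory

$dn   = (Get-ADUser -Identity 'lockout.user').DistinguishedName
$user = [ADSI]"LDAP://$dn"

# Show the current values. 0 = "Never"; BrokenConnectionAction 0 = "Disconnect from session".
'MaxDisconnectionTime', 'MaxConnectionTime', 'MaxIdleTime', 'BrokenConnectionAction' | ForEach-Object {
    '{0,-24} {1}' -f $_, $user.psbase.InvokeGet($_)
}

# New values: end a disconnected session after 30 minutes, and end the session
# (1) rather than leave it disconnected (0) when a limit is reached.
$user.psbase.InvokeSet('MaxDisconnectionTime', 30)
$user.psbase.InvokeSet('BrokenConnectionAction', 1)
$user.SetInfo()

# Read the values back to confirm the write took.
'MaxDisconnectionTime', 'BrokenConnectionAction' | ForEach-Object {
    '{0,-24} {1}' -f $_, $user.psbase.InvokeGet($_)
}
```

One caveat to keep in mind: Remote Desktop Session Host settings applied by Group Policy ("Set time limit for disconnected sessions" and its siblings) take precedence over these per-user values, so if a server has a policy configured, the policy is what actually governs the session.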
Caveat: this advice only works for new sessions
If you are already being locked out, you will need to trace all the lockouts via Event ID 4740 to make sure you have properly logged off every server you have used where your account has been left disconnected.
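The whole trace, from the 4740 events on the PDC emulator through to the disconnected sessions on the servers those events name, can be scripted. The script below is an added example and not code from the original post; it assumes the ActiveDirectory module, rights to read the PDC emulator's Security log, and admin rights on the reported servers. It parses the same `query session` output the post shows, reports every session belonging to the account, and only logs off the disconnected ones when run with `-LogOff`. The account name is a placeholder taken from the post.

```powershell
# Added example (not from the original post): trace 4740 lockouts on the PDC
# emulator, then find and log off the user's disconnected RDP sessions on the
# servers those events name. Assumes the ActiveDirectory module, rights to read
# the PDC emulator's Security log, and admin rights on the reported servers.
# 'lockout.user' is a placeholder account name.

param(
    [string]$User = 'lockout.user',   # account that keeps locking out
    [switch]$LogOff                   # without -LogOff the script only reports
)

Import-Module ActiveDirectory

# 1. Lockouts are only guaranteed to be logged on the PDC emulator, so ask AD which DC that is.
$pdc = (Get-ADDomain).PDCEmulator

# 2. Pull the last day's 4740 events for this account. In 4740 the "TargetDomainName"
#    field carries the Caller Computer Name, i.e. the machine holding the stale session.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$callers = foreach ($e in $events) {
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $target = ($data | Where-Object Name -eq 'TargetUserName').'#text'
    $caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
    if ($target -eq $User -and $caller) { $caller.TrimStart('\') }
}
$callers = @($callers | Sort-Object -Unique)
Write-Host "Lockouts for $User recorded on $pdc came from: $($callers -join ', ')"

# 3. On each reported server, parse 'query session' (the command the post uses).
#    Matching on "<user> <id> <state>" skips the username-less rows such as
#    'services 0 Disc', and the user check skips other people's sessions.
$pattern = '(?<user>\S+)\s+(?<id>\d+)\s+(?<state>Active|Disc)\b'
foreach ($server in $callers) {
    $rows = & query.exe session /server:$server 2>$null
    foreach ($row in $rows) {
        if ($row -match $pattern -and $Matches.user -eq $User) {
            $id = $Matches.id; $state = $Matches.state
            Write-Host "${server}: session $id for $User is $state"
            if ($state -eq 'Disc' -and $LogOff) {
                # 'logoff' ends the session cleanly; 'reset session' (as in the post)
                # is the forceful equivalent.
                & logoff.exe $id /server:$server
                Write-Host "${server}: logged off disconnected session $id"
            }
        }
    }
}
```

Run it once without `-LogOff` to see which servers still hold sessions for the account and in what state, then again with `-LogOff` once you are happy with the list. Active sessions are reported but never touched, since those are the ones someone is actually using.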