Q. Why doesn't the read-only domain controller (RODC) GUI show that it locked a user's account after the user entered an incorrect password too many times?

A. By design, RODCs lock user-account access after a designated number of failed password-entry attempts to prevent accounts from being hacked when RODCs lose read-write-DC connectivity. Typically, read-write DCs update multiple attributes with the lockout status. However, RODCs only update the user account's lockoutTime attribute, which reflects the time the account was locked out. The lockoutTime attribute is stored in NT System Time format, which you can convert to normal time with the w32tm /ntte <value> command.

The RODC checks the lockoutTime attribute when a logon attempt is started. If the current time minus the lockoutTime value is less than the lockout-duration configured in the security policy, the RODC won't let the user log in.

The GUI tools look at the UserAccountControl attribute—not the lockoutTime attribute—to determine if an account is locked, which is why the GUI tools fail to show the user-account's locked status.

To unlock an account, you need to re-establish read-write DC connectivity. The read-write DC will replicate a 0 lockoutTime value back to the RODC and unlock the account.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.