
Account is locked out, but it's not...


Qman61832

IS-IT--Management
Jan 23, 2003
Here is a fun one that has been driving me to extremes today:
We have a Windows 2000 Server that has user shares located on it. Last week I mapped everyone's H drive to the new server, and life was good.
Today (Monday, of course...) I have one user (UserA) who cannot access her H drive on the new server, and is getting an error that says "The referenced account is currently locked out and may not be logged on to."
If I log in as a domain admin on her workstation, I can access her folder just fine. If I log UserA in at other workstations, it still fails. I know it has something to do with her user account, but I have reset her password and had her shut down and re-login, and nothing works.
I have also double and triple checked the permissions on her folder, even going so far as to allow Everyone full access, but it is still not working.
There is one more twist to this problem - in the finance department (where she works) they frequently share their passwords for some stupid reason (I have warned against this since day one...). This morning one of the other girls (UserB) logged in with UserA's password to print some reports. As it so happens, UserB saw the "Your password will expire in X days, do you want to change it?" prompt. UserB said no, finished the login and ran her reports while logged in as UserA. UserB then stayed logged in as UserA for about two hours. Unfortunately, when the REAL UserA got here and logged in, she also got the "Change password?" prompt and DID change her password. From what I can tell, I had UserA logged on at two workstations, with two different passwords, and now nothing I do seems to fix the "Account locked out" issue. Am I just stuck with giving her a brand new login or is there some hope for me?

Thanks!
 
Sorry, I forgot to mention that her workstation is a Windows NT 4.0 SP6 workstation. I have tried her account on multiple NT machines as well as a Win2K machine...
 
Go to your Active Directory Users and Computers and find User A's account. Go to the Account tab and you'll see a check box saying "Account is locked out". Uncheck that box, then have User A log off from any workstation she's logged in from, then log back on.

Here's another tip as well. Anytime your users change their password, have them immediately log off and log back on with the new password. I've had a lot of problems where the users will change their password when prompted, but will have their accounts eventually locked out during the day. It's not supposed to do that, but what can I say...it's Microsoft.
 
When I go to UserA's account in AD the box for "Account is locked out" is not checked - that's what is driving me crazy today.
UserA can log on, check email, access shares on another server, etc. but we are unable to map a drive to the share on the new server.
 
Is the target computer a member server or a DC? It sounds like there's a secondary account somewhere that is causing the confusion.
 
It is supposed to be a DC - or at least a Windows 2000 version of a BDC. I am in the process of replacing our original server which has been around since the dawn of time and want to make sure that the new machine is stable enough to handle everything before I run the dcpromo.
When I look in AD Users and Computers under "Domain Controllers" I see the new server's name listed in there. I assume from this that it is a DC.
Also, I have about 5 other people that are accessing shares and print services on this new server without any problems. I'm pretty sure this is related to the multiple logon with different passwords issue this morning, but I can't seem to find a way to fix it.
 
I think I have figured it out, and it's clearer now as to why she cannot access it. It would appear that there is a larger issue going on here that I was not aware of.
Here's what I did:
Used a password recovery utility on both servers to see what the server thought her password was...guess what? The old server has her new password, but the new one has her old password. Apparently (after digging further into the Event Viewer) AD replication is not working properly, even though it did previously - thus the new server with her shares is unable to authenticate her. I am getting a whole slew of Event ID 1265 in there...
I will post in here any results I find that may resolve this issue - I'm pretty sure my DNS is working properly, but that's where I'm going to look first.
 
I have changed my DNS settings on the new server, so hopefully that will update everything as time goes on. Does anyone know if there is a way to manually update Active Directory? I remember seeing a screen during the initial setup that showed the new server updating its copy of Active Directory but now I can't find a way to make sure that the replication is taking place.
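
Added example, not part of the original thread: the password divergence the poster found between the two servers can be confirmed without a password recovery utility by reading the account's `pwdLastSet` and lockout attributes from each domain controller's own replica. It assumes the ActiveDirectory PowerShell module (which postdates the Windows 2000 servers in the thread); the function names are hypothetical and `UserA` is the thread's placeholder.

```powershell
# Added example: compare one user's password and lockout state on every DC.
# Assumes the RSAT ActiveDirectory module and DCs that expose AD Web Services.
# 'UserA' is the thread's placeholder name, not a real account.
Import-Module ActiveDirectory

function Get-PerDcAccountState {
    param([Parameter(Mandatory)] [string] $Identity)
    $props = 'pwdLastSet', 'lockoutTime', 'badPwdCount', 'LockedOut'
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # -Server pins the query to this DC, so we read its local replica.
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                            -Properties $props -ErrorAction Stop
            [pscustomobject]@{
                DC          = $dc.HostName
                PwdLastSet  = [DateTime]::FromFileTimeUtc([long]$u.pwdLastSet)
                LockedOut   = $u.LockedOut
                LockoutTime = if ($u.lockoutTime) {
                                  [DateTime]::FromFileTimeUtc([long]$u.lockoutTime)
                              } else { $null }
                BadPwdCount = $u.badPwdCount   # not replicated: each DC keeps its own count
                Error       = $null
            }
        }
        catch {
            # An unreachable DC is itself a finding when replication is suspect.
            [pscustomobject]@{
                DC = $dc.HostName; PwdLastSet = $null; LockedOut = $null
                LockoutTime = $null; BadPwdCount = $null; Error = $_.Exception.Message
            }
        }
    }
}

function Test-PasswordReplicated {
    param([Parameter(Mandatory)] [object[]] $State)
    # Converged only if every reachable DC reports the same pwdLastSet.
    $stamps = $State | Where-Object { -not $_.Error } |
              Select-Object -ExpandProperty PwdLastSet -Unique
    return (@($stamps).Count -le 1)
}

$state = Get-PerDcAccountState -Identity 'UserA'
$state | Sort-Object PwdLastSet | Format-Table -AutoSize
if (-not (Test-PasswordReplicated -State $state)) {
    Write-Warning 'pwdLastSet differs between DCs: the password change has not replicated everywhere.'
}
```

A DC that still shows the older `PwdLastSet` is the one that will reject the new password, and a `LockedOut` value that differs between rows shows which replica the management console was reading.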
 