Last year, I migrated some Windows Server 2022 servers to 2025 and made the switch from ESXi to Hyper-V. To clarify the steps for the domain controller migration: I set up the new DC in Hyper-V, linked it as an additional domain controller, transferred the FSMO roles, removed the old DC, and then powered it down. It's a routine I've completed numerous times without issue. However, we have one Remote Desktop Server (RDS) that prompts for a relogin but only affects Domain Admins. This doesn't impact our work significantly, but the problem keeps resurfacing despite following the prompts. We've noted that there's a possibility this prompt shows up when logging into workstations, but it's not common for us to do so as Domain Admins, so I haven't witnessed it firsthand. I've looked into checking Kerberos tickets, which appear fine, but I'm open to exploring other solutions. Any advice would be appreciated!
4 Answers
It's a bit concerning that you're using Domain Admin accounts for tasks unrelated to administration. Those accounts should be reserved for just that type of work. Ideally, you should create separate accounts for system management. It's safer and reduces the chances of lockout issues like this one.
I found some useful troubleshooting steps for lockouts: first, check the Security logs for Event ID 4740 to identify which computer is triggering lockouts. Consider clearing cached credentials with 'cmdkey' commands and removing any mapped drives that could be using outdated passwords. Also, ensure replication is on point with 'repadmin /replsummary' to avoid synchronization issues. If the problem persists, check GPO settings related to re-authentication, which might be forcing these prompts.
Check if your Domain Admins are part of the Protected Users group. Members of that group have a max Kerberos ticket lifetime of 4 hours. After that, the system will prompt you to unlock your account to refresh the ticket. This could explain why you're seeing this prompt.
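An added example, not part of any answer on this page: a PowerShell check that combines the Protected Users suggestion with the Event ID 4740 suggestion from the earlier answer. It assumes the RSAT ActiveDirectory module is installed and that you can read the Security log on the PDC emulator, and the 7-day window is an arbitrary choice.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and rights to read
# the Security log on the PDC emulator. The 7-day window is an assumption.
Import-Module ActiveDirectory

# 1. Which Domain Admins are also members of Protected Users?
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName)
$admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' })

$admins | ForEach-Object {
    [pscustomobject]@{
        Account          = $_.SamAccountName
        InProtectedUsers = $protected -contains $_.SamAccountName
    }
} | Format-Table -AutoSize

# 2. Lockout events (4740) for those accounts. Lockouts are also recorded
#    on the PDC emulator, so query it rather than every DC.
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddDays(-7)
$names = @($admins | Select-Object -ExpandProperty SamAccountName)

Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    $data = @{}
    # Read the named EventData fields instead of relying on positions.
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time           = $evt.TimeCreated
        Account        = $data['TargetUserName']
        # In 4740 the caller computer name is stored in TargetDomainName.
        CallerComputer = $data['TargetDomainName']
    }
} | Where-Object { $names -contains $_.Account } | Format-Table -AutoSize
```

If the first table shows the affected admins in Protected Users and the second returns no lockouts, run `klist` in the affected RDS session and compare the TGT's end time with when the prompt appears.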
Starting with the Event Viewer is a good move. Look at the System logs for the RDSH and the DC. Pay particular attention to the Directory Service log on the DC, as this might reveal some helpful clues.
