If you are running NT4 domains, make sure all your DC's have not run into max registry size limits. NT4 has a neat feature in that when the max registry size is reached the BDC will load an older version of the SAM that won't exceed the max registry size. The older version of the SAM may have the older password in it.
Also, when you say you relogged on, do you leave your workstations locked with this account, or do you log off them? Do you have any network drives mapped when you do logon with this account? Lastly, make sure all your BDC's are synchronizing correctly. Use the dommon utility, which I think is from the RK to check, or use the CLI netdom query to check the BDC's status. Then force a sync on the domain, wait for a minute or so, change the password on the account and force another synch. Passwords should synch immediatly, but if the account is logged on a machine and is using network shares, it can cause an immediate lockout. Also, you should restrict who uses the admin account. There should be a very select group of people who have access to the account. Any admin functions you need to do on any server, should be done through your personal Domain Admin account. This will increase your ability to audit who is doing what on the servers. If 20 people have the admin account credentials, then you don;t know who is using it for what. If you need accounts to run services, create new accounts, and give those accounts only the permissions they need to do their job. If a server needs to remained logged on because an application cannot run as a service, create a local account on that machine to run the application under, if the account doesn't need network access, and limit who knows that account. Best of luck, sounds like you have some work ahead of you. Paul -----Original Message----- From: Alex Tarata [mailto:[EMAIL PROTECTED]] Sent: Saturday, January 11, 2003 10:42 PM To: [EMAIL PROTECTED] Subject: Account lockout Hi all, Im not sure if this is the right place to post this but anyway here it goes: recently at our organization we have changed an admin password on the domain controllers and we had to reboot all the servers involved and relog them with the new password. All went good apart from some small things we have managed to solve. The problem occured when some guy changed the password on the DCs again thinking the password was wrong. When he found out that the password was indeed right he changed it back to what it was initially. Now we are experiencing problems with account lockouts very often. What I am thinking is that the servers might need to be rebooted and relogged with the password AGAIN. Is this true or should I look for another cause of the lockout ? Just to make more clear what we did when we changed the pass is: we changed the pass on all the scripts using that account, checked all the services using that account, checked all the web, SQL services that could be using that account and also the scheduled tasks. But obviosly there is something wrong as the account is still being locked out. If you have any ideas please mail me as this is very important and I am running out of ideeas. Regards, Alex