Resolution
Directory and Resource Administrator 6.x
fact
Directory and Resource Administrator 7.x
symptom
The 'Account Lockout' status is not reflected correctly in the Directory and Resource Administrator client interface.
symptom
Directory and Resource Administrator client interface does not show a user account as being unlocked even though the account is not locked out.
cause
Directory and Resource Administrator (DRA) connects to one domain controller to read and write changes to the Active Directory or SAM. The 'Account Lockout' flag is not a cached property. DRA queries the domain controller in order to determine the status of this user account property. The information displayed in the DRA client interface is the current status as reflected by the domain controller.
fix
The 'Account Lockout' property should be replicated to all domain controllers in a site by the Urgent Replication Triggers feature in Active Directory. Microsoft has acknowledged a problem where, in certain cases, the 'Account Lockout' flag is not replicated by the Urgent Replication Trigger. As a result, a domain controller may not accurately reflect the current status of the user account.
In order to resolve this issue, Microsoft recommends that all domain controllers run Service Pack 3 for Windows 2000.
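To confirm that domain controllers disagree about an account's lockout state, the same user can be read from each domain controller and the results compared. The following is an added example, not part of the original article or of DRA; it assumes the ActiveDirectory PowerShell module is installed and that the domain controllers can be queried through it, and the account name jdoe is a placeholder.

```powershell
# Added example: read one user's lockout state from every domain controller.
# Assumes the ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

function Get-LockoutStateByDC {
    param(
        [Parameter(Mandatory)] [string] $Identity   # sAMAccountName or DN
    )
    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = [ordered]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            LockedOut        = $null
            LockoutTimeUtc   = $null
            Error            = $null
        }
        try {
            # -Server pins the query to this DC instead of any DC in the domain.
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                     -Properties LockedOut, lockoutTime -ErrorAction Stop
            $row.LockedOut = $u.LockedOut
            # lockoutTime is a FILETIME; 0 or empty means no lockout is recorded.
            if ($u.lockoutTime -gt 0) {
                $row.LockoutTimeUtc = [datetime]::FromFileTimeUtc($u.lockoutTime)
            }
        } catch {
            # An unreachable DC is reported, not silently skipped.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# 'jdoe' is a placeholder account name.
$results = @(Get-LockoutStateByDC -Identity 'jdoe')
$results | Sort-Object Site, DomainController | Format-Table -AutoSize

# More than one distinct LockedOut value means the DCs are out of sync.
$states = @($results | Where-Object { -not $_.Error } |
            Select-Object -ExpandProperty LockedOut -Unique)
if ($states.Count -gt 1) {
    Write-Warning "Domain controllers disagree on the lockout state of this account."
}
```

If the warning appears, the value shown in the DRA client depends on which domain controller DRA is connected to.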
note
For more information on the issue described above, please refer to the following Knowledge Base articles: