I have a strange issue. Hyena is showing a user account as Locked Out when the Windows AD Users and Computers tools on all DCs do not. What's going on?
Hyena shows accounts as locked when they're not
-
Re: Hyena shows accounts as locked when they're not
What Hyena does is look at the LockoutTime field for the user, and if there is a date/time there it will report it as being locked out.
So, one thing to try is find a user that has this issue and right-click on that user and choose Query Active Directory->View All Directory Attributes. In the right-hand window find the LockoutTime field and let us know what the Value for that field is.
-
Re: Hyena shows accounts as locked when they're not
So does that mean that if the user account was locked out, and the user didn't subsequently log on after the lockout expiration period, the Lockouttime attribute wouldn't be reset and the account would show as locked when it's not? (I see the same behavior using the LockoutStatus tool provided by Microsoft; account shows as locked when it's not.)
-
Re: Hyena shows accounts as locked when they're not
You can read about how this works here:
http://msdn.microsoft.com/en-us/library/ms676843(v=vs.85).aspx
Read the comments at the bottom of this doc. Hyena only looks for the presence of something in this field. When a user logs on, it will be cleared. But if the lockout is meant to automatically clear based on the duration, it will show as being locked out, i.e. it would mean at this point "this account was locked out at some point".
There isn't an easy way to determine if the account should still be locked out, as the duration is kept in the policy, and the times are based on time zone and DST calculations, so there are a lot of variables. This is one reason why ADU&C is rather slow at displaying large sets of user accounts due to the calculations.
Kevin Stanush
SystemTools Software Inc.
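The distinction discussed in this thread, as an added example that is not part of the original posts and is not Hyena's or Microsoft's code: it separates "lockoutTime is set" from "the lockout is still in force" by comparing the timestamp with the policy's lockoutDuration. Assumptions: lockoutTime is a count of 100-nanosecond intervals since 1601-01-01 UTC, lockoutDuration is the negative 100-nanosecond interval from the domain policy, a duration of 0 or the minimum 64-bit value means "until an administrator unlocks", and all sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # 100 ns intervals
NEVER = -(2 ** 63)                     # assumed "admin must unlock" sentinel


def filetime_to_datetime(ticks):
    """Convert an AD large-integer timestamp to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Convert an aware datetime to 100 ns intervals since 1601-01-01 UTC."""
    delta = moment - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def presence_only_view(lockout_time):
    """The check described in the thread: any value in the field reads as locked."""
    return bool(lockout_time)


def lockout_state(lockout_time, lockout_duration, now):
    """Return 'not_locked', 'locked' or 'expired' for one account.

    'expired' is the case from the thread: the attribute still holds a
    timestamp, but the policy duration has already elapsed.
    """
    if not lockout_time:
        return "not_locked"
    if lockout_duration in (0, NEVER):
        return "locked"
    unlock_at = lockout_time + abs(lockout_duration)
    return "locked" if datetime_to_filetime(now) < unlock_at else "expired"


if __name__ == "__main__":
    # Constructed sample: locked at 09:00 UTC under a 30-minute policy.
    locked_at = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    lockout_time = datetime_to_filetime(locked_at)
    thirty_minutes = -30 * 60 * TICKS_PER_SECOND
    for minutes in (10, 45):
        now = locked_at + timedelta(minutes=minutes)
        print(minutes, presence_only_view(lockout_time),
              lockout_state(lockout_time, thirty_minutes, now))
```

Accounts that come back as "expired" are the ones a presence-only check reports as locked while a duration-aware view does not.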