Cross Domain Folders Access: Reference account is Locked out

When dealing with cross-domain shared folder access, issues can arise, and sometimes these lead to an account lockout. In this article, we shall discuss “Cross Domain Shared Folders Access Failed: The reference account is Locked out”. This issue can be due to several factors. Please see how to Configure Local Administrators Account lockout, and how to Configure WinRM to accept connection from a specific IP Address.
Reasons for the Account Lock Out
Note: This issue concerns shared folder access across different domains in different forests. The solution should be applicable to your own use case as well.
As you can see from the image below, the error reads “The reference account is currently locked out and may not be logged on to”. This is due to the following error: “Vault credentials were read. This event occurs when a user enumerates stored vault credentials”.

When you navigate to the PC located in another domain/forest and try to connect to a device in the domain, you can indeed confirm that the account has been locked out.

Issue Persists
The password was unlocked, and I tried to access again from the other domain in a different forest, yet it failed. So I went ahead to the other PC connected to the other domain to access the PC connected to the second domain in a different forest, and I got this prompt. This is because my account was already locked due to the shared folder access as configured here: “How to access shared resources from two different domains”.

Note: Domains in the same forest are automatically linked with two-way, transitive trust relationships, so this should not be a problem there. However, I am dealing with access in a different forest. The knowledge below will be vital when access is restored or the issue is fixed.
Since I am accessing this shared folder from a different domain in a different forest, this will also work, but I provide credentials from the actual domain whose shared resources I wish to access. It’s important to note that you have to use the sAMAccountName format, in which the domain portion is a single label, akin to a NetBIOS name. This is because sAMAccountName has no “knowledge” of DNS or Internet standards.
Unlock a Locked out Account via Active Directory
To do this, please launch the Active Directory Users and Computers (ADUC) console as shown below.
Alternatively, press Win + R, type dsa.msc, and press Enter. This will open the ADUC management console.

Navigate to the OU (Organizational Unit) where the user’s account resides. Right-click on the user’s account. Next, select Properties.

Navigate to the Account tab. Below, you will see a checkbox labeled Unlock account. Check the box and click Apply or OK.

Delete Cached Credentials
If the issue persists as shown above, you will have to delete the corrupted cached credentials. Corrupt cached credentials can also cause account lockout issues in Windows. Sign in to the hidden admin account, delete the locked account’s cached credentials, and try signing in again.
Note: Old or incorrect credentials saved in Windows Credential Manager may cause repeated failed login attempts.
Now, let us take a look at the Event Viewer for possible errors. As you can see, the operation failed due to stored credentials. Another event log entry reads: “Vault credentials were read. This event occurs when a user enumerates stored vault credentials.”

To fix this, open the Start menu, type credentials manager in the search box, and select the Credential Manager.

Select Windows Credentials.

Scroll to the “Generic Credentials” section and select the credentials of the locked user account. Select Remove.

Select Yes on the confirmation prompt to proceed.

Note: Please do not forget to restart.
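To find the same stale entries from a console instead of the Credential Manager window, the following added example (not part of the original article) parses the text output of `cmdkey /list` and returns the stored credentials saved for the locked account. The function name `Get-StoredCredential`, the account `FORESTB\jdoe` and the sample output are constructed for illustration, and the `Target:` / `Type:` / `User:` labels assume an English-language Windows installation.

```powershell
# Added example: turn `cmdkey /list` text into objects so stored credentials
# for one account can be found across both Windows and Generic entries.
function Get-StoredCredential {
    param(
        # Lines of `cmdkey /list` output; defaults to the live command.
        [string[]]$CmdkeyOutput = (cmdkey /list)
    )
    $entry = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            # A new "Target:" line starts a new entry; emit the previous one.
            if ($entry) { [pscustomobject]$entry }
            $entry = [ordered]@{ Target = $Matches[1].Trim(); Type = $null; User = $null }
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(.+)$') { $entry.Type = $Matches[1].Trim() }
        elseif ($entry -and $line -match '^\s*User:\s*(.+)$') { $entry.User = $Matches[1].Trim() }
    }
    if ($entry) { [pscustomobject]$entry }
}

# Constructed sample output (hypothetical host and account names).
$sample = @'
Currently stored credentials:

    Target: Domain:target=FS01.forest-b.example
    Type: Domain Password
    User: FORESTB\jdoe

    Target: LegacyGeneric:target=backup-tool
    Type: Generic
    User: backup
'@ -split "`r?`n"

$locked = 'FORESTB\jdoe'   # hypothetical locked account
Get-StoredCredential -CmdkeyOutput $sample | Where-Object User -eq $locked
```

Run `Get-StoredCredential` without arguments in the affected user's session to read the live store, then remove each returned entry in Credential Manager as described above.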
Network issues
If none of the above fixes works, intermittent network problems may be preventing successful authentication. You can try again at a later time.
Other Solutions: Increase or Disable Lockout Threshold
Disable the “Lockout Threshold”. I will not show the steps to bypass the configured organization policy in detail, as such policies are security best practices. Moreover, we have already discussed this process. Please see “Change Account Lockout Threshold for Local Accounts in Windows: The reference account is locked”.
The system administrator may have configured the Account lockout threshold policy, which triggers the lockout. In this case, it is advisable to wait 30 minutes (or the designated waiting period) before trying to sign in again with the correct credentials.
In the Local Group Policy window, click on Security Settings. Then, navigate to Account Policy > Account Lockout Threshold from the displayed submenu.

In the Account Lockout Threshold Properties window, select the Local Security Setting tab. Under the Account will not lock out heading, change the preset value to 0 or increase it to 3 as you wish.
Click OK and then Apply to allow the changes to take effect. Restart Windows.
FAQs
You can do this by running the command below in the Command Prompt terminal and pressing Enter: net user administrator /active:yes
To do this, please launch the Local User Management utility. Open the Windows Run box (Windows key + R), type lusrmgr in the dialog box, and select OK. Alternatively, search for Computer Management …. Select Users on the sidebar and double-click the locked account.
The error code 0xC000006A means “Account logon with misspelled or bad password”. Another reason could be an “account lockout”, indicated by 0xC0000234 in the event log.
With the above understanding, the system still tries to use the stored credential, which results in a misspelled or bad password and, in turn, an account lockout. You will find a similar error in the FAQs section of this post: “Perform Key Distribution Center Service [krbtgt] Password reset”.
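To see which account, workstation and source address produced the 0xC000006A and 0xC0000234 failures, the following added example (not part of the original article) extracts those fields from Security log event 4625 (failed logon) XML. The function name `ConvertFrom-LogonFailureXml` and the sample event are constructed for illustration; the field names are those of the standard 4625 event.

```powershell
# Added example: keep only 4625 failures carrying the two codes discussed above.
$StatusMeaning = @{
    '0xc000006a' = 'Bad or misspelled password'
    '0xc0000234' = 'Account locked out'
}
function ConvertFrom-LogonFailureXml {
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $evt = ([xml]$Xml).Event
        # EventData is a list of <Data Name="..."> elements; index it by name.
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # The bad-password code is reported in SubStatus, the lockout code in Status.
        foreach ($code in @($d.SubStatus, $d.Status)) {
            $key = "$code".ToLower()
            if ($StatusMeaning.ContainsKey($key)) {
                [pscustomobject]@{
                    Time        = [datetime]$evt.System.TimeCreated.SystemTime
                    Account     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                    Workstation = $d.WorkstationName
                    SourceIp    = $d.IpAddress
                    Reason      = $StatusMeaning[$key]
                }
                break
            }
        }
    }
}

# Constructed sample event (hypothetical names; 192.0.2.25 is a documentation address).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-15T09:12:44.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">FORESTB</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data><Data Name="WorkstationName">PC-A01</Data>
    <Data Name="IpAddress">192.0.2.25</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LogonFailureXml

# Live use, from an elevated session on the machine hosting the share:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 500 |
#   ForEach-Object { $_.ToXml() } | ConvertFrom-LogonFailureXml |
#   Group-Object Account, Workstation, SourceIp | Sort-Object Count -Descending
```

A workstation that keeps reappearing with “Bad or misspelled password” for the same account is the one still replaying a stored credential.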
I hope you found this article on “Cross Domain Shared Folders Access Failed: The reference account is Locked out” very useful. Please feel free to leave a comment below.