active directory accounts lockout
2008-09-04 10:27:50 / Category: FAQ
Active Directory 2003 - locked-out accounts are not unlocking automatically. I've set my domain as follows:
Account lockout duration: 60 minutes
Account lockout threshold: 10 invalid logon attempts
Reset account lockout counter after: 60 minutes
However, accounts that got locked out are not automatically unlocked after 60 min. In ADUC the checkbox for unlocking the user is greyed out, but I can list the account with the following LDAP query:
(&(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295)))))
The only way to unlock that account is to use a VBS script, with this command:
objUser.IsAccountLocked = FALSE
Is there any way to find out what's wrong with the domain?
Answer: As I recall, when an account is locked out, the lockoutTime attribute is set to the Integer8 value corresponding to the date and time. When the domain lockout duration expires, nothing happens to the user object. The lockoutTime attribute stays the same until the user logs on, at which time the value of lockoutTime is set to 0 (zero). If the value of lockoutTime is not set, the account has never been locked out. If the value is 0, the account is locked out. For any other value you must compare to the domain lockoutDuration to see if it has expired to tell if the account is still locked out.
Your LDAP query does not make sense to me. The lockoutTime attribute is not a flag value like userAccountControl where you can test bits of the integer for settings. Instead it is an Integer8 (64-bit) value representing a date.
Are you saying the users cannot logon when 60 minutes have passed since their account was locked out? My guess is that the account is not locked out, but the user has not yet attempted to logon.
There is no simple query that will determine if an account is locked out. You must retrieve all accounts with lockoutTime greater than zero, then add the domain lockoutDuration to the value, convert to a date/time in the current time zone, and check if the result is in the past or future.
Actually, an LDAP query can be devised to find all users currently locked out, but some calculation is required to determine the critical value of the lockoutTime attribute. Following is a VBScript program to retrieve the DN of all users currently locked out:
http://www.rlmueller.net/FindLockedOutUsers.htm
-- Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab -http://www.rlmueller.net
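The calculation described in the answer above (lockoutTime plus the domain lockoutDuration, compared with the current time) and the "critical value" that a filter such as Richard Mueller's script computes, worked through as an added example. This is not code from the original post or from the linked script; it runs offline on a constructed sample instead of querying a domain controller. Assumptions: lockoutTime is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), the domain lockoutDuration is stored as a negative tick count, and the sentinel 0x8000000000000000 is taken to mean "locked until an administrator unlocks"; the account names and timestamps are constructed.

```python
"""Decide whether AD accounts are still locked out from lockoutTime and lockoutDuration."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Active Directory stores lockoutTime as a Windows FILETIME (Integer8): the number of
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Domain interval attributes such as lockoutDuration are stored as negative tick counts.
# Assumption: the sentinel 0x8000000000000000 means "locked until an administrator unlocks".
NEVER = -(1 << 63)


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime (the sub-microsecond part of a tick is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME ticks."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def lockout_expiry(lockout_time: int, lockout_duration: int) -> Optional[datetime]:
    """When the lockout of an account with this lockoutTime ends; None means 'until unlocked'."""
    if lockout_duration in (0, NEVER):
        return None
    return filetime_to_datetime(lockout_time + abs(lockout_duration))


def is_locked_out(lockout_time: Optional[int], lockout_duration: int, now: datetime) -> bool:
    """Unset lockoutTime = never locked; 0 = cleared at last logon; otherwise compare expiry to now."""
    if not lockout_time:
        return False
    expiry = lockout_expiry(lockout_time, lockout_duration)
    if expiry is None:
        return True
    return expiry > now


def locked_out_filter(lockout_duration: int, now: datetime) -> str:
    """LDAP filter for currently locked-out users: lockoutTime at or after (now - lockoutDuration).

    This is the 'critical value' approach: a single inequality on the attribute, instead of
    the bitwise-AND matching rule from the question, which does not apply to a date value.
    """
    if lockout_duration in (0, NEVER):
        critical = 1  # lockouts never expire, so any non-zero lockoutTime is a locked account
    else:
        critical = datetime_to_filetime(now) - abs(lockout_duration)
    return f"(&(objectCategory=person)(objectClass=user)(lockoutTime>={critical}))"


# Constructed sample: a 60-minute domain lockoutDuration as AD stores it, and a fixed "now".
LOCKOUT_DURATION = -60 * 60 * TICKS_PER_SECOND
NOW = datetime(2008, 9, 4, 10, 27, 50, tzinfo=timezone.utc)

# Constructed sample of what an LDAP search might return: (sAMAccountName, lockoutTime).
SAMPLE_USERS = [
    ("alice", datetime_to_filetime(NOW - timedelta(minutes=30))),  # locked 30 min ago: still locked
    ("bob", datetime_to_filetime(NOW - timedelta(hours=2))),       # locked 2 h ago: expired
    ("carol", 0),                                                  # reset to 0 at her last logon
    ("dave", None),                                                # attribute never set
]


def currently_locked(users=SAMPLE_USERS, duration=LOCKOUT_DURATION, now=NOW):
    """Names of the sample users whose lockout has not yet expired."""
    return [name for name, lt in users if is_locked_out(lt, duration, now)]


if __name__ == "__main__":
    for name, lt in SAMPLE_USERS:
        state = "LOCKED" if is_locked_out(lt, LOCKOUT_DURATION, NOW) else "not locked"
        print(f"{name:6} lockoutTime={lt!s:>20} -> {state}")
    print("filter:", locked_out_filter(LOCKOUT_DURATION, NOW))
```

Against the sample only alice is reported as locked; bob's lockoutTime is still non-zero (nothing clears it until he logs on) but his expiry is in the past, which is exactly the case the answer describes. The filter string can be pasted into any LDAP search tool, but it must be regenerated each time it is used, since the critical value moves with the clock.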
For more on Active Directory user account unlock issues, please refer to:
Domain user accounts repeatedly locked out
http://www.googlesyndicatedsearch.com/u/blogbus?q=site:gnaw0725.blogbus.com+%E8%B4%A6%E6%88%B7%E9%94%81%E5%AE%9A&hl=zh-CN&newwindow=1&ie=UTF-8&start=10&sa=N
---gnaw0725