Commit a093d07

Merge pull request #84224 from iainfoulds/patch-1
[AzureADDS] Add troubleshooting note for account lockout
2 parents 1159594 + d85181c commit a093d07

1 file changed

+3
-0
lines changed

articles/active-directory-domain-services/troubleshoot.md

Lines changed: 3 additions & 0 deletions
@@ -143,6 +143,9 @@ If one or more users in your Azure AD tenant are unable to sign in to the newly
143143
1. net stop 'Microsoft Azure AD Sync'
144144
2. net start 'Microsoft Azure AD Sync'
145145
* **Cloud-only accounts**: If the affected user account is a cloud-only user account, ensure that the user has changed their password after you enabled Azure AD Domain Services. This step causes the credential hashes required for Azure AD Domain Services to be generated.
146+
* **Verify the user account is active**: If a user's account is locked out, they can't sign in until their account is active again. Five invalid password attempts within 2 minutes on the managed domain cause a user account to be locked out for 30 minutes. After 30 minutes, the user account is automatically unlocked.
147+
* Invalid password attempts on the managed domain don't lock out the user account in Azure AD. The user account is locked out only within your Azure AD Domain Services managed domain. Check the user account status using the Active Directory Administrative Console (ADAC) for the Azure AD DS managed domain, not in Azure AD.
148+
* You can also [configure fine grained password policies that change the default lockout threshold and duration](https://docs.microsoft.com/azure/active-directory-domain-services/password-policy).
146149

147150
## There are one or more alerts on your managed domain
148151
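
Review bot: The added "Verify the user account is active" bullet states the lockout values (five invalid attempts, 2 minutes, 30 minutes) as fixed, while the last added bullet says a fine-grained password policy can change the threshold and duration. Qualify the first bullet with "by default" so an administrator running a custom policy is not misled about when the account unlocks. In the second added bullet, ADAC expands to "Active Directory Administrative Center", not "Active Directory Administrative Console". Since this bullet is the only place that tells the reader where the lockout is visible, it is also worth saying that the check must be run against the managed domain from a domain-joined management VM, if that is the intended workflow.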
