On the AIX operating system, a user cannot authenticate. su gives the error 3004-501 Cannot su to "account-name" : Authentication is denied., or ssh reports that the account is locked out even though it is not locked out in Active Directory.
The account is being locked out by the local AIX operating system because of settings in the /etc/security/user and /etc/security/login.cfg files.
For example, the login retry limit is set to 3 in the default section of the /etc/security/user file.
The setting looks like this: loginretries = 3
Any Unix-enabled AD user whose unsuccessful login count is greater than 3 is denied.
To reset a user's count:
chsec -f /etc/security/lastlog -s <username> -a unsuccessful_login_count=0
This workaround is only a temporary fix, as the unsuccessful_login_count could increase.
1 - Edit the /etc/security/user file, unset loginretries in the default section, and set it explicitly for each individual user.
2 - Create a cron job to clean up the count in /etc/security/lastlog.
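
The following is an added example, not part of the original article: a review step to run before a manual reset or a cleanup cron job, listing which stanzas in /etc/security/lastlog exceed the loginretries limit and printing the article's chsec command for each. The function names and the sample data are constructed for illustration, and the script assumes the standard AIX stanza layout (a "name:" header followed by indented "attr = value" lines).

```shell
#!/bin/sh
# Added example: find users whose unsuccessful_login_count exceeds a limit.
# Assumption: the file uses the AIX stanza layout; "*" starts a comment line.

# locked_users FILE LIMIT -> prints "user count" for each stanza over LIMIT
locked_users() {
    awk -v limit="$2" '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        /^[^ \t].*:[ \t]*$/ {                     # stanza header, e.g. "jdoe:"
            user = $0; sub(/:[ \t]*$/, "", user); next
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # drop the attribute indentation
            split(line, kv, "[ \t]*=[ \t]*")
            if (kv[1] == "unsuccessful_login_count" && kv[2] + 0 > limit + 0)
                print user, kv[2] + 0
        }
    ' "$1"
}

# reset_commands FILE LIMIT -> prints (does not run) the reset command per user
reset_commands() {
    locked_users "$1" "$2" | while read -r user _count; do
        printf 'chsec -f /etc/security/lastlog -s %s -a unsuccessful_login_count=0\n' "$user"
    done
}

# write_sample FILE -> constructed sample data, not taken from a real system
write_sample() { cat > "$1" <<'EOF'
* constructed sample in lastlog stanza layout
root:
    time_last_login = 1700000000
    unsuccessful_login_count = 0

jdoe:
    time_last_unsuccessful_login = 1700000500
    unsuccessful_login_count = 5

asmith:
    unsuccessful_login_count = 3

svcbkp:
    unsuccessful_login_count = 12
EOF
}

sample=$(mktemp)
write_sample "$sample"
reset_commands "$sample" 3      # limit 3 matches loginretries = 3 above
rm -f "$sample"
```

On a real host, pass /etc/security/lastlog as FILE and review the printed commands before running any of them, since a count that keeps climbing for one account can indicate password guessing rather than a stale cached credential.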