How can I allow an IIS application configured with custom user credentials rather than built-in machine credentials to work correctly with UserLock?

In IIS, the application pool identity of Application Pools is configured by default with "ApplicationPoolIdentity". It is possible to change this with other built-in accounts (LocalService, LocalSystem, or NetworkService) or a custom account based on user type credentials. If an IIS application's application pool is configured with user type credentials, it will not work properly with UserLock unless you set the UserLock advanced setting "EnforceAgentMachine" to false (see here to find out how to view and modify Advanced UserLock Settings).

Note: If an IIS application's application pool is configured with one of the built-in accounts (ApplicationPoolIdentity, LocalService, LocalSystem, or NetworkService), there is no need to change the value of "EnforceAgentMachine".