This one is baffling, and I'm completely lost as to what is going on or how to rectify it.

I have two Redhat (not my choice) V5 Workstations. They are locked down pretty thoroughly, not on an external network, each person with root access has a normal account and then an account that belongs to the wheel group, etc. It is fairly obscene.

On one of the systems, my admin account absolutely refuses to let me to log in. We've reset the password using both passwd and the config-system-users dialog. Nothing looks out of place, the account isn't expired/locked or anything. Deleting the account and then readding it didn't help.

On the other system, the exact same thing is going on with another user. That one had a mismatch between /etc/passwd and /etc/shadow that I fixed, but everything else looks normal. I have no problems logging in, but he can't, no matter what we do to the password or the account.

Anybody have any ideas/suggestions about what is going on?

I would scrutinize the /etc/passwd contents over and over until my tired eyes finally saw the problem. Eg. /bin/false for a shell or something.

Have you tried logging in to a non-GUI, local console (eg. CTRL-ALT-F2) ?
Network logins, and display-manager (GUI) logins have additional inconvenience ("security") layers that need bypassing by default.

Other than that, the problem could be with the SELinux (aka "the NSA") configuration. I avoid SELinux, so not much help to you there.

I checked for /bin/false as the shell and ! as the leading/only character in the /etc/shadow file. I'll keep checking. I didn't think to try the ALT-F2 login.

I envy you for avoiding the SELinux stuff. It is a major pain to deal with, and conflicts with some of the software we use.

I went back there again today to try to fix it and tried a couple other things. One of the things I tried was in the /etc/shadow file, I copied my entire line and then changed the username and the field that looks like a user ID, but is different, to match his.

Even that was giving the wrong password error.

I forgot about trying from the non-GUI login. I think that got locked down and disabled, though.

Well, the other key places might include /etc/securetty, and various settings in /etc/pam.d/

Layers, zillions of layers.

The machine in question settled down and everything was going ok, until earlier this week.

Right now, there are only three accounts that can be logged in, root and two user accounts in the wheel group. Well, they should be able to be logged in

The root account is expired (it wasn't recognizing the password anyway, which is why it wasn't used for so long) and the other two are locked because of the number of password attempts. It also isn't recognizing the GRUB password.

To recover, I was going to open the cases and mount that drive as a data drive in the other (identical) system. My question is, how do I recover from there? From what I've seen, pam_tally/pam_tally2 doesn't lock the account in the shadow file, so how do I fix those locked accounts? I can get into single mode easy enough, assuming it lets me with an expired root, so maybe I have to do that and then go through all the pam_tally stuff?

Boot from a Linux USB stick.

Mount the original root filesystem:

Excellent, thanks!