W2K Local accounts lock out

We're a small engineering company and have several people who travel infrequently. Everyone is assigned a desktop PC and I have a pool of Loaner laptops for people travelling. My problem as of late is that all local accounts (3-5 of them) on the laptop will become locked out at the same time. The only way for me to unlock them is to have them ship the laptop or wait till they return and hook the laptop back to the network and have one of the Domain Admins or Helpdesk Staff (both are members of the Adminstrators group) unlock all local accounts.
They are generally only using one of the accounts and in some instances do not even know the names of additional local accounts to attemp to log-in so as not to expect the "Account Lockout Policy", although it is set to 3 unsuccesful log-in attempts on the domain side.
If you need more information let me know.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Maybe provide youre user with Local admin rights, or power users, i've had some many problems with that in the pass that we've decided to give all our Coporate users admin. rights, and other power users. It got to the point where this like that would happen and there was nothing we could do remotely, most of our systems now also has DAMEWARE installed which give us a little bit of flexcibility when problems like that happen and the users are on the road.

dtm301Author Commented:
All local user accounts that are locking out are local admin accounts as well.
In addition users that do have laptops permanently assigned to them do not have this problem but their domain accounts are added to the local admin group on the laptops.
Rob StoneCommented:
Open GPEDIT.MSC and do the following:

Computer Config > Windows Settings > Security Settings > Account Policies > Account Lockout and change the ACCOUNT LOCKOUT THRESHOLD
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Rob StoneCommented:
Computer Config > Windows Settings > Security Settings > Account Policies > Account Lockout and change the ACCOUNT LOCKOUT THRESHOLD to 0.

Sorry, pressed enter by mistake and missed the vital part off!
dtm301Author Commented:
That only changes the Local Setting, The effective setting will still only be 3 Invalid logon attempts as that is what is set through the GPO. These laptops are members of the Domain so they get all GPO settings, hence local settings are ineffective.
Rob StoneCommented:
Can you not create a new OU for laptops then and change the GPO for them?

If they are on the road (not connected to network) then the local policy should work as it won't find the network gpo.
dtm301Author Commented:
I guess we are missing the point.
First all local accounts are being locked out regardless of them being used or not, in some instances accounts that have never even been logged into have been locked out.
Second, I have made attempts to change the account lockout policy to no avail. My question is, what would be locking out all Local Accounts regardless of their group membership?
Rob StoneCommented:
Sorry, not came across this before.

Maybe its worth trying a few things.

Try SFC /SCANNOW to check any Windows Protected Files haven't been overwritten.  Shot in the dark, but its worth a try on strange issues.

Upgrade the SP if not already on SP4

Run a AV scan if not already done so.

Setup Auditing to see if anything is trying to access the accounts.

Is there anything in the event viewer?
Local groups only? Domain users as well? If everyone is getting locked out
it is usually a denial of service attack. Make sure that all machines are up
to date with critical updates and virus definitions and see the account
lockout whitepaper here:

Hope this helps,


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dtm301Author Commented:
These are just local accounts setup on the laptops, I do not have any problems with domain accounts. The local accounts are not assigned to any one specific group (administrators, Power User, Users). The laptops at times are not even connected to a network or via an ISP yet still lockout.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.