Solved

group policy account lock out, when not on network

Posted on 2006-07-10
8
711 Views
Last Modified: 2011-04-14
Hello all,

Interesting problem I'm working with.
I have a few laptops that are all in a 2003 domain environment. Group Policy states that account lockout is set to lock a user out after 3 failed logon attempts.
Great! Once on the network, everything is working fine.

Once the laptop is off the network and the user tries to log on, the policy does not apply. I looked in Local Policy and noticed that it is set for 3 failed attempts, then lockout.

I'm not sure why it is not working when I try to log on without being on the network.

If you all need me to clarify some more, please ask.

Thanks in advance,

~Koolage
0
Comment
Question by:koolage
8 Comments
 
LVL 2

Expert Comment

by:jonathanpham
ID: 17074478
Hi,
You're saying you edited the GPO on the Windows Server domain, and all clients (XP) must log on to the domain.
When clients log on locally, the policy does not apply. Remember that you edited the GPO rule on the Windows 2003 server! The policy will apply when clients log on to the domain.
If you want to apply your policy for clients that don't need to log on to the domain, you can just edit the policy on your XP clients: follow Local Computer Policy / Windows Settings / Security Settings / Account Policies / Account Lockout Policies, then edit the second rule.
The normal user will be locked out after 3 failed logon attempts. If you have many computers, it takes much time to edit the policy.
0
 

Author Comment

by:koolage
ID: 17074551
Thanks, jonathanpham

I know that portion; the problem is that it is in the local policy as well. It's actually greyed out, but tells me that the policy is in effect.
I'm not sure what I'm missing...
Also, when the user logs on to the laptop while not being connected to the physical network, it looks like this:


username: testuser
password: xxxxxxx
Domain: testdomain

not

username: testuser
password: xxxxxxx
Domain: 123testPC(Local Computer)

Even when I log onto the laptop in Local Computer mode, it still has the account policy setting greyed out (logged in as Admin).

Any other suggestions??

Thanks again for your time,

~koolage
0
 
LVL 13

Assisted Solution

by:haim96
haim96 earned 250 total points
ID: 17074958
koolage, you need to remember that it's the domain user that needs to be locked out!
If the machine is offline from the net, how can the account be locked?!
The domain user + password only exist in the user's local profile and not on the local machine's user list, so there is no way that it can be locked!
That means that if the user knows the password he will be able to log in locally; if not, he won't log in...
and it doesn't matter if the GPO applies or not!
0
 
LVL 6

Accepted Solution

by:
DaMaestro earned 250 total points
ID: 17075264
Usually anything defined in the domain overrides what is defined locally. You may need to run GPMC / Resultant Set of Policy to confirm the "last applied" policy on the client machine. If in fact you are providing invalid credentials with the machine not being connected three times (as defined by your policy), it should lock out.

Can you confirm if the client system is Windows XP or 2000? And what is the SP level?

There is a document at Microsoft that affects XP computers <http://support.microsoft.com/?kbid=811062>, but Windows XP SP2 should resolve it.
A Microsoft Bulletin was released for Windows 2000 SP1 computers, but I would think your computers have a more recent service pack: <http://www.microsoft.com/technet/security/bulletin/ms00-089.mspx>

Although it's not directly related, you may want to check the cached login policy [Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options]. I would recommend lowering it to 5 so that you force the laptop to re-authenticate against the domain sooner than the default 10 cached logins.

Another unrelated but informative link: User Policy not refreshed after cached login http://support.microsoft.com/kb/325551/

0
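As an added example (not from the thread, nor DaMaestro's own code), a PowerShell audit script that reports the settings the accepted answer points at on a domain-joined client: the CachedLogonsCount value behind the cached logon policy, the lockout threshold applied to the machine's local account database, and whether a domain controller is currently reachable. It assumes an elevated PowerShell session on a Windows client where nltest.exe is available.

```powershell
# Added audit script (not part of the original thread). Assumes it runs in an
# elevated PowerShell session on a domain-joined client where nltest.exe exists.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Backs the "Interactive logon: Number of previous logons to cache" setting.
    # Stored as REG_SZ; when the value is absent Windows uses its default of 10.
    $item = Get-ItemProperty -Path $Winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Get-LocalLockoutThreshold {
    # 'net accounts' prints the policy applied to this machine's local account
    # database. For domain accounts the bad-password count is kept and enforced
    # by the domain controllers, so an offline laptop never locks a domain user out.
    $line = net accounts | Where-Object { $_ -match '^Lockout threshold:' } | Select-Object -First 1
    if ($line -match '^Lockout threshold:\s+(\d+)') { return [int]$Matches[1] }
    return 0   # 'Never' means no lockout threshold is set
}

function Test-DomainControllerReachable {
    # nltest exits 0 when it can locate a DC for the machine's own domain.
    $null = nltest /dsgetdc: 2>$null
    return ($LASTEXITCODE -eq 0)
}

$cached    = Get-CachedLogonsCount
$threshold = Get-LocalLockoutThreshold
$dcOnline  = Test-DomainControllerReachable

"Cached logons allowed   : $cached (Windows default is 10)"
"Local lockout threshold : $(if ($threshold -eq 0) { 'Never' } else { $threshold })"
"Domain controller       : $(if ($dcOnline) { 'reachable' } else { 'not reachable; logons use cached credentials and no bad-password count is kept' })"

if ($cached -gt 5) {
    "CachedLogonsCount is above 5; lowering it forces re-authentication against the domain sooner."
}
```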
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 17078865
If you have a domain member computer and you go to another network, like another office or your house... when your NIC registers a connection, it will attempt to log into the domain (not present).

You will not be able to log on unless your network cable is "UNPLUGGED" first.
This will make the machine authenticate with "cached logon".

Now you can plug your network cable in and that should work.

-------------------------------------------------------------------------------------------------------------------------------------
Domain policy can prevent or allow cached logons, and for how many days.

-------------------------------------------------------------------------------------------------------------------------------------
If the above does not apply, make sure you don't have some sort of email program with bad settings trying to get your mail. Examples: Outlook using POP3, Exchange ActiveSync for Pocket PC phones. Failed e-mail logons count toward locking your account. So do bad terminal server logons.

-------------------------------------------------------------------------------------------------------------------------------------
0
 
LVL 4

Expert Comment

by:boywaja
ID: 17087602
This was answered early on in this thread. You can't lock out a domain account when the computer is not logging in using cached credentials (when it can't reach a domain controller). The PDC maintains the bad password count. When you can't reach the PDC, no count is kept.

This article from Jesper Johansson backs up what I'm saying. Jesper is a senior security strategist with Microsoft. http://blogs.technet.com/jesper_johansson/archive/2006/04/21/425991.aspx
0
 
LVL 78

Expert Comment

by:arnold
ID: 17087925
XP caches successful login credentials, thereby allowing the user to log in to the system when they are off the network and the correct credentials are provided.

Not really sure you would want the lockout policy to apply when the user is not on the network, as there would be no way for you to unlock the account, thus making the system useless.
0
 

Author Comment

by:koolage
ID: 17092950
Thanks to all that responded.

It was WinXP SP2.
I was asking on a friend's behalf.... One thing he also failed to mention: that he kept using the administrator account also.

But yes, with those cached credentials it would not work whilst offline...

And Arnold finished with a reasonable reply... there would be no way to unlock... unless it's an administrator.


Thanks again
0
