koolage
asked on
group policy account lock out, when not on network
Hello all,
Interesting problem I'm working with,
I have a few laptops that are all on a 2003 domain environment, Group policy states that account lockout are set to lock a user out after 3 failed logon attempts.
Great! Once on the network, everything is working fine.
Once laptop is off the network and user tries to logon, the policy does not apply, I look in Local Policy and noticed that it is set for 3 failed attempt then lockout.
I’m not sure why it is not working when I try to logon without being on the network.
If you all need me to clarify some more please ask,
Thanks in advance,
~Koolage
Interesting problem I'm working with,
I have a few laptops that are all on a 2003 domain environment, Group policy states that account lockout are set to lock a user out after 3 failed logon attempts.
Great! Once on the network, everything is working fine.
Once laptop is off the network and user tries to logon, the policy does not apply, I look in Local Policy and noticed that it is set for 3 failed attempt then lockout.
I’m not sure why it is not working when I try to logon without being on the network.
If you all need me to clarify some more please ask,
Thanks in advance,
~Koolage
ASKER
Thanks, jonathanpham
I know that portion, the problem is that it is in the local policy as well, it's actually greyed out, but tells me that the policy is in effect.
I'm not sure what I'm missing...
also, when user logs on to laptop while not being connected to physical network..looks like this
username: testuser
password: xxxxxxx
Domain: testdomain
not
username: testuser
password: xxxxxxx
Domain: 123testPC(Local Computer)
even when I log onto the laptop in Local Computer mode, it still has the account policy setting greyed out (logged in as Admin)
any other suggestings??
thanks again for your time,
~koolage
I know that portion, the problem is that it is in the local policy as well, it's actually greyed out, but tells me that the policy is in effect.
I'm not sure what I'm missing...
also, when user logs on to laptop while not being connected to physical network..looks like this
username: testuser
password: xxxxxxx
Domain: testdomain
not
username: testuser
password: xxxxxxx
Domain: 123testPC(Local Computer)
even when I log onto the laptop in Local Computer mode, it still has the account policy setting greyed out (logged in as Admin)
any other suggestings??
thanks again for your time,
~koolage
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If you have a domain member computer.
And you go to another network, like another office, or your house...When your NIC registers a connection, it will attempt to log into the domain.(not present)
You will not be able to logon unless your network cable is "UNPLUGGED" first.
This will make the machine authenticate with "cached logon".
Now you can plug your network cable in and that should work.
--------------------------
Domain policy can prevent or allow cached logons, and how many days.
--------------------------
If the above does not apply, make sure you don't have some sort of email program with bad settings trying to get your mail. Examples(Outlook using Pop3, exchange active sync for pocket pc phones) Failed e-mail logons count toward locking your account. So does bad terminal server logons.
--------------------------
And you go to another network, like another office, or your house...When your NIC registers a connection, it will attempt to log into the domain.(not present)
You will not be able to logon unless your network cable is "UNPLUGGED" first.
This will make the machine authenticate with "cached logon".
Now you can plug your network cable in and that should work.
--------------------------
Domain policy can prevent or allow cached logons, and how many days.
--------------------------
If the above does not apply, make sure you don't have some sort of email program with bad settings trying to get your mail. Examples(Outlook using Pop3, exchange active sync for pocket pc phones) Failed e-mail logons count toward locking your account. So does bad terminal server logons.
--------------------------
The was answered early on in this thread. You cant lock out a domain account when the computer is not logging in using cached credentials (when it cant reach a domain controller). The PDC maintains the bad password count. When you cant reach the pdc no count is kept.
This article from Jesper Johansson backs up what I'm saying. Jesper is a senior security stragegist with microsoft. http://blogs.technet.com/jesper_johansson/archive/2006/04/21/425991.aspx
This article from Jesper Johansson backs up what I'm saying. Jesper is a senior security stragegist with microsoft. http://blogs.technet.com/jesper_johansson/archive/2006/04/21/425991.aspx
XP caches successful login credential thereby allowing the user to login into the system when they are off the network and the correct credentials are provided.
Not really sure you would want the lockout policy to apply when the user is not on the network as there will be no way for you to unlock the account; thus, making the system useless.
Not really sure you would want the lockout policy to apply when the user is not on the network as there will be no way for you to unlock the account; thus, making the system useless.
ASKER
Thanks to all that responded.
it was WinXP SP2.
I was asking on a friends behalf.... one thing he also faild to mention..that he kept using the administrator account also.
but yes, with those cashed credentials it would not work whilst offline...
and Arnold finished with a reasonable reply...there would be no way to unlock...unless it's an administrator.
thanks again
it was WinXP SP2.
I was asking on a friends behalf.... one thing he also faild to mention..that he kept using the administrator account also.
but yes, with those cashed credentials it would not work whilst offline...
and Arnold finished with a reasonable reply...there would be no way to unlock...unless it's an administrator.
thanks again
You're talking. you edited GPO on win server domain, all client (xp) must to log on domain.
When clents logon on local. the policy does not apply. Remenber that you edit rule of GPO on win 2003 server! The policty will apply when clents log on domain.
if you want to apply your policy for client so don't need log on domain. You can just edit policy on your xp clients follow Local computer Policy / Windows Setting / Security Settings / Account Policies / Account Lockout policies then Edit the second ruler .
The normal user will be lockout account after 3 failed logon attempts. If you have many computer, It take muck time to edit policy.