Solved

Removing Domain Level Account Lockout Policy

Posted on 2006-11-16
Last Modified: 2013-12-04
For some reasons I won't go into, I have removed the account lockout from the Default Domain policy.  I have done this by setting the account lockout threshold to "0" attempts.  This setting HAS replicated to my second DC, and I can see it in all areas, and on both servers.  Yet after 4 invalid login attempts by any user on the network, their account still locks out.

I have searched all over the net trying to find the cause, and can only find other people asking this same question, but with no answers.  There must be a setting that is being missed that is still enforcing this policy.

Any help would be appreciated.

Regards,

Rob
0
Question by:PC_Rob
12 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 100 total points
ID: 17960707
The default domain controller policy probably has the settings applying.
0
 
LVL 9

Author Comment

by:PC_Rob
ID: 17961715
I checked that on the PDC, and it shows the right setting.
0
 
LVL 4

Assisted Solution

by:StonewallJacoby
StonewallJacoby earned 100 total points
ID: 17961948
Over what period of time are we talking about having made these changes?  Changing the GPO on the server doesn't automatically update the workstations.  Have you run

gpupdate /force

from a command prompt on your XP Pro workstations?

If not this, then go to a workstation and run rsop.  From a command prompt on XP Pro, type mmc, then press enter.

File, Add/Remove snap-in, Add, scroll down to rsop, click add.  Close the "Add Standalone Snap-In" window.  Click OK in the Add / Remove Snap-In window.  Right-click on "Resultant Set of Policy".  Click "Generate RSoP data".  This will show you where all the GPOs on the local machine are coming from.
0
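An added example, not part of the original thread: RSoP on a workstation shows which GPO supplied a setting, but lockout is decided by the domain controller that processes the logon, so it also helps to read the lockout values each DC actually holds on the domain object and compare them. This assumes the RSAT ActiveDirectory PowerShell module, which is newer than the Server 2000 and XP systems discussed here; the function and variable names are illustrative.

```powershell
# Added example: compare the lockout settings held by every domain controller.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function ConvertTo-LockoutMinutes([object]$Ticks) {
    # Intervals are stored as negative counts of 100 ns ticks; divide as a
    # double so very large "no automatic reset" values cannot overflow.
    if ($null -eq $Ticks) { return $null }
    return [math]::Round([double]$Ticks / -600000000, 1)
}

$domain = Get-ADDomain
$attrs  = 'lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # Query this specific DC rather than whichever one the locator picks,
    # so a replica with a stale value shows up as a differing row.
    $query = @{
        Identity    = $domain.DistinguishedName
        Server      = $dc.HostName
        Properties  = $attrs
        ErrorAction = 'Stop'
    }
    try {
        $head = Get-ADObject @query
        [pscustomobject]@{
            DomainController   = $dc.HostName
            LockoutThreshold   = $head.lockoutThreshold
            DurationMinutes    = ConvertTo-LockoutMinutes $head.lockoutDuration
            ObservationMinutes = ConvertTo-LockoutMinutes $head.lockOutObservationWindow
            Status             = if ($head.lockoutThreshold -eq 0) { 'Lockout disabled' }
                                 else { 'Lockout enforced' }
        }
    }
    catch {
        [pscustomobject]@{
            DomainController = $dc.HostName
            Status           = "Query failed: $($_.Exception.Message)"
        }
    }
}

$results | Format-Table -AutoSize

# More than one distinct threshold means the DCs disagree with each other.
$distinct = @($results | Where-Object { $null -ne $_.LockoutThreshold } |
              Group-Object LockoutThreshold)
if ($distinct.Count -gt 1) { Write-Warning 'Domain controllers report different lockout thresholds.' }
```

A threshold of 0 on every row means the domain itself is no longer enforcing lockout; a non-zero value on any DC means the GPO change has not become the effective domain setting there.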

 
LVL 9

Author Comment

by:PC_Rob
ID: 17965157
It has been 3 days since the change has been made on the servers.  One of the other servers I am testing with has been rebooted several times since then, and it still causes a lock out when I test it.

The server I am testing with is running Server 2000 and will not support RSoP.  I did run it on my local XP workstation, and the policy is showing correctly, yet if I type my password in wrong 4 times for testing, it locks me out.
0
 
LVL 38

Assisted Solution

by:Shift-3
Shift-3 earned 300 total points
ID: 17965422
I realize this is what you said in your first post, but just to confirm, you are setting this on the Domain Security Policy and not the Domain Controller Security Policy, correct?  Account policies only apply at the domain level; they have no effect if set on an OU.

Do you have any other GPOs applied at the domain level that might be conflicting?

Have you tried something like setting "Account lockout threshold" to 99 and "Reset account lockout counter after" to 1 minute?  This should prevent anyone from getting locked out.
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 17965553
Ah, I take it back.  Apparently Account Lockout policies can apply to OUs.  I was thinking of Password Policies.
0
 
LVL 9

Author Comment

by:PC_Rob
ID: 17968334
Yes, it is actually on both the Domain controller policy and the domain security policy.

It is also on the default domain policy in AD.

Still locking out.

Thanks
0
 
LVL 9

Author Comment

by:PC_Rob
ID: 17988003
I re-verified everything, and my accounts are still locking out when I test them.  The policy is in place properly.

Any more ideas?

Thanks,

Rob
0
 
LVL 9

Author Comment

by:PC_Rob
ID: 18029940
I still never resolved this problem, but I got around it for now.

Thanks for the input.

Rob
0
 

Expert Comment

by:SHAX
ID: 23659705
I am having the same issue.  I have opened a thread on Experts Exchange also.  The title is "Account lockout policy is still being enforced after policy is removed".  I didn't know if anyone on this thread found anything out.

Thanks
0
 

Expert Comment

by:Daxtech Support
ID: 33250284
I am having the same issue.  There is NO policy enabled anywhere and I have run gpupdate /force to update.  I have confirmed replication is fine between domain controllers.  Still, users are locked out after three attempts.
0
 

Expert Comment

by:gwbmcse
ID: 33578203
Seems to be an epidemic... I too have this issue.
0


Question has a verified solution.
