• Status: Solved

How to exclude a specific local account from account lockout policy set in local security policy of a server?

Hi Experts,

I need to set local security policy to enable account lockout for a server. However, the server has a program using a local account, but it keeps using the wrong password to access the program, causing the local service account to lock out. How can I exclude this local service account from this account lockout policy?

P.S. We have no idea why the program is using the wrong password. So what we can think of is to exclude this account from the account lockout policy.
chenshy
Asked:
1 Solution
 
LauraEHunterMVP Commented:
To be clear - this is a local account, not a domain account?  

If this is a domain account, there is nothing you can do, as you can only apply a single account lockout policy per Active Directory domain in 2000 and 2003.

If and only if this is a local account on the member server, you can configure a separate GPO to apply to this server object, with a separate account lockout policy that will -only- apply to the local computer accounts configured on that server.  I cannot stress enough here that any domain accounts that log onto this member server will still be subject to the domain account lockout policy.
 
chenshy (Author) Commented:
Hi Laura, this is a local account. I am not applying the account lockout policy via GPO. We manually go into local security policy and apply the setting. Is there any way to exclude this account?
 
LauraEHunterMVP Commented:
If I am understanding you, you are configuring an account lockout policy on this server's local security policy, and you wish to exclude only this one local account from that account lockout policy?

If this is what you are trying to accomplish, it cannot be done under Windows Server 2003.  
 
chenshy (Author) Commented:
I have another server with account lockout policy enabled, and the local service account is accessed by the program with the wrong password too. I can see a lot of login failures in the event log, but the account is not being locked out. Why is this so?
 
LauraEHunterMVP Commented:
Clearly the configuration is somehow different between these two servers.  You can use the gpresult.exe command-line tool on each server to compare the settings that are in place, or if you're in an Active Directory domain you can use the Resultant Set of Policy wizard from the Group Policy Management Console.
 
chenshy (Author) Commented:
Thanks Laura, the servers are not joined to a domain. They are all in a workgroup. I ran gpresult.exe on the server that doesn't lock out the account. It doesn't return any result as it is still looking at group policy. I did not apply any group policy. What I did was to go directly to local security policy and enable the account lockout policy. Is there any other command I can run to check on the security settings that are configured on the servers?
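For comparing the locally configured lockout settings on two workgroup servers, as discussed in the thread, here is an added example that is not part of any participant's post. It parses the `[System Access]` section of a `secedit /export` file from each server and reports where the three lockout values differ; the function names, file path and sample exports are assumptions made for illustration.

```powershell
# Added example. On each server, from an administrator prompt, export the local policy:
#   secedit /export /cfg C:\temp\policy.inf /areas SECURITYPOLICY
# ("net accounts" prints the same lockout values in readable form.)

function Get-LockoutPolicy {          # hypothetical helper name
    param([string[]]$Lines)
    $wanted  = 'LockoutBadCount', 'ResetLockoutCount', 'LockoutDuration'
    $policy  = @{}
    $section = ''
    foreach ($raw in $Lines) {
        $line = "$raw".Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^(\w+)\s*=\s*(.*)$') {
            if ($wanted -contains $Matches[1]) { $policy[$Matches[1]] = $Matches[2].Trim() }
        }
    }
    # Report a key that is missing from the export instead of skipping it.
    foreach ($key in $wanted) {
        if (-not $policy.ContainsKey($key)) { $policy[$key] = '(not set)' }
    }
    $policy
}

function Compare-LockoutPolicy {      # hypothetical helper name
    param([string[]]$LinesA, [string[]]$LinesB)
    $polA = Get-LockoutPolicy $LinesA
    $polB = Get-LockoutPolicy $LinesB
    foreach ($key in 'LockoutBadCount', 'ResetLockoutCount', 'LockoutDuration') {
        New-Object PSObject -Property @{
            Setting = $key; ServerA = $polA[$key]; ServerB = $polB[$key]
            Differs = ($polA[$key] -ne $polB[$key])
        } | Select-Object Setting, ServerA, ServerB, Differs
    }
}

# Constructed sample exports (not taken from the servers in the thread).
# LockoutBadCount is the threshold; 0 means accounts are never locked out.
# ResetLockoutCount and LockoutDuration are in minutes.
$sampleA = "[System Access]`nMinimumPasswordLength = 0`nLockoutBadCount = 5`n" +
           "ResetLockoutCount = 30`nLockoutDuration = 30`n[Event Audit]`nAuditLogonEvents = 2"
$sampleB = "[System Access]`nMinimumPasswordLength = 0`nLockoutBadCount = 0`n" +
           "[Event Audit]`nAuditLogonEvents = 2"

Compare-LockoutPolicy ($sampleA -split "`n") ($sampleB -split "`n") | Format-Table -AutoSize
# With real exports:
#   Compare-LockoutPolicy (Get-Content A.inf) (Get-Content B.inf)
```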