
Account lockout policy is still being enforced after policy is removed.

SHAX asked
Medium Priority
2,553 Views
Last Modified: 2012-05-06
Seven days ago I implemented an account lockout policy which was:

Account Lockout duration 0 mins
Account Lockout threshold 5
Reset account lockout counter after 60 mins

I put this in as part of my default domain policy. Two days later I decided I no longer wanted the policy and changed the settings to:

Account Lockout duration: not defined
Account Lockout threshold: 0
Reset account lockout counter after: not defined

That was five days ago and I am still having accounts get randomly locked out. The policy has replicated through my domain.

As soon as an account gets locked out I check the local security policy on the desktop or server from which they were trying to authenticate to see if the old account lockout settings are still being cached. It doesn't appear that they are. When I check they are:

Account Lockout duration not defined
Account Lockout threshold 0
Reset account lockout counter after not defined

I'm assuming the old account lockout policy is still being cached somewhere, but I can't find it.

Is there a way to see what the applied account lockout policy is on a computer/server? Apparently the applied account lockout policy must be different than what is showing in the local security policy on the desktop/server.

Does anyone have any suggestion as to where I should look to see where it is caching the information?


CERTIFIED EXPERT
Top Expert 2013

Commented:
You can run an RSoP report from GPMC against a computer or server to see what is being applied.
You can also run gpresult /v (GPMC is better in my opinion).
Seems like you did everything right; not sure why they are still being locked out.
Don (Network Administrator)
CERTIFIED EXPERT

Commented:
Try start>>run>>%windir%\pchealth\helpctr\binaries\helpctr.exe -FromStartHelp -url hcp://system/sysinfo/RSoP.htm
CERTIFIED EXPERT

Commented:
By changing a policy from being something - Enabled, Disabled or some value to undefined, you leave that policy the way it last was.  In your case, Lockout duration is left at 0 and reset is left at 60.  If you want to change the policy, you need to set it to a new value - not undefine it.
CERTIFIED EXPERT
Top Expert 2013

Commented:
But he did set Account lockout threshold = 0, so that should mean that the account will never be locked out no matter how many failed logons occur.

Author

Commented:
I did think of what dons6718 was saying about the policy not having changed even though the group policy was changed to "not defined". But where would I find the old settings showing that? Would it be in the registry somewhere?

What is confusing is if I go to the local security policy of the machine being affected it shows:

Account Lockout duration not defined
Account Lockout threshold 0
Reset account lockout counter after not defined

As mkline71 said, I would have thought changing the lockout threshold to 0 would have turned the account lockout off.
CERTIFIED EXPERT

Commented:
You are looking in the local security policy and there is nothing defined there.

When you made your second change and set it to disabled and set the threshold to zero, you didn't give that policy a chance to be propagated to the domain clients. The last update they got was that it was set and that the threshold was 5. By disabling it, the clients never got the update to set the threshold back to zero.

Go back to your default domain policy and re-enable it with the Account Lockout Threshold to zero.

Allow that policy to propagate to the domain clients.

Author

Commented:
This is very interesting. If I go on any of my domain controllers and go to Start -> Administrative Tools -> Domain Security Policy I see:

Account Lockout duration: not defined
Account Lockout threshold: 0
Reset account lockout counter after: not defined

If I go to the command prompt on any of my domain controllers and type secpol.msc, which brings up the local security policy on the domain controller, I see the following:

Account Lockout duration 0 mins
Account Lockout threshold 5
Reset account lockout counter after 60 mins

So doffman 98, you think that if I make a change such as:

Account Lockout duration 0 mins
Account Lockout threshold 0
Reset account lockout counter after 60 mins

it would propagate to the local security policy of the domain controller and the problem would be fixed?

If I do secpol.msc on any other workstation or server (other than domain controllers) I see the following:

Account Lockout duration: not defined
Account Lockout threshold: 0
Reset account lockout counter after: not defined

So I guess the domain controller's local security policy is taking precedence over the group policy security policy and in turn enforcing the account lockout. I didn't think local policies would override group policies (except when a deny policy is selected, which it is not in this case).
CERTIFIED EXPERT
Commented:
I'm not sure that is correct...

The default domain policy is the only place that account policies can be set. The default domain policy should always override all other settings, even on the domain controller.

When you go to Domain Security Policy on the DC, you are seeing the default domain policy, and you can see that it is not defined. Even though the threshold is set to zero, the fact that the policy is not defined is keeping it from updating settings on the clients.

I think that if you enable the policy again, and set the threshold to zero, that change will be propagated to the clients.

You are correct that local policy will NOT override group policy. The order for GPO application is LOCAL, SITE, DOMAIN, OU, Child OU. The Local policy is always the first one to be applied, and then others follow after. If a policy is set to enforce, then it could override settings for lower level settings.

However, remember that when it comes to account policies, there is only one place in the entire domain that it can be set... the default domain policy.
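As an added example (not code from the thread), a PowerShell check that does what mkline71's RSoP suggestion and the explanation above imply: read the lockout values a machine's own security database actually enforces and compare them with the domain's effective account policy, so a mismatch like the one the author saw on the DC shows up directly. It assumes an elevated session, the built-in secedit tool, and the RSAT ActiveDirectory module for Get-ADDefaultDomainPasswordPolicy.

```powershell
# Added diagnostic, not from the thread: compare the account lockout settings this machine
# actually enforces (its local security database, exported by secedit) with the domain's
# effective account lockout policy. Run in an elevated PowerShell on the DC or member server
# in question. Assumes the RSAT ActiveDirectory module is available for
# Get-ADDefaultDomainPasswordPolicy.

function Get-LocalLockoutSettings {
    # secedit writes a Unicode .inf; its [System Access] section holds the lockout values.
    # In the export, LockoutDuration = -1 means "until an administrator unlocks" (GUI shows 0).
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $settings = @{}
    Get-Content -Path $inf -Encoding Unicode | ForEach-Object {
        if ($_ -match '^(LockoutBadCount|ResetLockoutCount|LockoutDuration)\s*=\s*(-?\d+)') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $settings
}

function Get-DomainLockoutSettings {
    Import-Module ActiveDirectory -ErrorAction Stop
    $p = Get-ADDefaultDomainPasswordPolicy
    # TotalMinutes is kept as a double: "forever" durations are stored as a huge negative
    # TimeSpan in AD and would overflow an [int] cast.
    return @{
        LockoutBadCount   = $p.LockoutThreshold
        ResetLockoutCount = $p.LockoutObservationWindow.TotalMinutes
        LockoutDuration   = $p.LockoutDuration.TotalMinutes
    }
}

$local  = Get-LocalLockoutSettings
$domain = Get-DomainLockoutSettings

'{0,-20} {1,12} {2,12}' -f 'Setting', 'Local', 'Domain'
foreach ($k in 'LockoutBadCount', 'ResetLockoutCount', 'LockoutDuration') {
    '{0,-20} {1,12} {2,12}' -f $k, $local[$k], $domain[$k]
}

# The threshold decides whether lockouts happen at all (0 = accounts are never locked out).
if ($local['LockoutBadCount'] -ne $domain['LockoutBadCount']) {
    $msg = 'Local security database enforces threshold {0} but the domain policy says {1}: ' +
           'the GPO change has not landed here; re-define the setting and run gpupdate /force.'
    Write-Warning ($msg -f $local['LockoutBadCount'], $domain['LockoutBadCount'])
} else {
    'Local and domain lockout thresholds agree.'
}
```

Running this on each DC after the policy change gives the same comparison the author later did by hand with secpol.msc, with the domain value read from AD rather than from the GPO editor.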


Author

Commented:
Here is an update:

I went back to the default domain policy.

I initially tried to change the policy to

Account Lockout duration 0 mins
Account Lockout threshold 0
Reset account lockout counter after 60 mins

I tried to set it like this just so all the "not defined" fields would have a value to propagate.

Windows would not let me set the policy that way. Apparently, if the account lockout threshold is set to zero, Windows will not allow the other values to be set to anything but "not defined". So I set the policy like I had it before:

Account Lockout duration: not defined
Account Lockout threshold: 0
Reset account lockout counter after: not defined

Then I ran replmon a couple of times (I selected "Synchronize Each Directory Partition with all servers" and checked "push mode" and "Cross site boundaries").

I ran secpol.msc on each of the domain controllers and the local security policy on each had changed to:

Account Lockout duration: not defined
Account Lockout threshold: 0
Reset account lockout counter after: not defined

Now I no longer have any problems with accounts being locked out.

Thanks for the help.