Solved

Account lockout policy is still being enforced after policy is removed.

Posted on 2009-02-16
Last Modified: 2012-05-06
Seven days ago I implemented an account lockout policy which was:

Account Lockout duration 0 mins
Account Lockout threshold 5
Reset account lockout counter after 60 mins

I put this in as part of my default domain policy. Two days later I decided I no longer wanted the policy and changed the settings to:

Account Lockout duration: not defined
Account Lockout threshold: 0
Reset account lockout counter after: not defined

That was five days ago and I am still having accounts get randomly locked out. The policy has replicated through my domain.

As soon as an account gets locked out I check the local security policy on the desktop or server from which they were trying to authenticate to see if the old account lockout settings are still being cached. It doesn't appear that they are. When I check they are:

Account Lockout duration not defined
Account Lockout threshold 0
Reset account lockout counter after not defined

I'm assuming the old account lockout policy is still being cached somewhere, but I can't find it.

Is there a way to see what the applied account lockout policy is on a computer/server? Apparently the applied account lockout policy must be different from what is showing in the local security policy on the desktop/server.

Does anyone have any suggestions as to where I should look to see where it is caching the information?

Question by:SHAX

9 Comments
LVL 57

Expert Comment

by:Mike Kline
ID: 23652732
You can run an RSoP report from GPMC against a computer or server to see what is being applied.
You can also run gpresult /v (GPMC is better in my opinion).
Seems like you did everything right; not sure why they are still being locked out.
 
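The RSoP and gpresult suggestions above tell you which GPO a setting came from, but they show nothing for a setting that is "Not Defined" everywhere, which is exactly the case in this question. The script below is an added example, not code from the thread or from Microsoft. It reads the lockout values from three places that can disagree: the machine's local security database (via a secedit export, where a value left behind by an earlier GPO survives), the policy the machine actually enforces (net accounts), and the GPO that RSoP credits for it (gpresult /v). It assumes an elevated PowerShell prompt on the DC or workstation being checked and that secedit.exe, net.exe and gpresult.exe are on the path.

```powershell
# Added example (not from the original thread). Shows the account lockout
# values a Windows machine is actually holding, from three sources:
#   1. the local security database (secedit export), where stale values from
#      an earlier GPO survive after the setting goes back to "Not Defined",
#   2. the effective policy as reported by net accounts,
#   3. the GPO that RSoP credits for the setting (gpresult /v).
# Assumptions: run elevated on the DC or workstation being checked;
# secedit.exe, net.exe and gpresult.exe are on the path.

function Get-LocalLockoutSettings {
    # Export the local security database and parse its [System Access] section.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $section = @{}
    $inSystemAccess = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSystemAccess = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $section[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    # The three lockout keys of the .inf. With a threshold of 0 the other two
    # are normally absent, which is the "Not Defined" the GUI displays.
    [pscustomobject]@{
        LockoutBadCount   = $section['LockoutBadCount']    # threshold; 0 = never lock out
        LockoutDuration   = $section['LockoutDuration']    # minutes; -1 = until an admin unlocks
        ResetLockoutCount = $section['ResetLockoutCount']  # observation window, minutes
    }
}

function Get-EffectiveLockoutSettings {
    # net accounts reports what the SAM (or, on a DC, the domain) enforces now.
    net accounts | Where-Object { $_ -match 'Lockout' }
}

function Get-LockoutSourceGpo {
    # RSoP as computed by gpresult; the surrounding lines name the GPO that
    # supplied each value. A setting that is "Not Defined" in every GPO
    # produces no line here at all.
    gpresult /scope computer /v |
        Select-String -Pattern 'LockoutBadCount|LockoutDuration|ResetLockoutCount' -Context 1,1
}

'--- Local security database (secedit export) ---'
Get-LocalLockoutSettings | Format-List
'--- Effective policy (net accounts) ---'
Get-EffectiveLockoutSettings
'--- Supplying GPO per RSoP (gpresult /v) ---'
Get-LockoutSourceGpo
```

Run it on a domain controller first, since DCs enforce lockout for domain accounts; a workstation's values only matter for its local accounts. When the secedit export shows LockoutBadCount = 5 while gpresult shows no source GPO, the value is a leftover that no GPO is currently writing, which is the situation this question describes.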
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23652833
Try start>>run>>%windir%\pchealth\helpctr\binaries\helpctr.exe -FromStartHelp -url hcp://system/sysinfo/RSoP.htm
 
LVL 18

Expert Comment

by:Don S.
ID: 23652968
By changing a policy from being something - Enabled, Disabled or some value to undefined, you leave that policy the way it last was.  In your case, Lockout duration is left at 0 and reset is left at 60.  If you want to change the policy, you need to set it to a new value - not undefine it.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23652978
But he did set Account lockout threshold = 0  so that should mean that the account will never be locked out no matter how many failed logons occur
 

Author Comment

by:SHAX
ID: 23653217
I did think of what dons6718 was saying about even though the group policy was changed to "not defined" the policy had not changed.  But where would I find the old settings showing that.  Would it be in the registry somewhere?

What is confusing is if I go to the local security policy of the machine being affected it shows:

Account Lockout duration not defined
Account Lockout threshold 0
Reset account lockout counter after not defined

As mkline71 said, I would have thought changing the lockout = 0 would have turned the account lockout off.
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 23661459
You are looking in the local security policy and there is nothing defined there.

When you made your second change and set it to disabled and set the threshold to zero, you didn't give that policy a chance to be propagated to the domain clients. The last update they got was that it was set and that the threshold was 5. By disabling it, the clients never got the update to set the threshold back to zero.

Go back to your default domain policy and re-enable it with the Account Lockout Threshold to zero.

Allow that policy to propagate to the domain clients.
 

Author Comment

by:SHAX
ID: 23665161
This is very interesting. If I go on any of my domain controllers and go to Start -- Administrative Tools -- Domain Security Policy I see:

Account Lockout duration: not defined
Account Lockout threshold: 0
Reset account lockout counter after: not defined

If I go to the command prompt on any of my domain controllers and type secpol.msc -- which brings up the local security policy on the domain controller -- I see the following:

Account Lockout duration 0 mins
Account Lockout threshold 5
Reset account lockout counter after 60 mins

So dhoffman_98, you think that if I make a change such as:

Account Lockout duration 0 mins
Account Lockout threshold 0
Reset account lockout counter after 60 mins

It would propagate to the local security policy of the domain controller and the problem would be fixed.

If I do secpol.msc on any other workstation or server (other than domain controllers) I see the following:

Account Lockout duration: not defined
Account Lockout threshold: 0
Reset account lockout counter after: not defined

So I guess the domain controller's local security policy is taking precedence over the group policy security policy and in turn enforcing the account lockout. I didn't think local policies would override group policies (except when a deny policy is selected -- which it is not in this case).
 
LVL 13

Accepted Solution

by:
dhoffman_98 earned 1500 total points
ID: 23665976
I'm not sure that is correct...

The default domain policy is the only place that account policies can be set. The default domain policy should always override all other settings, even on the domain controller.

When you go to Domain Security Policy on the DC, you are seeing the default domain policy, and you can see that it is not defined. Even though the threshold is set to zero, the fact that the policy is not defined is keeping it from updating settings on the clients.

I think that if you enable the policy again, and set the threshold to zero, that change will be propagated to the clients.

You are correct that local policy will NOT override group policy. The order for GPO application is LOCAL, SITE, DOMAIN, OU, Child OU. The Local policy is always the first one to be applied, and then others follow after. If a policy is set to enforce, then it could override settings for lower level settings.

However, remember that when it comes to account policies, there is only one place in the entire domain that it can be set... the default domain policy.
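The accepted answer says the account policy for domain accounts is whatever the domain-level policy carries and that the DCs enforce it. The script below is an added example, not code from the thread or from Microsoft. It reads the lockout policy from the domain itself (the value the DCs enforce, which is what the author's secpol.msc on each DC was reflecting), lists any fine-grained password policy that could override it, and, if accounts are still locking, names the locked accounts and the computer each lockout came from using Security event 4740 on the PDC emulator. It assumes the RSAT ActiveDirectory module (Server 2008 R2 or later), an account that can read the PDC emulator's Security log, and a 24-hour lookback, which is an arbitrary choice.

```powershell
# Added example (not from the original thread). Verifies the lockout policy
# the domain controllers enforce for domain accounts and, if lockouts
# continue, shows which accounts are locked and which computer triggered each
# lockout (Security event 4740, always logged on the PDC emulator).
# Assumptions: RSAT ActiveDirectory module (Server 2008 R2 / RSAT or later);
# run as a user who can read the PDC emulator's Security log; the 24-hour
# window is arbitrary.

Import-Module ActiveDirectory

function Get-DomainLockoutPolicy {
    $domain = Get-ADDomain
    # The domain-wide lockout policy is stored on the domain head object
    # (lockoutThreshold, lockoutDuration, lockOutObservationWindow) and is what
    # every DC enforces, regardless of what each DC's secpol.msc displays.
    $policy = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Domain                   = $domain.DNSRoot
        LockoutThreshold         = $policy.LockoutThreshold          # 0 = never lock out
        LockoutDuration          = $policy.LockoutDuration           # TimeSpan
        LockoutObservationWindow = $policy.LockoutObservationWindow  # TimeSpan
        PDCEmulator              = $domain.PDCEmulator
    }
}

function Get-FineGrainedOverrides {
    # Fine-grained password policies (2008 domain functional level and later)
    # override the domain policy for the users and groups they apply to.
    Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction SilentlyContinue |
        Select-Object Name, Precedence, LockoutThreshold, LockoutDuration,
                      LockoutObservationWindow, AppliesTo
}

function Get-LockedOutAccounts {
    Search-ADAccount -LockedOut -UsersOnly |
        Select-Object SamAccountName, LockedOut, LastLogonDate
}

function Get-LockoutEvents {
    param([string]$PdcEmulator, [int]$Hours = 24)
    # Event 4740: TargetUserName is the locked account, TargetDomainName is the
    # caller computer name (the machine that sent the bad passwords).
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $PdcEmulator -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']
                LoggedOnDC     = $_.MachineName
            }
        }
}

$policy = Get-DomainLockoutPolicy
'--- Domain lockout policy as enforced by the DCs ---'
$policy | Format-List
'--- Fine-grained policies that could override it ---'
Get-FineGrainedOverrides | Format-Table -AutoSize
if ($policy.LockoutThreshold -eq 0) {
    'Threshold is 0: no DC will lock a domain account unless a fine-grained policy applies.'
}
'--- Accounts currently locked out ---'
Get-LockedOutAccounts | Format-Table -AutoSize
'--- 4740 lockout events on the PDC emulator (last 24 h) ---'
Get-LockoutEvents -PdcEmulator $policy.PDCEmulator | Format-Table -AutoSize
```

If the first section still reports a threshold of 5 after the GPO shows "Not Defined", the domain object never received the change, which is the failure mode in this thread: re-define the setting with threshold 0 in the domain-linked GPO, let it apply to a DC, and run this again. The 4740 section is the quickest way to find a workstation or service with a stale credential once the policy itself is confirmed correct.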
 

Author Comment

by:SHAX
ID: 23672115
Here is an update:

I went back to the default domain policy.

I initially tried to change the policy to

Account Lockout duration 0 mins
Account Lockout threshold 0
Reset account lockout counter after 60 mins

I tried to set it like this just so all the "not defined" fields would have a value to propagate.

Windows would not let me set the policy that way. Apparently, if the account lockout threshold is set to zero, Windows will not allow the other values to be set to anything but not defined. So I set the policy like I had it before:

Account Lockout duration: not defined
Account Lockout threshold: 0
Reset account lockout counter after: not defined

Then I ran replmon a couple of times (I selected Synchronize Each Directory Partition with all servers -- I checked push mode and Cross site boundaries).

I ran secpol.msc on each of the domain controllers and the local security policy on each had changed to:

Account Lockout duration: not defined
Account Lockout threshold: 0
Reset account lockout counter after: not defined

Now I no longer have any problems with accounts being locked out.

Thanks for the help