We help IT Professionals succeed at work.

Account lockout policy not applied

I know this has been asked many times but heres my go :)
Im getting this in the server performace report evey night, sometimes more attemps.
 Security
529
01/06/2010 17:09
1,124 *
Logon Failure:
 
Reason:
Unknown user name or bad password
 
User Name:
administrator
 
Domain:
MYDOMAIN
 
Logon Type:
10
 
Logon Process:
User32
 
Authentication Package:
Negotiate
 
Workstation Name:
MYDOMAIN-SERVER
 
Caller User Name:
MYDOMAIN-SERVER$
 
Caller Domain:
MYDOMAIN
 
Caller Logon ID:
(0x0,0x3E7)
 
Caller Process ID:
8116
 
Transited Services:

Source Network Address:
24.101.10.276
 
Source Port:
30880

Open in new window

The policy is applied at the level in the screen shot.
 GPOHere is the GP result
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\A
U\NoAutoUpdate
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\A
U\ScheduledInstallTime
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\A
U\RescheduleWaitTime
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Small Business Server Remote Assistance Policy
                KeyName:     software\policies\microsoft\windows NT\Terminal Ser
vices\fAllowUnsolicited
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Small Business Server Remote Assistance Policy
                KeyName:     software\policies\microsoft\windows NT\Terminal Ser
vices\fAllowUnsolicitedFullControl
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\E
levateNonAdmins
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\T
argetGroup
                Value:       87, 0, 69, 0, 83, 0, 84, 0, 79, 0, 78, 0, 69, 0, 85
, 0, 75, 0, 0, 0
                State:       Enabled

            GPO: Small Business Server Remote Assistance Policy
                KeyName:     software\policies\microsoft\windows NT\Terminal Ser
vices\RAUnsolicit\MYDOMAIN\Domain Admins
                Value:       87, 0, 69, 0, 83, 0, 84, 0, 79, 0, 78, 0, 69, 0, 92
, 0, 68, 0, 111, 0, 109, 0, 97, 0, 105, 0, 110, 0, 32, 0, 65, 0, 100, 0, 109, 0,
 105, 0, 110, 0, 115, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\A
U\NoAutoRebootWithLoggedOnUsers
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\A
U\RescheduleWaitTimeEnabled
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\T
argetGroupEnabled
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Small Business Server Client Computer
                KeyName:     software\policies\microsoft\windows\network connect
ions\NC_ShowSharedAccessUI
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\A
U\DetectionFrequency
                Value:       22, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\A
U\RebootRelaunchTimeoutEnabled
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\W
UServer
                Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0
, 119, 0, 101, 0, 115, 0, 116, 0, 111, 0, 110, 0, 101, 0, 45, 0, 115, 0, 101, 0,
 114, 0, 118, 0, 101, 0, 114, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\A
U\ScheduledInstallDay
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Small Business Server Client Computer
                KeyName:     software\policies\microsoft\windows\network connect
ions\NC_AllowNetBridge_NLA
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\A
U\UseWUServer
                Value:       1, 0, 0, 0
                State:       Enabled


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=MYDOMAIN,DC=local
    Last time Group Policy was applied: 06/06/2010 at 12:06:00
    Group Policy was applied from:      MYDOMAIN-SERVER.MYDOMAIN.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MYDOMAIN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Small Business Server Windows Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PostSP2

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        Group Policy Creator Owners
        SMSMSE Admins
        Schema Admins
        SBS Mobile Users
        SBS Report Users
        Enterprise Admins
        Offer Remote Assistance Helpers

    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Enable computer and user accounts to be trusted for delegation
        Add workstations to domain

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Local Group Policy
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer\NoAddPrinter
                State:       disabled

            GPO: Local Group Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\Printers\Poi
ntAndPrint\TrustedServers
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\Printers\Poi
ntAndPrint\InForest
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\Printers\Poi
ntAndPrint\ServerList
                State:       disabled

            GPO: Local Group Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\Printers\Poi
ntAndPrint\Restricted
                Value:       0, 0, 0, 0
                State:       Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            GPO: Default Domain Policy
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   West One UK Ltd
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No

        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   N/A
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      No

        Internet Explorer URLs
        ----------------------
            GPO: Default Domain Policy
                Home page URL:           http://www.google.co.uk
                Search page URL:         N/A
                Online support page URL: N/A

        Internet Explorer Security
        --------------------------
            Always Viewable Sites:     N/A
            Password Override Enabled: False

            GPO: Default Domain Policy
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       No
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No

        Internet Explorer Programs
        --------------------------
            GPO: Default Domain Policy
                Import the current Program Settings: No

C:\Documents and Settings\Administrator>

Open in new window


I have been testing by deliberately logging with wrong passwords and after 11 wrong passwords I can still log in with the correct one?

A lot info I know but it seems to be required from other threads i've read.
Thanks all  :)
Comment
Watch Question

Author

Commented:
Sorry didnt mean to add question to Stores & Carts ;)
Hi,
I think that you haven't defined in your domain controller how many tries a user has untill he locks his account. You can check that following this steps:
-open administrative tools in your domain controller and click on Domain security policy
-Under security settings choose Account lock out policy
-On your right you will see: Account lockout threshold.. right clik on it and choose how many tries you want untill the account will lock. Hope it helps you
you have account lockout duration of 10 minutes.. that means after account will be unlocked automatically
that is why you are able to log in
change this value to 0 that requires administrator to unlock account once locked.. alos i will set the invalid attempts to 5 or 3 just to be more secure...
and reset account lock out counter to some 30 minutes.

Author

Commented:
But I am able to log in straight away, I thought the 10 minute duration would mean that I should not be able to log in until 10 minutes has passed.

Author

Commented:
But I am able to log in straight away, I thought the 10 minute duration would mean that I should not be able to log in until 10 minutes has passed.

Author

Commented:
I have adjusted the settings as below, correct ?
GPO-Account-lockout.jpg

Author

Commented:
Still no joy, the account is never locked no matter how many incorrect logins.
Author of the Year 2011
Top Expert 2006
Commented:
Leigh2004,
By Design, the "Administrator" account cannot be locked out - for all of the obvious reasons.
To my knowledge, that goes all the way back to Windows NT.
Already answered by younghv, account lockout policies do not affect the built-in Administrator account. Test with a user account.
Hello

If you think that administrator account is target of atack you can rename it as user lambda, then create an administrator as copy of guest. Put a strong password on it. That account will be locked by GPO.

Dan

Commented:
hello
 
I need some ugent help.I have an administrator account that needs to be excluded from my existing lock  out policy.This is a special administrator account created  maily to run services for a certain deployment application.I run windows server 2008 R2 AD.How do i set a policy or exclude this account from locking out , just like my enterprise administrator account?
Hello
FIrst is not ok to put a question in a closed one.
Seccond: no account can be excluded from this GPO, but the administrator account can't be looked. So:
even you run your apps using Domain Admin account, even you configure to run as a service.

Dan

Commented:
ooh sorry, im a new user here , i was not aware i was asking on a comment but i asked again.my apologies.