bnussbaum
asked on
Account lockout duration not using updated time.
We are running Server 2008 R2 and have an account lockout duration set up in Group Policy. Originally it was set for 30 min., but we changed it to 99000 minutes. We made the change several weeks ago, but accounts are still using the old 30 min. lockout duration time. I ran an RSoP on several computers and they show they are using the new lockout duration time, but the accounts are still being unlocked after 30 min. Below are the settings we use. Any ideas?
Account lockout duration 99000 minutes
Account lockout threshold 3 invalid logon attempts
Reset account lockout counter after 5 minutes
Does running gpupdate /force on the workstations get the new values, or do they remain on 30 minutes?
ASKER
That didn't work. When I run RSOP.msc on any computer they show they are using the new lockout duration time.
Can you provide the value of the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
Also, please mention what is the client OS?
It's hard to say if the whole environment is not described...
Since you have taken the RSOP, can you please also have a look at Group Policy Operational Logs? That will give you a clearer picture of what exactly is happening.
Please also check the Registry Key previously mentioned.
A
ASKER
It is a Server 2008 R2 domain and all computers are running Windows 7. I have found I had to edit the local security policy on the domain controller to change this.
Well, that is a start. But, what are you seeing on the clients in the registry key?
ASKER
I've checked on several computers and the MaxDenials key is set to 0 and the reset time is 2800.
Would you be open to trying to set the registry value via Group Policy Preferences?
ASKER
Yes I can do that.
Please see the link below:
http://www.grouppolicy.biz/tag/group-policy-preferences/
Go to the section:
How to use Group Policy to change the Drive Letters position in Windows Explorer
This has an example of how to set the desired registry key to achieve the result. My suggestion is to isolate one machine in an OU and test on it; if you get the desired result, then roll it out.
Hi,
Did you get time to try?
A
ASKER
When I edited the local security policy on the domain controller it fixed this issue.
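One way to check which lockout values the domain itself holds, rather than what RSoP reports on a client (an added example, not part of the original thread). It assumes the ActiveDirectory PowerShell module is available on the machine where it runs, and takes the expected values from the settings listed in the question.

```powershell
# Added example. Expected values are the ones the asker listed in the question.
Import-Module ActiveDirectory

$expected = @{
    LockoutDuration          = [TimeSpan]::FromMinutes(99000)
    LockoutThreshold         = 3
    LockoutObservationWindow = [TimeSpan]::FromMinutes(5)
}

# Read the lockout settings from the domain, not from a client's RSoP view.
$actual = Get-ADDefaultDomainPasswordPolicy

# Build one row per setting so a mismatch is visible at a glance.
$report = foreach ($name in $expected.Keys) {
    New-Object PSObject -Property @{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual.$name
        Match    = ($expected[$name] -eq $actual.$name)
    }
}
$report | Sort-Object Setting |
    Format-Table Setting, Expected, Actual, Match -AutoSize

# Fine-grained password policies, if any exist, take precedence over the
# domain values for the users and groups they apply to, so list them too.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutDuration,
                  LockoutThreshold, LockoutObservationWindow

if ($report | Where-Object { -not $_.Match }) {
    Write-Warning 'Domain lockout settings differ from the intended values.'
}
```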