Solved

Account lockout duration not using updated time.

Posted on 2011-09-19
13
455 Views
Last Modified: 2012-05-12
We are running server 2008 r2 and have an account lockout duration setup in group policy.  Originally it was set for 30 min. but we changed it to 99000 minutes.  We've made the change several weeks ago but accounts are still using the old 30 min. lockout duration time.  I ran a rsop on several computers and they show they are using the new lockout duration time, but the accounts are still being unlocked after 30 min.  Below are the settings we use.  Any ideas?

Account lockout duration 99000 minutes
Account lockout threshold 3 invalid logon attempts
Reset account lockout counter after 5 minutes
0
Comment
Question by:bnussbaum
  • 7
  • 5
13 Comments
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 36560833
Making a gpudate /force on workstations gets new values or remain on 30 minutes?
0
 

Author Comment

by:bnussbaum
ID: 36562153
That didn't work.  When I run RSOP.msc on any computer they show they are using the new lockout duration time.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36567938
Can you provide the value of the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36568650
Also, please mention what is the client OS?
It's hard to say if the whole environment is not described...

Since you have taken the RSOP, can you please also have a look at Group Policy Operational Logs? That will give you a clearer picture of what exactly is happening.

Please also check the Registry Key previously mentioned.

A
0
 

Author Comment

by:bnussbaum
ID: 36569653
It is a server 2008 R2 domain and all computers are running windows 7.  I have found I had to edit the local security policy on the domain controller to change this.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36569661
Well, that is a start. But, what are you seeing on the clients in the registry key?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:bnussbaum
ID: 36569918
I've check on several computer and the MaxDenials key is set to 0 and the reset time is 2800.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36569928
Would you be open to try to set the Registry via Group Policy Preferences?
0
 

Author Comment

by:bnussbaum
ID: 36570040
Yes I can do that.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36570076
Please see the link below:

http://www.grouppolicy.biz/tag/group-policy-preferences/

Go to the section:
How to use Group Policy to change the Drive Letters position in Windows Explorer

This has an example how to set the desired registry key to achieve the result. My suggestion is to isolate one machine in a OU & test on it, if you get the desired result then roll it out.

0
 
LVL 11

Expert Comment

by:Ackles
ID: 37095736
Hi,
Did you get time to try?
A
0
 
LVL 11

Accepted Solution

by:
Ackles earned 500 total points
ID: 37140534
Any news?

A
0
 

Author Comment

by:bnussbaum
ID: 37286386
When I edited the local security policy on the domain controller it fixed this issue.
0

Featured Post

Promote certifications in your email signature

Has your company recently won an award or achieved a certification? They'll no doubt want to show it off. Email signature images used to promote certifications & awards can instantly establish credibility with a recipient and provide you with numerous benefits.

Join & Write a Comment

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now