Solved

Account lockout issue

Posted on 2011-10-14
Last Modified: 2012-05-12
Hi all

We have a Windows 2008 R2 environment with Windows 7 workstations.
The Default Domain Policy is set to the following:
Account lockout threshold - Not defined
It was defined when we first created the domain as 3 incorrect passwords and would lock. We have since turned this option off, but the accounts still lock out after 3 incorrect logins.
We then tried to extend the number of incorrect logins to 999, still the same!
We changed it weeks ago to Not defined and have performed gpupdates on servers and workstations, but all still lock out on 3 incorrect passwords.
We have checked all through GP and there is no other reference anywhere for password lockouts.
Any help greatly appreciated.
Question by:CheadleAcacademy
15 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36968869
Are you setting the setting on a GPO that is linked at the domain root level? Also run an RSoP report just to make sure there is not another GPO that may have a conflicting setting.

Thanks

Mike
0
 
LVL 5

Expert Comment

by:neothwin
ID: 36968886
Please try with rsop.msc (or gpresult /z) on a client computer with a user account. The result will show the resultant GPO setting and where it comes from.
0
 

Author Comment

by:CheadleAcacademy
ID: 36968901
Thanks for that, it is set at root level.
Ran the RSoP and it states Not Defined for Account Lockout Policy.
Thanks
0

 
LVL 57

Expert Comment

by:Mike Kline
ID: 36968925
Any chance fine-grained passwords have been defined for groups or users? That is a feature available in 2008.

Thanks

Mike
0
 

Author Comment

by:CheadleAcacademy
ID: 36968977
Not sure what or where fine-grained passwords are, sorry.
Also ran gpresult /a and none stated for account lockout.
Cheers
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36969011
No problem, more on PSO settings here: http://technet.microsoft.com/en-us/library/cc770848(WS.10).aspx

Thanks

Mike
0
 
LVL 58

Expert Comment

by:McKnife
ID: 36972914
@neothwin
> Please try with rsop.msc (or gpresult /z) on a client computer with a user account. The result will show the resultant GPO setting and where it comes from.
No. This will show the active policy for local accounts, not domain accounts (yes, those could be the same, but don't have to be).

@CheadleAcacademy
Run rsop.msc right on your domain controller. I think there is another policy with active settings that take precedence over the DDP.
0
 

Author Comment

by:CheadleAcacademy
ID: 36975570
Hi, it still says not defined directly on the server?
Cheers
0
 

Author Comment

by:CheadleAcacademy
ID: 36975582
Checked the attributes for fine-grained password and it is set to 0 in there as well.
0
 
LVL 58

Expert Comment

by:McKnife
ID: 36976323
Strange. Please log on to a DC and run the command
net accounts
What's the output?
0
 

Author Comment

by:CheadleAcacademy
ID: 36977965
Cheers, ran net accounts and it states lockout threshold 3,
so it is there somewhere?
0
 
LVL 58

Expert Comment

by:McKnife
ID: 36983058
There is something broken.
Maybe you are able to use the command line to modify it (again at a domain controller):
net accounts /lockoutthreshold:10
This will be reflected not only the next time you use net accounts without parameters but even the next time you open up your password policy, as I could just test on my lab DC.
0
 

Author Comment

by:CheadleAcacademy
ID: 36984791
OK, I have now run the following command:
net accounts /lockoutthreshold:0
This has stopped the accounts getting locked out, so thanks for that. Will this be a permanent solution, or is it something we would have to do if we restart the server?
Cheers
Jon
0
 
LVL 58

Accepted Solution

by:
McKnife earned 2000 total points
ID: 36985148
That's easy to test.
net accounts will tell you what gets applied. So please do a gpupdate /force at the DC (no restart needed) and use "net accounts" again. If it still tells you the threshold is 0, the change was permanent.
0
 

Author Closing Comment

by:CheadleAcacademy
ID: 36985184
Very very helpful.
Thanks very much
0
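
The check the thread arrives at by hand (GPO shows "Not defined" while `net accounts` reports 3) can be done in one pass. This is an added example, not code from the thread: it reads the lockout values stored on the domain object, lists any fine-grained password policies (PSOs), and reports which one governs a given user. It assumes the ActiveDirectory PowerShell module is available; the account name `jsmith` is a placeholder.

```powershell
# Added example: requires the ActiveDirectory module (on a DC or via RSAT).
Import-Module ActiveDirectory

function Get-EffectiveLockoutPolicy {
    param(
        # Placeholder account name; pass a real sAMAccountName.
        [Parameter(Mandatory = $true)][string]$SamAccountName
    )

    # Values stored on the domain object itself. These are what the DCs
    # enforce, whatever the GPO editor or RSoP currently displays.
    $domain = Get-ADDefaultDomainPasswordPolicy

    # The fine-grained policy (PSO) that wins for this user.
    # Returns nothing when no PSO applies to the user or its groups.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

    if ($pso) { $source = "PSO '$($pso.Name)'"; $active = $pso }
    else      { $source = 'Domain object';      $active = $domain }

    New-Object PSObject -Property @{
        User              = $SamAccountName
        Source            = $source
        LockoutThreshold  = $active.LockoutThreshold
        LockoutDuration   = $active.LockoutDuration
        ObservationWindow = $active.LockoutObservationWindow
        # A threshold of 0 means accounts never lock out.
        LockoutDisabled   = ($active.LockoutThreshold -eq 0)
    }
}

# Every PSO in the domain and the users/groups it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, AppliesTo

# Effective lockout settings for one account.
Get-EffectiveLockoutPolicy -SamAccountName 'jsmith'
```

If `Source` is "Domain object" and `LockoutThreshold` differs from what the Default Domain Policy shows, the stored domain value is stale relative to the GPO, which is the situation described in this thread.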
