CheadleAcacademy
asked on
Account lockout issue
Hi all
We have a windows 2008R2 environment with Windows 7 workstations.
Default domain policy is set to the following
Account lockout threshold - Not defined
It was defined when we first created the domain as 3 incorrect passwords and would lock, we since turned this option off but the accounts still lockout after 3 incorrect logins.
We then tried to extend the number of incorrect logins to 999 still the same!
We changed it weeks ago to Not defined and have performed gpupdates on servers and workstations but all still locks out on 3 incorrect passwords
We have checked all through GP and there is no other reference anywhere for password lockouts
Any help greatly appreciated
We have a windows 2008R2 environment with Windows 7 workstations.
Default domain policy is set to the following
Account lockout threshold - Not defined
It was defined when we first created the domain as 3 incorrect passwords and would lock, we since turned this option off but the accounts still lockout after 3 incorrect logins.
We then tried to extend the number of incorrect logins to 999 still the same!
We changed it weeks ago to Not defined and have performed gpupdates on servers and workstations but all still locks out on 3 incorrect passwords
We have checked all through GP and there is no other reference anywhere for password lockouts
Any help greatly appreciated
pls try with rsop.msc (or gpresult /z) on a client computer with a user account. The result will show the resultant gpo setting and where does it come from.
ASKER
Thanks for that, It is set at root level.
Ran the RSoP and it states Not Defined for Account Lockout Policy
Thanks
Ran the RSoP and it states Not Defined for Account Lockout Policy
Thanks
Any chance fine grained passwords have been defined for groups or users. That is a feature available in 2008.
Thanks
Mike
Thanks
Mike
ASKER
Not sure what or where fine grained passwords are sorry?
Also ran gpresult /a and none stated for account lockout
Cheers
Also ran gpresult /a and none stated for account lockout
Cheers
No problem more on PSO settings here http://technet.microsoft.com/en-us/library/cc770848(WS.10).aspx
Thanks
Mike
Thanks
Mike
@neothwin
> pls try with rsop.msc (or gpresult /z) on a client computer with a user account. The result will show the resultant gpo setting and where does it come from.
No. This will show the active policy for local accounts, not domain accounts (yes, those could be the same, but don't have to).
@CheadleAcacademy
Perform rsop.msc right on your domain controller. I think there is another policy with active settings that precede over the DDP.
> pls try with rsop.msc (or gpresult /z) on a client computer with a user account. The result will show the resultant gpo setting and where does it come from.
No. This will show the active policy for local accounts, not domain accounts (yes, those could be the same, but don't have to).
@CheadleAcacademy
Perform rsop.msc right on your domain controller. I think there is another policy with active settings that precede over the DDP.
ASKER
hi still says not defined directly on the server?
cheers
cheers
ASKER
checked the attributes for fine grained password and it is set to 0 in there as well
Strange. Please logon to a DC and fire the command
net accounts
What's the output?
net accounts
What's the output?
ASKER
Cheers, Done net accounts and it states lockout threshold 3
so it is there somewhere?
so it is there somewhere?
There is something broken.
Maybe you are able to use the command line to modify it (again at a domain controller):
net accounts /lockoutthreshold:10
This will relect not only the next time you use net accounts without parameters but even the next time you open up your password policy as I could just test on my lab DC.
Maybe you are able to use the command line to modify it (again at a domain controller):
net accounts /lockoutthreshold:10
This will relect not only the next time you use net accounts without parameters but even the next time you open up your password policy as I could just test on my lab DC.
ASKER
Ok, I have now set the following command:-
net accounts /lockoutthreshold:0
This has stopped the accounts getting locked out so thanks for that, will this be a perminant sollution or is it something we would have to do if we restart the server?
Cheers
Jon
net accounts /lockoutthreshold:0
This has stopped the accounts getting locked out so thanks for that, will this be a perminant sollution or is it something we would have to do if we restart the server?
Cheers
Jon
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Very very helpfull.
Thanks very much
Thanks very much
Thanks
Mike