oandosupport
Account Lockout Issue
We have 2008 R2 AD / Windows 2003 AD environment. We modified account lockout policy by changing reset account lockout counter to 0. We did this because we want users to call helpdesk instead of waiting for 5 minutes.
We had to revert because over 50% of our users were locked out. What could be the issue? GPO was modified on Win 2003 AD.
ASKER CERTIFIED SOLUTION
The only bad thing is that "0" doesn't work for the "Reset Account lockout counter after" setting.
Saraf
ASKER
I got the question all wrong.
Account lockout duration was set to 0,
account lockout threshold was set to 3 invalid logons,
and reset account lockout counter after was set to 2 minutes.
All accounts got locked out.
So now that's sorted out..
by changing account lockout duration...
Congrats.
Saraf
Many people forget that any phones using active sync also authenticate against the domain and cause accounts to lock out.
ASKER
We still have a lot of users with accounts locked out. Our policy states that all users must contact helpdesk before their accounts are locked out. What is the effect of an account lockout duration of 0 vs 60?
Account Lockout Duration. If someone violates the lockout controls, Account lockout duration sets the length of time the account is locked. The lockout duration can be set to a specific length of time using a value between 1 and 99,999 minutes.
The best security policy is to lock the account indefinitely by setting the lockout duration to zero. When this is done, only an administrator can unlock the account. This will prevent hackers from trying to access the system again and will force users who are locked out to seek help from an administrator, which is usually a good idea. By talking to the user, the administrator can determine what the user is doing wrong and help the user avoid problems.
Saraf
ASKER
The strange thing is, all users were fine until we changed the account lockout duration to 0. This shouldn't cause accounts to lock out, should it?
Have you tried using the account lockout and management tool that I suggested?
ASKER
Yes I did. It's kinda strange. It shows my account as locked out on some DCs in different sites. Is there a tool to unlock all accounts?
In Lockoutstatus you can right-click the DC where the user is locked and select 'Unlock'
This needs to be done for each DC, as you cannot unlock on different DCs simultaneously.
You should always "unlock" an account on the DC hosting the PDC role to ensure the account doesn't get relocked. You could also have AD replication issues (check that the time on every DC is consistent and within 600 seconds of the PDC).
There is obviously something wrong with your replication if your account is only locked on some DCs. You can download a trial of ManageEngine's ADManager Plus to unlock multiple accounts at the same time.
ASKER
The tool helped in unlocking accounts.
To achieve what you want, set Account Lockout Threshold to 1 and Account Lockout Duration to 0, meaning that the account will be locked out until an administrator explicitly unlocks it.
Reset Account Lockout Counter After may be set to a reasonably large number - the max is 99,999 minutes.
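As an added example (not posted by anyone in this thread), the following PowerShell script shows the two checks the replies above describe: reading the effective domain lockout policy (threshold, duration, reset window), then querying a user's lockout state on every DC and unlocking only on the PDC emulator so replication carries the unlock everywhere. It assumes the RSAT ActiveDirectory module is installed and the caller has rights to read and unlock the account; the parameter names are my own.

```powershell
# Added example: check domain lockout policy and per-DC lockout state for one account.
# Assumes the ActiveDirectory module (RSAT) and permission to read/unlock the account.
param(
    [Parameter(Mandatory)][string]$SamAccountName,  # account to inspect (hypothetical parameter)
    [switch]$Unlock                                  # when set, unlock on the PDC emulator
)
Import-Module ActiveDirectory

# 1. Effective domain policy. LockoutDuration of 00:00:00 means "locked until an admin unlocks".
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    LockoutThreshold         = $policy.LockoutThreshold
    LockoutDuration          = $policy.LockoutDuration
    LockoutObservationWindow = $policy.LockoutObservationWindow   # "Reset counter after"
} | Format-List

# 2. badPwdCount is never replicated and lockoutTime can lag behind replication,
#    so the same account can look locked on some DCs and not on others. Ask each DC.
$pdc    = (Get-ADDomain).PDCEmulator
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties lockoutTime, badPwdCount -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            IsPDC       = ($dc.HostName -eq $pdc)
            LockedOut   = ($u.lockoutTime -gt 0)
            LockoutTime = if ($u.lockoutTime -gt 0) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
            BadPwdCount = $u.badPwdCount
        }
    } catch {
        # Unreachable DC: record it rather than silently skipping it.
        [pscustomobject]@{ DC = $dc.HostName; IsPDC = ($dc.HostName -eq $pdc)
                           LockedOut = 'unreachable'; LockoutTime = $null; BadPwdCount = $null }
    }
}
$report | Sort-Object IsPDC -Descending | Format-Table -AutoSize

# 3. Unlock on the PDC emulator only; the other DCs pick the change up via replication.
if ($Unlock -and ($report | Where-Object { $_.LockedOut -eq $true })) {
    Unlock-ADAccount -Identity $SamAccountName -Server $pdc
    Write-Host "Unlocked $SamAccountName on PDC emulator $pdc"
}
```

If the report shows the account locked on only some DCs long after the lockout, that is the replication or clock-skew problem mentioned above, not a policy problem.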