oandosupport

asked on

Account Lockout Issue

We have a 2008 R2 AD / Windows 2003 AD environment. We modified the account lockout policy by changing "Reset account lockout counter after" to 0. We did this because we want users to call the helpdesk instead of waiting for 5 minutes.

We had to revert because over 50% of our users were locked out. What could be the issue? The GPO was modified on the Win 2003 AD.
undejj

I think you mean that you set Reset Account Lockout Counter After to 0, meaning that the account lockout counter never resets because the value is in units of minutes.

To achieve what you want, set Account Lockout Threshold to 1 and Account Lockout Duration to 0, meaning that the account will be locked out until an administrator explicitly unlocks it.

Reset Account Lockout Counter After may be set to a reasonably large number - the max is 99,999 minutes.
ASKER CERTIFIED SOLUTION
Hendrik Wiese
saraf1000

The only bad thing is that "0" doesn't work for the "Reset account lockout counter after" setting.

Saraf
oandosupport

ASKER

I got the question all wrong.
Account lockout duration was set to 0,
account lockout threshold was set to 3 invalid logons,
and reset account lockout counter after was set to 2 minutes.

All accounts got locked out.
So now that's sorted out..
by changing account lockout duration...

Congrats.

Saraf
Many people forget that any phones using active sync also authenticate against the domain and cause accounts to lock out.
We still have a lot of users with accounts locked out. Our policy states that all users must contact the helpdesk before their accounts are locked out. What is the effect of an account lockout duration of 0 vs 60?
Account Lockout Duration. If someone violates the lockout controls, Account lockout duration sets the length of time the account is locked. The lockout duration can be set to a specific length of time using a value between 1 and 99,999 minutes.

The best security policy is to lock the account indefinitely by setting the lockout duration to zero. When this is done, only an administrator can unlock the account. This will prevent hackers from trying to access the system again and will force users who are locked out to seek help from an administrator, which is usually a good idea. By talking to the user, the administrator can determine what the user is doing wrong and help the user avoid problems.

Saraf
The strange thing is, all users were fine until we changed the account lockout duration to 0. This shouldn't cause accounts to lock out, should it?
Have you tried using the account lockout and management tool that I suggested?
Yes I did. It's kinda strange. It shows my account as locked out on some DCs in different sites. Is there a tool to unlock all accounts?
In Lockoutstatus you can right-click the DC where the user is locked and select 'Unlock'

This needs to be done for each DC as you cannot unlock on different DCs simultaneously.
You should always "unlock" an account on the DC hosting the PDC role to ensure the account doesn't get relocked. You could also have AD replication issues (check that the time on every DC is consistent and within 600 seconds of the PDC).
There is obviously something wrong with your replication if your account is only locked on some DCs. You can download a trial of ManageEngine's ADManager Plus to unlock multiple accounts at the same time. Download Link
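As an added example (not code from anyone in this thread), the following PowerShell does with the ActiveDirectory RSAT module what the answers above describe by hand: it reads the effective lockout settings (threshold, duration, observation window), asks every domain controller separately whether an account is locked, since Lockoutstatus shows per-DC state and the bad-password count is not replicated, and unlocks on the PDC emulator, which is the DC the previous answer says should always be used. The account name 'jdoe' and the function names are assumptions for illustration; the cmdlets are the standard ones from the ActiveDirectory module.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) is installed and the caller has rights to read and unlock
# accounts. 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Effective lockout policy. A LockoutDuration of 00:00:00 is the thread's
#    "duration 0": the account stays locked until an administrator unlocks it.
function Get-LockoutPolicy {
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

# 2. Query each DC directly. lockoutTime replicates (urgently) but can lag;
#    badPwdCount is never replicated, so only a per-DC view shows which DC
#    actually recorded the failed logons. This reproduces what Lockoutstatus shows.
function Get-LockoutByDC {
    param([Parameter(Mandatory)][string]$SamAccountName)
    foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc `
                    -Properties LockedOut, lockoutTime, badPwdCount, badPasswordTime
            [pscustomobject]@{
                DC          = $dc
                LockedOut   = $u.LockedOut
                LockoutTime = if ($u.lockoutTime)      { [DateTime]::FromFileTime($u.lockoutTime) }      else { $null }
                BadPwdCount = $u.badPwdCount
                BadPwdTime  = if ($u.badPasswordTime)  { [DateTime]::FromFileTime($u.badPasswordTime) }  else { $null }
            }
        } catch {
            # A DC that does not answer is itself a finding (replication or connectivity).
            [pscustomobject]@{ DC = $dc; LockedOut = "unreachable: $($_.Exception.Message)" }
        }
    }
}

# 3. Unlock on the PDC emulator only; it is authoritative for lockouts, so the
#    unlock replicates out instead of being overwritten by a stale DC.
function Unlock-OnPdc {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Unlock-ADAccount -Identity $SamAccountName -Server $pdc
}

# 4. Bulk version of "unlock all accounts": every account the PDC considers locked.
function Unlock-AllOnPdc {
    Search-ADAccount -LockedOut -Server $pdc | ForEach-Object {
        Unlock-ADAccount -Identity $_ -Server $pdc
        $_.SamAccountName   # return the names that were unlocked
    }
}

# 5. Clock skew between each DC and the PDC, as the previous answer suggests checking.
function Get-DCClockOffsetFromPdc {
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        w32tm /stripchart /computer:$using:pdc /samples:1 /dataonly
    }
}

# Usage
Get-LockoutPolicy
Get-LockoutByDC -SamAccountName 'jdoe' | Format-Table -AutoSize
# Unlock-OnPdc -SamAccountName 'jdoe'
# Unlock-AllOnPdc
# Get-DCClockOffsetFromPdc
```

Run the per-DC query before unlocking: if one DC still reports a high badPwdCount after the others are clean, the source of the bad passwords (a phone with a stale ActiveSync password, a mapped drive, a scheduled task) is still talking to that DC and will relock the account as soon as the threshold is hit again.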
The tool helped in unlocking accounts.