AD Account Lockout Not Working
I am having a problem getting my account lockout policy to work.
I have a setting in my Default Domain Policy in my Server 2008 Active Directory domain configured as follows:
Account Policies/Account Lockout Policy
Policy                                 Setting                    Winning GPO
Account lockout duration               30 minutes                 Default Domain Policy
Account lockout threshold              5 invalid logon attempts   Default Domain Policy
Reset account lockout counter after    30 minutes                 Default Domain Policy
I have confirmed the settings are active by running the Group Policy Results Wizard on the domain controller for the machines and logon IDs I am testing. I have also confirmed the settings on all machines using the "net accounts" command with the following results:
C:\>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 30
Maximum password age (days): 90
Minimum password length: 8
Length of password history maintained: 4
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
However, when testing, the accounts never get locked out. I do six invalid attempts and the OS pauses for about 15-30 seconds, then it lets me try again. On one account, I tried 31 invalid attempts within about 3-5 minutes and it still let me login after that.
I have confirmed that this is not confined to a single machine, server, or user account. The same lockout information is displayed using "net accounts" on 5 different workstations and 3 servers. All 8 machines tested do not lock out the accounts used.
Any ideas on the potential cause or hints on where I can look to troubleshoot this?
Thanks!
We had a separate account lockout GPO put in place several months ago, but recently discovered that the Default Domain Policy was taking precedence. Late last week we moved the settings into the Default Domain Policy and have been testing/troubleshooting this issue ever since.
There are no errors in the logs relating to Group Policy on the machines. The only Group Policy events I see on the machines are Informational event IDs 1502 & 1503:
1502: The Group Policy settings for the computer were processed successfully. New settings from XX Group Policy objects were detected and applied.
1503: The Group Policy settings for the user were processed successfully. New settings from XX Group Policy objects were detected and applied.
Thanks!
Out of curiosity, have you tried creating a new GPO just for the PW policy and making sure that it takes precedence? Does that cause issues too?
Thanks
Mike
I created a new GPO (2013.05.08 - Account Lockout Policy):
Lockout threshold: 7
Lockout duration (minutes): 22
Lockout observation window (minutes): 22
Set the Account lockout options in the Default Domain Policy to "Not Defined"
Ran the GPR (Group Policy Results) Wizard:
Account Policies/Account Lockout Policy
Policy                                 Setting                    Winning GPO
Account lockout duration               22 minutes                 2013.05.08 - ALP
Account lockout threshold              7 invalid logon attempts   2013.05.08 - ALP
Reset account lockout counter after    22 minutes                 2013.05.08 - ALP
Net Accounts:
Lockout threshold: 7
Lockout duration (minutes): 22
Lockout observation window (minutes): 22
It still is not locking out the account even after 15 attempts.
It looks like the policy is working. My issue resides with the "Bad Pwd Count" flag. A few accounts are being incremented and eventually get locked out; some never go above 1.
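A diagnostic for the "Bad Pwd Count" behaviour in the comment above and for the lockout testing described in the question, added here as an example and not part of the thread: badPwdCount is held per domain controller and is not replicated (each DC forwards failures to the PDC emulator, whose copy decides the lockout), so it reads the counter from every DC, marks the PDC emulator's row, and compares it with the effective domain lockout policy. It assumes the ActiveDirectory RSAT module, rights to read user attributes, and a placeholder account name jdoe.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'          # placeholder: the account being tested
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# Domain-wide lockout settings as stored in AD (the values "net accounts" reports on members)
$policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc
"Threshold: {0}  Duration: {1}  Window: {2}" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow

# badPwdCount is not replicated: every DC keeps its own counter and forwards bad attempts to
# the PDC emulator. A count of 1 on the DC you happen to query says nothing about the others.
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            IsPDC       = ($dc.HostName -eq $pdc)
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockoutTime = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
            LockedOut   = $u.LockedOut
        }
    } catch {
        # Unreachable DC: record it rather than silently dropping a counter from the picture
        [pscustomobject]@{ DC = $dc.HostName; IsPDC = ($dc.HostName -eq $pdc)
                           BadPwdCount = 'unreachable'; LastBadPwd = $null; LockoutTime = $null; LockedOut = $null }
    }
}
$rows | Sort-Object IsPDC -Descending | Format-Table -AutoSize

# The PDC emulator's counter is the one that triggers the lockout once it reaches the threshold
# inside the observation window. If it has reached the threshold and the account is still not
# locked, check for a fine-grained password policy overriding the domain policy.
$pdcRow = $rows | Where-Object IsPDC
if ($pdcRow.BadPwdCount -is [int] -and $pdcRow.BadPwdCount -ge $policy.LockoutThreshold -and -not $pdcRow.LockedOut) {
    Write-Warning "PDC count is at or above the threshold but the account is not locked out."
    Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -Server $pdc
}
# Note for testing: attempts that reuse one of the account's two previous passwords do not
# increment badPwdCount on 2008-era DCs, so test with a password the account has never had.
```

Event ID 4740 on the PDC emulator records each lockout, and 4625 on the DC that handled the logon records each failure, so the counters above can be cross-checked against the Security log.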