VIBT

asked on
AD Account Lockout Not Working

I am having a problem getting my account lockout policy to work.

I have a setting in my Default Domain Policy in my Server 2008 Active Directory domain configured as follows:

Account Policies/Account Lockout Policy
Policy                               Setting                    Winning GPO
Account lockout duration             30 minutes                 Default Domain Policy
Account lockout threshold            5 invalid logon attempts   Default Domain Policy
Reset account lockout counter after  30 minutes                 Default Domain Policy

I have confirmed the settings are active by running the Group Policy Results Wizard on the domain controller for the machines and logon IDs I am testing.  I have also confirmed the settings on all machines using the "net accounts" command with the following results:

C:\>net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                                 30
Maximum password age (days):                                90
Minimum password length:                                       8
Length of password history maintained:                  4
Lockout threshold:                                                      5
Lockout duration (minutes):                                      30
Lockout observation window (minutes):                  30
Computer role:                                                            WORKSTATION
The command completed successfully.

However, when testing, the accounts never get locked out.  I do six invalid attempts and the OS pauses for about 15-30 seconds, then it lets me try again.  On one account, I tried 31 invalid attempts within about 3-5 minutes and it still let me login after that.

I have confirmed that this is not confined to a single machine, server, or user account.  The same lockout information is displayed using "net accounts" on 5 different workstations and 3 servers.  All 8 machines tested do not lock out the accounts used.

Any ideas on the potential cause or hints on where I can look to troubleshoot this?

Thanks!
ASKER CERTIFIED SOLUTION
Mike Kline
VIBT

ASKER

We had a separate account lockout GPO put in place several months ago, and recently discovered that the Default Domain Policy was taking precedence.  Late last week we moved the settings into the Default Domain Policy and have been testing/troubleshooting this issue ever since.

There are no errors in the logs relating to Group Policy on the machines.  The only Group Policy events I see on the machines are Informational event IDs 1502 & 1503:

1502: The Group Policy settings for the computer were processed successfully. New settings from XX Group Policy objects were detected and applied.

1503: The Group Policy settings for the user were processed successfully. New settings from XX Group Policy objects were detected and applied.

Thanks!
Out of curiosity, have you tried creating a new GPO just for the PW policy and making sure that takes precedence?  Does that cause issues too?

Thanks

Mike
VIBT

ASKER

I created a new GPO (2013.05.08 - Account Lockout Policy):
     Lockout threshold:                                    7
     Lockout duration (minutes):                           22
     Lockout observation window (minutes):       22
Set the Account lockout options in the Default Domain Policy to "Not Defined"

Ran the GPR (Group Policy Results) Wizard:

Account Policies/Account Lockout Policy
     Policy                               Setting                    Winning GPO
     Account lockout duration             22 minutes                 2013.05.08 - ALP
     Account lockout threshold            7 invalid logon attempts   2013.05.08 - ALP
     Reset account lockout counter after  22 minutes                 2013.05.08 - ALP

Net Accounts:
     Lockout threshold:                                                     7
     Lockout duration (minutes):                                     22
     Lockout observation window (minutes):                 22

It still is not locking out the account even after 15 attempts.
SOLUTION
VIBT

ASKER

It looks like the policy is working.  My issue resides with the "Bad Pwd Count" flag.  A few accounts are being incremented and eventually get locked out, some never go above 1.
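A per-domain-controller check of the counters the last reply points at, added here as an example and not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT) and uses a placeholder account name.

```powershell
# Added diagnostic, not code from the thread. Assumes the ActiveDirectory
# PowerShell module (RSAT) and a placeholder account name 'jdoe'.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'   # placeholder: the account that "never goes above 1"

# 1. Effective lockout policy, the same values 'net accounts' printed above.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. badPwdCount is not replicated between DCs: the DC that rejected the
#    logon bumps its own copy and forwards the failure to the PDC emulator,
#    which holds the authoritative count. lockoutTime, by contrast, is
#    replicated. Reading a single DC can therefore show a count stuck at 1
#    while another DC (or the PDC) is the one actually counting.
$pdc = (Get-ADDomain).PDCEmulator

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, lastBadPasswordAttempt, lockoutTime, LockedOut `
                -ErrorAction Stop
        # lockoutTime is a FILETIME; 0 or empty means not locked / cleared
        $lockedAt = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        [pscustomobject]@{
            DC          = $dc.HostName
            IsPDC       = ($dc.HostName -eq $pdc)
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = $u.lastBadPasswordAttempt
            LockedOut   = $u.LockedOut
            LockoutTime = $lockedAt
        }
    } catch {
        [pscustomobject]@{
            DC          = $dc.HostName
            IsPDC       = ($dc.HostName -eq $pdc)
            BadPwdCount = "unreachable: $($_.Exception.Message)"
            LastBadPwd  = $null
            LockedOut   = $null
            LockoutTime = $null
        }
    }
}

# PDC first, then the rest. A count that moves on only one DC is normal;
# a count that moves on no DC at all means the failed logons never reached
# the domain (for example a local account or a cached logon) rather than
# a broken lockout policy.
$report | Sort-Object IsPDC -Descending | Format-Table -AutoSize
```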