VIBT
asked on
AD Account Lockout Not Working
I am having a problem getting my account lockout policy to work.
I have a setting in my Default Domain Policy in my Server 2008 Active Directory domain configured as follows:
Account Policies/Account Lockout Policy
Policy                                 Setting                     Winning GPO
Account lockout duration               30 minutes                  Default Domain Policy
Account lockout threshold              5 invalid logon attempts    Default Domain Policy
Reset account lockout counter after    30 minutes                  Default Domain Policy
I have confirmed the settings are active by running the Group Policy Results Wizard on the domain controller for the machines and logon IDs I am testing. I have also confirmed the settings on all machines using the "net accounts" command with the following results:
C:\>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 30
Maximum password age (days): 90
Minimum password length: 8
Length of password history maintained: 4
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
However, when testing, the accounts never get locked out. I do six invalid attempts and the OS pauses for about 15-30 seconds, then it lets me try again. On one account, I tried 31 invalid attempts within about 3-5 minutes and it still let me log in after that.
I have confirmed that this is not confined to a single machine, server, or user account. The same lockout information is displayed using "net accounts" on 5 different workstations and 3 servers. All 8 machines tested do not lock out the accounts used.
Any ideas on the potential cause or hints on where I can look to troubleshoot this?
Thanks!
ASKER CERTIFIED SOLUTION
Out of curiosity, have you tried creating a new GPO just for the PW policy and making sure that takes precedence? Does that cause issues too?
Thanks
Mike
ASKER
I created a new GPO (2013.05.08 - Account Lockout Policy):
Lockout threshold: 7
Lockout duration (minutes): 22
Lockout observation window (minutes): 22
Set the Account lockout options in the Default Domain Policy to "Not Defined"
Ran the GPR (Group Policy Results) Wizard:
Account Policies/Account Lockout Policy
Policy                                 Setting                     Winning GPO
Account lockout duration               22 minutes                  2013.05.08 - ALP
Account lockout threshold              7 invalid logon attempts    2013.05.08 - ALP
Reset account lockout counter after    22 minutes                  2013.05.08 - ALP
Net Accounts:
Lockout threshold: 7
Lockout duration (minutes): 22
Lockout observation window (minutes): 22
It still is not locking out the account even after 15 attempts.
SOLUTION
ASKER
It looks like the policy is working. My issue resides with the "Bad Pwd Count" flag. A few accounts are being incremented and eventually get locked out; some never go above 1.
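The two checks the thread has been circling, the effective lockout policy the new GPO produced and the "Bad Pwd Count" that climbs on some accounts and not others, can be read straight from Active Directory. The script below is an added example, not code posted in this thread. It assumes the ActiveDirectory PowerShell module (RSAT, or a Server 2008 R2 or later DC) and PowerShell 3.0 or later; $TestUser is a placeholder for the account being tested. The security-relevant point it makes visible is that badPwdCount, badPasswordTime and lockoutTime are not replicated between domain controllers, so the counter seen on one DC says nothing about the others; every DC forwards bad-password attempts to the PDC emulator, which is where the count should be watched approaching the threshold.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module,
# PowerShell 3.0+, and that $TestUser is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$TestUser = 'lockouttest'   # placeholder; replace with the account under test

# 1. Effective domain-wide lockout policy, read from AD (what "net accounts" reports)
$policy = Get-ADDefaultDomainPasswordPolicy
"Threshold={0}  Duration={1}  ObservationWindow={2}" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow

# 2. Per-DC lockout counters. badPwdCount / badPasswordTime / lockoutTime are
#    non-replicated attributes, so each DC has to be queried directly.
#    Bad passwords are forwarded to the PDC emulator, making it the authoritative
#    place to watch the count climb towards the threshold.
$pdc = (Get-ADDomain).PDCEmulator
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $TestUser -Server $dc `
            -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut

    # Both timestamps are stored as Windows FILETIME integers; 0 means "never"
    $badTime  = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
    $lockTime = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }

    [pscustomobject]@{
        DC              = $dc
        IsPDC           = ($dc -eq $pdc)
        BadPwdCount     = $u.badPwdCount
        BadPasswordTime = $badTime
        LockoutTime     = $lockTime
        LockedOut       = $u.LockedOut
    }
}

# PDC emulator first, since its count is the one that triggers the lockout
$report | Sort-Object IsPDC -Descending | Format-Table -AutoSize
```

Run it from a domain-joined machine as a user with read access to the test account, make a few deliberately wrong logon attempts, and run it again: a healthy setup shows the PDC emulator's BadPwdCount rising with each attempt and, once it reaches the threshold, LockoutTime set and LockedOut = True replicating out to the other DCs. A count that stays at 1 on the DC you happen to be looking at while the PDC emulator's count moves is expected behaviour, not a policy failure.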
ASKER
There are no errors in the logs relating to Group Policy on the machines. The only Group Policy events I see on the machines are Informational event IDs 1502 & 1503:
1502: The Group Policy settings for the computer were processed successfully. New settings from XX Group Policy objects were detected and applied.
1503: The Group Policy settings for the user were processed successfully. New settings from XX Group Policy objects were detected and applied.
Thanks!
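Events 1502 and 1503 only confirm that Group Policy was applied; the trail of the failed logons themselves is in the Security log of the domain controllers, and since every DC forwards bad-password attempts there, the PDC emulator's log is the single place that sees all of them. The script below is an added example, not code from this thread. It assumes failure auditing for account logon and logon events is enabled on the DCs, the ActiveDirectory module is installed, remote event-log access to the PDC emulator is permitted, and $TestUser is a placeholder account name. It pulls event 4771 (Kerberos pre-authentication failed), failed 4776 entries (NTLM credential validation; status 0xC000006A is a wrong password) and 4740 (the account was locked out) for one account and lists them in order, which shows directly whether the test attempts are reaching the DC and how many of them were counted before a lockout fired.

```powershell
# Added example (not from the original thread). Assumes DC failure auditing is enabled,
# the ActiveDirectory module is installed, and $TestUser is a placeholder account name.
Import-Module ActiveDirectory

$TestUser = 'lockouttest'             # placeholder; replace with the account under test
$Since    = (Get-Date).AddHours(-1)   # look back over the last hour of testing
$pdc      = (Get-ADDomain).PDCEmulator

# 4771 = Kerberos pre-authentication failed (logged only on failure)
# 4776 = NTLM credential validation (Status 0x0 = success, 0xC000006A = bad password)
# 4740 = a user account was locked out
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4771, 4776, 4740
    StartTime = $Since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a name/value table
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4776 is logged for successes too; keep only the failures
    if ($e.Id -eq 4776 -and $data['Status'] -eq '0x0') { continue }
    if ($data['TargetUserName'] -ne $TestUser) { continue }

    # The field naming the originating machine differs per event ID
    $source = switch ($e.Id) {
        4771 { $data['IpAddress'] }
        4776 { $data['Workstation'] }
        4740 { $data['TargetDomainName'] }   # for 4740 this is the caller computer
    }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Source = $source
        Status = $data['Status']
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize

$failed   = @($hits | Where-Object { $_.Id -ne 4740 }).Count
$lockouts = @($hits | Where-Object { $_.Id -eq 4740 }).Count
"Failed attempts for {0} since {1}: {2}; lockouts: {3}" -f $TestUser, $Since, $failed, $lockouts
```

If the failed-attempt count is lower than the number of attempts you typed, the missing ones either never reached a DC (for example they were rejected locally) or were authenticated by a DC whose events are not being forwarded, and that gap, not the GPO, is where to look next. A 4740 with no preceding run of 4771/4776 entries for the same account usually means auditing is only partially enabled.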