Solved

"Bad Pwd Count" attribute not incrementing above "1" for many users

Posted on 2013-05-13
Last Modified: 2013-06-18
I recently began troubleshooting an issue with our Domain Account Lockout policy which appeared not to be working.  It turns out that the policy is working and a few accounts will actually get locked out.

However, many of the accounts in my domain never have the "Bad Pwd Count" attribute increment over 1 - no matter how many bad passwords they enter.

Dumping the badpwdcount value for all the users in the domain shows a mix mostly of 0 & 1.
The 0 & 1 values do not correlate with the account's ability to increment the badpwdcount.  (Some 0's & some 1's will increment over 1, while some of each will not increment over 1.)
We are testing the badpwdcount increment with random characters - nothing that should be in the PWD History [N-2] and hence excluded from incrementing the attribute.

I am at a loss to explain why some accounts have their badpwdcount attribute incremented and some do not.

Any suggestions on further troubleshooting/solutions?

Thanks!
Question by:VIBT
11 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 39162475
Well... you don't even mention important details like the "reset account lockout counter after" policy. That resets the counter all the time if set.
 

Author Comment

by:VIBT
ID: 39162596
Sorry, here are the account lockout policy specifics defined in a separate policy from Default Domain Policy (applied to "Authenticated Users").  These settings are "Not Defined" in the Default Domain policy.  We experienced the same behavior when the settings were in the Default Domain Policy.

Account Policies/Account Lockout Policy
    Policy                                  Setting
    Account lockout duration                22 minutes
    Account lockout threshold               7 invalid logon attempts
    Reset account lockout counter after     22 minutes
 
LVL 54

Expert Comment

by:McKnife
ID: 39162641
To complete your reply: so you are sure your effect cannot be due to the counter reset that comes after 22 minutes?
 

Author Comment

by:VIBT
ID: 39162704
When we do our testing for this, we actively watch the counter with the lockoutstatus.exe tool from Microsoft.

We will do several "passes" in a row.  Each pass consists of one bad password attempt and a rescan with the lockoutstatus tool to show the updated badpwdcount.  We test at least 3 passes, but have tested 15 passes in well under the unlock threshold.  The accounts that do not increment over "1" remain at "1" even after the reset counter time frame has passed.

The user I had tested right before I first posted this question at 11:52 showed the count at "1".  Refreshing now at 2:15 shows the count still at "1".
 
LVL 1

Expert Comment

by:gjeff80
ID: 39208967
I am working with MS PSS right now on this same exact issue.  We have the same issue going on right now.
 

Author Comment

by:VIBT
ID: 39208995
That is good to know that we are not the only ones having the issue.  I also have opened a case with Microsoft.  I have had several remote sessions with them over the last 2 weeks and they have now engaged several tech leads to see if they can resolve it.

If you get a resolution on this, please post it here.  I will do the same.
 
LVL 1

Assisted Solution

by:gjeff80
gjeff80 earned 500 total points
ID: 39241896
So I ended up finding what was causing this problem in our domain.  Are you by chance running 2008 for your domain level?  Someone went and created a Fine Grained Password policy in our domain which ended up being configured incorrectly and it was taking precedence over the domain policy.  You can check this through Active Directory Administrative Center (or by drilling through ADSIEDIT.MSC).  Once we deleted the bad policy our badPwdCount started incrementing again.
 

Author Comment

by:VIBT
ID: 39244945
We are running 2008 for the domain level and I looked online for instructions for creating a PSO.

http://technet.microsoft.com/en-us/library/cc754461%28v=ws.10%29.aspx#BKMK_1

I drilled down into the Password Settings Container and it looks like there WAS one created in February of 2012.

A note from the TechNet article:
    Important
    To disable account lockout policies, assign the msDS-LockoutThreshold attribute the value of 0.
Guess what is set to 0...

I'm going to do some more investigating into this as to why it was created and the settings and will report back with my findings.

Thanks for the heads up!  You may have just found my solution!!
 

Accepted Solution

by:VIBT
VIBT earned 0 total points
ID: 39245270
Drilling down in adsiedit.msc to

DC=<domain_name>
CN=System
CN=Password Settings Container

I confirmed we had a Fine Grained Password Policy Object with the msDS-LockoutThreshold attribute set to 0.

I edited the msDS-PSOAppliesTo attribute and removed the listed security group.  I then confirmed that the badPwdCount user attribute was now increasing for my affected accounts (they were members of the group).

We have since removed the Fine Grained Password object and the lockout policy is working as expected.

Thanks gjeff80 for the heads up!
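The check described in gjeff80's assisted solution and in the accepted solution above (walk the Password Settings Container, look for a PSO with msDS-LockoutThreshold = 0, and see who it applies to), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory RSAT module and read access to CN=Password Settings Container; the sAMAccountName 'jdoe' is a placeholder for the account under test.

```powershell
# Added example (not from the thread): audit Fine-Grained Password Policies (PSOs).
# A PSO with msDS-LockoutThreshold = 0 disables account lockout for every user or
# group listed in msDS-PSOAppliesTo, and it wins over the domain Account Lockout
# Policy, which is the symptom described in the question.
Import-Module ActiveDirectory

$domainDN     = (Get-ADDomain).DistinguishedName
$psoContainer = "CN=Password Settings Container,CN=System,$domainDN"

# Enumerate the PSOs exactly as adsiedit.msc shows them, reading the raw attributes.
$psos = Get-ADObject -SearchBase $psoContainer -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msDS-PasswordSettings)' `
    -Properties 'msDS-LockoutThreshold', 'msDS-PSOAppliesTo', 'msDS-PasswordSettingsPrecedence'

foreach ($pso in $psos) {
    $threshold = $pso.'msDS-LockoutThreshold'
    $appliesTo = @($pso.'msDS-PSOAppliesTo')
    # Lower precedence value wins when several PSOs apply; a PSO linked directly to a
    # user beats one linked through a group regardless of precedence.
    $flag = if ($threshold -eq 0) { 'LOCKOUT DISABLED' } else { 'ok' }
    "{0,-40} lockoutThreshold={1,-3} precedence={2,-4} {3}" -f `
        $pso.Name, $threshold, $pso.'msDS-PasswordSettingsPrecedence', $flag
    foreach ($dn in $appliesTo) { "    appliesTo -> $dn" }
}

# For one affected account, show the policy that actually governs it (the resultant
# PSO, or nothing when the domain policy applies) next to the current badPwdCount.
# badPwdCount is not replicated; the PDC emulator receives every failed attempt, so
# query it directly rather than whichever DC the session happens to be bound to.
$pdc  = (Get-ADDomain).PDCEmulator
$user = Get-ADUser -Identity 'jdoe' -Server $pdc -Properties badPwdCount, lockoutTime   # placeholder account
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user -Server $pdc
if ($resultant) {
    "{0}: resultant PSO '{1}' LockoutThreshold={2} badPwdCount={3} (on {4})" -f `
        $user.SamAccountName, $resultant.Name, $resultant.LockoutThreshold, $user.badPwdCount, $pdc
} else {
    "{0}: governed by the domain Account Lockout Policy, badPwdCount={1} (on {2})" -f `
        $user.SamAccountName, $user.badPwdCount, $pdc
}
```

Any PSO flagged LOCKOUT DISABLED whose appliesTo list includes a broad group explains accounts that never lock out; the resultant-policy line shows whether a given account is one of them.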
 
LVL 1

Expert Comment

by:gjeff80
ID: 39247291
Fantastic, I let my PSS engineer know this was the problem too, so I'm sure Microsoft will log it in their database now :)
 

Author Closing Comment

by:VIBT
ID: 39255610
I chose my solution as part of the answer as I gave more detail as to the location of the problem.  I gave all points to gjeff80 for pointing me in the right direction.