<div>
Yeah not sure if the user is telling the truth or not. Some days it happens, others it doesn't. <br />
<br />
Thanks for mentioning PSO, I looked into it just now and doesn't appear to be anything in there (I'm looking in ADSI edit) in the Password Settings Container....<br />
<br />
Thinking I should great a GPO just for this user and give 30 attempts within 5 hrs to see if it manages to get locked out again. <br />
<br />
Event log source indicates that it is the local user's machine so ....
</div>


<div>
&gt; Thinking I should great a GPO just for this user<br />
You can't. Password policies are for computers, not for users. But can create a PSO just for him.
</div>


<div>
@sarang_tinguria: the password policies effective at the client don't matter, it's a domain account, so the policies effective at the DC matter as the others only effect local accounts.
</div>


<div>
@McKnife: <br />
<br />
That's correct, so the end user has a remote session open. This is either a VPN, a service running as the user, or a logon attempt with cached logons from the local computer. SINCE the user gets ONE change before lockout, it leads me to believe this is a CACHED OLD account in Credential Manager that could be wiped out. This is why as a domain admin, I set policy to Prevent Managed credentials on anyone's computer within the domain. That's the very reason that policy exists. <br />
<br />
Your thoughts?
</div>


<div>
No thoughts yet, waiting for his test to complete :)
</div>


<div>
It appears it was user error all along but these techniques and tools have helped me determine the cause (along with end-user admitting it) and should be of great use going forward. <br />
<br />
Thanks again
</div>


<div>
<div class="content wysiwyg-content">
I have a user that when they login first thing in the morning, if they mis-type their password once, it locks out their account. Even though the Group Policy indicates it is 5 times threshold, it only takes them 1 bad password attempt before they're locked out.<br />
<br />
Is there a hotfix or possible a local GPO that could be overriding the domain policy?<br />
<br />
Windows 7 / ADWin Server 2008
</div>
</div>


I have a user that when they login first thing in the morning, if they mis-type their password once, it locks out their account. Even though the Group Policy indicates it is 5 times threshold, it only takes them 1 bad password attempt before they're locked out.

Is there a hotfix or possible a local GPO that could be overriding the domain policy?

Windows 7 / ADWin Server 2008

Account locked out due to 5 login attempts, after 1 attempt

Windows 7 is an operating system from Microsoft. Features include multi-touch support, a redesigned Windows Shell with a new taskbar, referred to as the Superbar, a home networking system called HomeGroup, and performance improvements.

Windows 7

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.