Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 721
  • Last Modified:

Account locked out due to 5 login attempts, after 1 attempt

I have a user that when they login first thing in the morning, if they mis-type their password once, it locks out their account. Even though the Group Policy indicates it is 5 times threshold, it only takes them 1 bad password attempt before they're locked out.

Is there a hotfix or possible a local GPO that could be overriding the domain policy?

Windows 7 / ADWin Server 2008
0
garryshape
Asked:
garryshape
  • 4
  • 2
  • 2
  • +3
5 Solutions
 
Mark DamenERP System ManagerCommented:
Use group policy modelling to see which is the effective policy controlling this setting.

http://technet.microsoft.com/en-us/library/01be191b-eef8-4f0e-b188-c9281d4a4fc5

That shows how to use the console.
0
 
McKnifeCommented:
Hi.

> Is there a hotfix or possible a local GPO that could be overriding the domain policy?
No, definitely not. The account lockout policy is in effect at the DC and only there. No local policies will influence domain accounts when it comes to lockouts. About hotfixes: bugs happen here and there, they don't even need hotfixes. That said: I never heard a hotfix did introduce that behavior.

You should make sure that in addition to the password policy there is no PSO active that might override the general settings. Do you know how to check for PSOs? [by the way: the GPO modeling will not tell you about PSOs]
0
 
garryshapeAuthor Commented:
Yeah not sure if the user is telling the truth or not. Some days it happens, others it doesn't.

Thanks for mentioning PSO, I looked into it just now and doesn't appear to be anything in there (I'm looking in ADSI edit) in the Password Settings Container....

Thinking I should great a GPO just for this user and give 30 attempts within 5 hrs to see if it manages to get locked out again.

Event log source indicates that it is the local user's machine so ....
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
McKnifeCommented:
> Thinking I should great a GPO just for this user
You can't. Password policies are for computers, not for users. But can create a PSO just for him.
0
 
ChiefITCommented:
Go to

Control Panel\All Control Panel Items\Credential Manager

and eliminate their old cached logon credentials. Reboot, and you should be fine. Also make sure they are not logged on elsewhere, to include through a VPN connection, or remote desktop.
0
 
Sarang TinguriaSr EngineerCommented:
can you run gpresult /h c:\gpreport.html and see what password policy is effective on client
0
 
Tushar_DarwatkarCommented:
Hello,

You can user the below account lockout tool which can give you detail information like when the account was locked out, the source and the attempts made as well.

http://www.netwrix.com/account_lockout_examiner.html
0
 
McKnifeCommented:
@sarang_tinguria: the password policies effective at the client don't matter, it's a domain account, so the policies effective at the DC matter as the others only effect local accounts.
0
 
ChiefITCommented:
@McKnife:

That's correct, so the end user has a remote session open. This is either a VPN, a service running as the user, or a logon attempt with cached logons from the local computer. SINCE the user gets ONE change before lockout, it leads me to believe this is a CACHED OLD account in Credential Manager that could be wiped out. This is why as a domain admin, I set policy to Prevent Managed credentials on anyone's computer within the domain. That's the very reason that policy exists.

Your thoughts?
0
 
McKnifeCommented:
No thoughts yet, waiting for his test to complete :)
0
 
garryshapeAuthor Commented:
It appears it was user error all along but these techniques and tools have helped me determine the cause (along with end-user admitting it) and should be of great use going forward.

Thanks again
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 4
  • 2
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now