Account locked out due to 5 login attempts, after 1 attempt

Posted on 2013-05-21
Last Modified: 2013-06-11
I have a user that when they login first thing in the morning, if they mis-type their password once, it locks out their account. Even though the Group Policy indicates it is 5 times threshold, it only takes them 1 bad password attempt before they're locked out.

Is there a hotfix or possible a local GPO that could be overriding the domain policy?

Windows 7 / ADWin Server 2008
Question by:garryshape
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +3
LVL 13

Accepted Solution

markusdamenous earned 100 total points
ID: 39185336
Use group policy modelling to see which is the effective policy controlling this setting.

That shows how to use the console.
LVL 54

Assisted Solution

McKnife earned 100 total points
ID: 39185949

> Is there a hotfix or possible a local GPO that could be overriding the domain policy?
No, definitely not. The account lockout policy is in effect at the DC and only there. No local policies will influence domain accounts when it comes to lockouts. About hotfixes: bugs happen here and there, they don't even need hotfixes. That said: I never heard a hotfix did introduce that behavior.

You should make sure that in addition to the password policy there is no PSO active that might override the general settings. Do you know how to check for PSOs? [by the way: the GPO modeling will not tell you about PSOs]

Author Comment

ID: 39186106
Yeah not sure if the user is telling the truth or not. Some days it happens, others it doesn't.

Thanks for mentioning PSO, I looked into it just now and doesn't appear to be anything in there (I'm looking in ADSI edit) in the Password Settings Container....

Thinking I should great a GPO just for this user and give 30 attempts within 5 hrs to see if it manages to get locked out again.

Event log source indicates that it is the local user's machine so ....
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

LVL 54

Expert Comment

ID: 39186122
> Thinking I should great a GPO just for this user
You can't. Password policies are for computers, not for users. But can create a PSO just for him.
LVL 38

Assisted Solution

ChiefIT earned 100 total points
ID: 39186185
Go to

Control Panel\All Control Panel Items\Credential Manager

and eliminate their old cached logon credentials. Reboot, and you should be fine. Also make sure they are not logged on elsewhere, to include through a VPN connection, or remote desktop.
LVL 18

Assisted Solution

by:Sarang Tinguria
Sarang Tinguria earned 100 total points
ID: 39186259
can you run gpresult /h c:\gpreport.html and see what password policy is effective on client

Assisted Solution

Tushar_Darwatkar earned 100 total points
ID: 39186505

You can user the below account lockout tool which can give you detail information like when the account was locked out, the source and the attempts made as well.
LVL 54

Expert Comment

ID: 39186701
@sarang_tinguria: the password policies effective at the client don't matter, it's a domain account, so the policies effective at the DC matter as the others only effect local accounts.
LVL 38

Expert Comment

ID: 39189164

That's correct, so the end user has a remote session open. This is either a VPN, a service running as the user, or a logon attempt with cached logons from the local computer. SINCE the user gets ONE change before lockout, it leads me to believe this is a CACHED OLD account in Credential Manager that could be wiped out. This is why as a domain admin, I set policy to Prevent Managed credentials on anyone's computer within the domain. That's the very reason that policy exists.

Your thoughts?
LVL 54

Expert Comment

ID: 39190256
No thoughts yet, waiting for his test to complete :)

Author Closing Comment

ID: 39239524
It appears it was user error all along but these techniques and tools have helped me determine the cause (along with end-user admitting it) and should be of great use going forward.

Thanks again

Featured Post

Increase your protection from Zero Day threats!

Running two Antivirus' is never a good idea.
Taking advantage of Multiple Security layers on the other hand can often save your hide.
See which top notch security software brands have been proven to happily coexist together.
Reduce your chances of becoming a statistic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question