tiras gans
asked on
Account lockout policy issue
I am having a software conflict with the Active Directory lockout policy. External users log in through the web site. If the account policy is enabled, their accounts get locked out. There is something weird about how the software reacts to that. However, the issue is inconsistent.
What's the better way to test this? Create test users and put them into a test OU, or do I need test Security Groups? I think an OU is easier to put test users in. Not sure if it is possible to link that policy to that OU.
Please advise.
Thank you!
***************
What's the better way to test this? Create test users and put them into a test OU, or do I need test Security Groups? I think an OU is easier to put test users in. Not sure if it is possible to link that policy to that OU.
*************
Easier to test by isolating the external users and putting the "external test" users in a different OU. And yes - you can apply a GPO to an OU. But the first thing you should check is your account policy. You should also be looking at the authentication. Something's gotta be failing somewhere for the accounts to lock out. I'm thinking it could be a Kerberos issue.
ASKER
Correct. This is what I understand. The account lockout policy cannot be applied to a separate OU. However, even after testing successfully on the test Domain, I don't feel comfortable enabling it on the Production Domain.
I am thinking of implementing granularity by Security Group. Users in the Security Group will be enabled. Does that sound good?
If that's the case, I am waiting for the solution..!!
Interesting..!!
ASKER
This is what I am thinking about. Run a script every hour that would put those users in the group.
Did any change happen in your environment?
Was this working before? Or is this the first time you are testing it?
What happens if the test account is given domain admin privileges and is then tested with the linked policy enabled?
You can also use the Account Lockout Status tool and keep it handy. Choose the domain and the name of the user to see the status of the user's account.
If this fails again, then go ahead and check with the application vendor. I am not sure which application it is or how the users are logging in.
Let me know if anything else is required.
Good Luck..!!
~SG~
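The asker's plan (lockout settings scoped to a security group, with an hourly script that keeps the group populated), sketched as an added example that is not code from this thread. It assumes the granularity is implemented with a fine-grained password policy (PSO), which the thread does not name; the OU path, group name, PSO name and lockout values are hypothetical placeholders.

```powershell
# Added example: group-scoped lockout policy plus an hourly "shadow group" sync.
# Assumes the ActiveDirectory module and a domain functional level of 2008 or later.
Import-Module ActiveDirectory

$TestOU    = 'OU=ExternalTest,DC=example,DC=com'  # hypothetical OU holding the test users
$GroupName = 'PSO-Lockout-Test'                   # hypothetical global security group
$PsoName   = 'PSO-External-Lockout'               # hypothetical PSO name

# A PSO replaces the whole password policy for its subjects, so copy the domain's
# current password settings and change only the lockout values (constructed here).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    $d = Get-ADDefaultDomainPasswordPolicy
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -ComplexityEnabled $d.ComplexityEnabled `
        -ReversibleEncryptionEnabled $d.ReversibleEncryptionEnabled `
        -MinPasswordLength $d.MinPasswordLength `
        -MinPasswordAge $d.MinPasswordAge -MaxPasswordAge $d.MaxPasswordAge `
        -PasswordHistoryCount $d.PasswordHistoryCount `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '0.00:15:00' `
        -LockoutDuration '0.00:15:00'
    # PSOs attach to users or global security groups, never to an OU.
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# Hourly sync: make the group's user membership match the contents of the test OU.
$want = @(Get-ADUser -SearchBase $TestOU -SearchScope Subtree -Filter * |
          Select-Object -ExpandProperty DistinguishedName)
$have = @(Get-ADGroupMember -Identity $GroupName |
          Where-Object { $_.objectClass -eq 'user' } |
          Select-Object -ExpandProperty distinguishedName)

$toAdd    = @($want | Where-Object { $_ -notin $have })
$toRemove = @($have | Where-Object { $_ -notin $want })
if ($toAdd.Count -gt 0)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

# Verify which policy each test user actually receives; no result means the
# domain default policy still applies to that user.
foreach ($dn in $want) {
    $r = Get-ADUserResultantPasswordPolicy -Identity $dn
    [pscustomobject]@{
        User             = $dn
        EffectivePso     = $(if ($r) { $r.Name } else { '(domain default)' })
        LockoutThreshold = $(if ($r) { $r.LockoutThreshold } else { $null })
    }
}
```

Users moved out of the test OU drop out of the group on the next run and fall back to the domain default policy, which keeps the test reversible before anything changes on the production domain policy itself.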