Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Account lockout policy issue

Posted on 2013-05-21
8
Medium Priority
?
468 Views
Last Modified: 2013-06-07
I am having a software conflict with Active Directory lockout policy.  External users are login through the web site.  If the account policy enabled their accounts get locked out. Something weird how software reacts on that.  However, the issue is inconsistent.
What's the better way to test this?  Create test users and put into test OU or need test Security Groups? I think OU is easier to put test users there/ Not sure if possible to link that policy into that OU.
Please advise.
Thank you!
0
Comment
Question by:Tiras25
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 8

Expert Comment

by:Sushant Gulati
ID: 39186730
You know the answer. Create a test OU, link that particular policy, add the user in that OU and test it and see what difference you will see.

Was there any change happened in your environment?
Was this working before? Or is the first time you are testing it?

What happens if the test account gets a domain admin privilege and then test it with enabled linked policy?

You can also use Account Lockout Status tool and keep this handy. Choose the domain and the name of the user to see the status of the user's account.

If this falls again then go ahead and check with the application vendor. I am not sure which application and how the users are logging in.

Let me know if anything else is required.

Good Luck..!!
~SG~
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 2000 total points
ID: 39187259
No, he does not know the answer :)
The account lockout policy is applied at the DC - not at the user themselves or at the users' computers - no testing possible unless you have a test domain.
0
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 39187298
***************
What's the better way to test this?  Create test users and put into test OU or need test Security Groups? I think OU is easier to put test users there/ Not sure if possible to link that policy into that OU.
*************

Easier to test by isolating the external users and putting the "external test" users in a different OU. And yes - you can apply GPO to an OU. But the first thing you should check is your account policy. You should also be looking at the authentication. Something's gotta be failing somewhere for the accounts to lockout. I'm thinking it could be a kerberos issue.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 2000 total points
ID: 39187434
Sorry, but you are also misleading him. The account lockout policy cannot be applied to a test OU but only to the DC's OU because we are talking about domain users whose account info is kept only at the DCs.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 39188236
Correct. This is what I understand.  The account lockout policy cannot be applied to a separate OU. However, even after testing successfully on test Domain I don't feel comfortable enabling on Production Domain.  
I am thinking implementing granularity by Security Group. Users in the Security Group will be enabled.  Does that sound good?
0
 
LVL 8

Expert Comment

by:Sushant Gulati
ID: 39188566
If that's the case, I am waiting for the solution..!!

Interesting..!!
0
 
LVL 56

Accepted Solution

by:
McKnife earned 2000 total points
ID: 39188905
Yes, why not. PSOs can apply to groups and will override GPOs.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 39189024
This is what I am thinking about.  Run the script every hour that would put those users in the group.
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this modest contribution, I want to share with the IT community (especially system administrators, IT Support Engineers and IT Help Desks) about Windows crashes/hangs and how to deal with these particular problems.
IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question