cloudbase
Dynamics CRM - Locking users
Hi,
One of my customers is running Dynamics CRM 11 and asked me to create a policy that will lock users after several failed login attempts.
I created such a policy in Active Directory and assigned it to the specific OU, but to my surprise, it is not working.
I was able to access the CRM even after 12 failed attempts.
So, am I missing something?
ASKER
This is exactly what I've done.
And I'm assuming you are using an LDAP connection between your CRM and AD?
If so, have you verified your LDAP integration configurations for your CRM?
ASKER
Yes, there is an LDAP connection between the two.
The customer is creating users in the AD and once created they can log in to the CRM.
Everything seems to be working with the LDAP integration; I created another test user in the AD and was able to log in with this account.
Have you checked out your lockout policy for your Dynamics users on the database (rather than on the front-end)?
ASKER
Hmm... I'm pretty much clueless on CRM.
Can you tell me please how and where to check it?
CRM uses Windows accounts to authenticate users. If a user can log on to a PC with their Windows account then they can get into CRM.
If the Windows account for a user is locked out then the user won't be able to log on to a PC and therefore can't get to CRM.
So, I don't see how your locked users are getting to CRM. Perhaps they are logging in under another user account to the PC and then accessing CRM via another account.
Did you try logging in with your test account with incorrect credentials (proper username, wrong password) and see if you are locked out based on your lock out policy?
ASKER
The users are located under a specific OU for the CRM.
They cannot log in to any workstation, only the CRM app.
The policy is restricted to 5 attempts; I have tried 20 attempts with a wrong password and wasn't locked out.
In AD, did you set this lock-out config on your Default Domain Policy?
Trying to get an idea of how your Group Policy Object is set up (pointing to the OU that you referred to above?).
ASKER
OK, let me clarify:
In Users and Computers, there is an OU "CRM Users"; those users are restricted only to the CRM app.
In Group Policy, I have created a new lockout policy, linked it to the new OU, and in the security filtering I added all the users that belong to the "CRM Users" OU.
How about creating a new group policy from scratch and linking it to the "CRM Users" OU?
http://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx
When you set up this policy, were you logged in as the Domain Administrator?
I'm thinking something is going haywire with your current Group Policy pointing to your OU.
ASKER
This policy is brand new and from scratch.
I was logged in as domain admin.
ASKER CERTIFIED SOLUTION
ASKER
I missed it.
There was another GPO that caused this GPO not to apply.
Everything is working now - thank you.
I may be missing something here, but if users can't log on to a workstation, how are they getting to CRM?
ASKER
They aren't assigned any remote desktop roles.
It is only for the CRM application.
Great! I know how frustrating that can be.
It may be worth a check to verify your lockout config in AD.
http://www.windows-active-directory.com/account-lockout-policy-active-directory.html
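
One way to carry out the check suggested in the last comment, as an added example that is not part of the original thread: it reports the lockout settings Active Directory actually resolves for one test account and lists the GPO links, in precedence order, for the OU that holds it. It assumes the ActiveDirectory and GroupPolicy modules (RSAT) and that the account sits directly in an OU; the account name `crmtest1` is hypothetical.

```powershell
# Added example: which lockout settings govern this domain user, and which
# GPOs reach its OU? 'crmtest1' is a hypothetical test account name.
Import-Module ActiveDirectory, GroupPolicy

function Get-EffectiveLockoutPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt

    # A fine-grained password policy (PSO) applied to the user or one of its
    # groups takes precedence over the domain-wide setting; $null if none applies.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $user
    $domain = Get-ADDefaultDomainPasswordPolicy

    $effective = if ($pso) { $pso } else { $domain }
    $source    = if ($pso) { "PSO '$($pso.Name)'" } else { 'Domain policy' }

    [pscustomobject]@{
        User                   = $user.SamAccountName
        DistinguishedName      = $user.DistinguishedName
        PolicySource           = $source
        LockoutThreshold       = $effective.LockoutThreshold  # 0 = never lock
        LockoutDuration        = $effective.LockoutDuration
        ObservationWindow      = $effective.LockoutObservationWindow
        BadLogonCount          = $user.BadLogonCount          # per-DC, not replicated
        LastBadPasswordAttempt = $user.LastBadPasswordAttempt
        LockedOut              = $user.LockedOut
    }
}

$report = Get-EffectiveLockoutPolicy -SamAccountName 'crmtest1'
$report | Format-List
if ($report.LockoutThreshold -eq 0) {
    Write-Warning 'Lockout threshold is 0: failed logons will never lock this account.'
}

# Strip the leading CN=... component to get the parent OU, then list every GPO
# link that reaches it in precedence order (Order 1 wins on conflicting settings).
$ou = $report.DistinguishedName -replace '^CN=(?:\\.|[^,\\])+,', ''
$inheritance = Get-GPInheritance -Target $ou
"Inheritance blocked on OU: $($inheritance.GpoInheritanceBlocked)"
$inheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```

Because `BadLogonCount` is tracked per domain controller, run the report against the DC that handled the failed logons (add `-Server` to the `Get-ADUser` call) when the counter looks lower than expected.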