Solved

AD Account Lockout Time

Posted on 2014-10-16
10
252 Views
Last Modified: 2014-11-17
Please see the two user’s sets of properties from our AD on mail.scyap.com. Look at the lockoutTime setting. On some user’s this is set to 0. If it is set to 0 it appears that it requires IT to manually unlock their account. This should not be the case. Our lockout policy is set to unlock their account after 20 minutes. I’m not sure why some say 0 and others say “not set”. How do we prevent this from happening? Also, the users with the 0 are seemingly sometimes just getting locked out for no reason and we have to manually unlock their accounts.

Thanks for any help.
ADLockout.docx
0
Comment
Question by:manndo
  • 5
  • 2
  • 2
  • +1
10 Comments
 
LVL 10

Assisted Solution

by:Senthil Kumar
Senthil Kumar earned 200 total points
ID: 40384933
Hi

Check your Group Policy for Account Lockout settings. Refer below link

http://www.selfadsi.org/extended-ad/user-unlock.htm
0
 

Author Comment

by:manndo
ID: 40384948
I have checked the policy. Actually, we just implemented it. The policy is set and working for all the users that have the attribute set to <not set> in their individual user settings, but it does not work for those set to 0. On those, every time they type in wrong - even once, it locks them out and we have to manually unlock it. My problem is, I do not know why some users have the 0 and I do not know how to change it......or at least I think that is my problem. :)
0
 
LVL 10

Assisted Solution

by:Senthil Kumar
Senthil Kumar earned 200 total points
ID: 40384984
Hi
May be the group policy is not enforced in these workstations. Can you run gpupdate /force from command line and check the lockout settings?
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 3

Assisted Solution

by:Glingo
Glingo earned 200 total points
ID: 40385138
Also after running  the gpupdate /force you can run a gpresult /r to check if your GPO applied properly and if not it will help you to troubleshot the issue
0
 

Author Comment

by:manndo
ID: 40385258
It says it was not applied. Reason is "Filtering: Not applied <Empty>". Not sure what that means.
0
 
LVL 3

Assisted Solution

by:Glingo
Glingo earned 200 total points
ID: 40385511
Did you open CMD as administrator?

Are the clients all running the same OS?

Are the problematic users in the same OU as the others?
0
 
LVL 10

Assisted Solution

by:Natty Greg
Natty Greg earned 100 total points
ID: 40386004
global group is different from OU policy, so if the computer and user not in the OU, it will not work, but if the policy was set globally, everyone has to adhere to it.
0
 

Author Comment

by:manndo
ID: 40386393
I was logged in as administrator to server.  I opened command prompt,  but didn't specifically open cmd prompt as administrator,  all users are in same ou,  all computers are in groups within the ou,  all users are running Windows  7.
0
 

Accepted Solution

by:
manndo earned 0 total points
ID: 40386394
It is the Default global policy.
0
 

Author Closing Comment

by:manndo
ID: 40446833
Sorry, but none of the solutions worked for my issue. However, I did learn some things, so I am splitting the points.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question