Solved

AD Account Lockout Time

Posted on 2014-10-16
10
268 Views
Last Modified: 2014-11-17
Please see the two user’s sets of properties from our AD on mail.scyap.com. Look at the lockoutTime setting. On some user’s this is set to 0. If it is set to 0 it appears that it requires IT to manually unlock their account. This should not be the case. Our lockout policy is set to unlock their account after 20 minutes. I’m not sure why some say 0 and others say “not set”. How do we prevent this from happening? Also, the users with the 0 are seemingly sometimes just getting locked out for no reason and we have to manually unlock their accounts.

Thanks for any help.
ADLockout.docx
0
Comment
Question by:manndo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
  • 2
  • +1
10 Comments
 
LVL 10

Assisted Solution

by:Senthil Kumar
Senthil Kumar earned 200 total points
ID: 40384933
Hi

Check your Group Policy for Account Lockout settings. Refer below link

http://www.selfadsi.org/extended-ad/user-unlock.htm
0
 

Author Comment

by:manndo
ID: 40384948
I have checked the policy. Actually, we just implemented it. The policy is set and working for all the users that have the attribute set to <not set> in their individual user settings, but it does not work for those set to 0. On those, every time they type in wrong - even once, it locks them out and we have to manually unlock it. My problem is, I do not know why some users have the 0 and I do not know how to change it......or at least I think that is my problem. :)
0
 
LVL 10

Assisted Solution

by:Senthil Kumar
Senthil Kumar earned 200 total points
ID: 40384984
Hi
May be the group policy is not enforced in these workstations. Can you run gpupdate /force from command line and check the lockout settings?
0
Increase Agility with Enabled Toolchains

Connect your existing build, deployment, management, monitoring, and collaboration platforms. From Puppet to Chef, HipChat to Slack, ServiceNow to JIRA, Splunk to New Relic and beyond, hand off data between systems to engage the right people.

Connect with xMatters.

 
LVL 3

Assisted Solution

by:Glingo
Glingo earned 200 total points
ID: 40385138
Also after running  the gpupdate /force you can run a gpresult /r to check if your GPO applied properly and if not it will help you to troubleshot the issue
0
 

Author Comment

by:manndo
ID: 40385258
It says it was not applied. Reason is "Filtering: Not applied <Empty>". Not sure what that means.
0
 
LVL 3

Assisted Solution

by:Glingo
Glingo earned 200 total points
ID: 40385511
Did you open CMD as administrator?

Are the clients all running the same OS?

Are the problematic users in the same OU as the others?
0
 
LVL 13

Assisted Solution

by:Natty Greg
Natty Greg earned 100 total points
ID: 40386004
global group is different from OU policy, so if the computer and user not in the OU, it will not work, but if the policy was set globally, everyone has to adhere to it.
0
 

Author Comment

by:manndo
ID: 40386393
I was logged in as administrator to server.  I opened command prompt,  but didn't specifically open cmd prompt as administrator,  all users are in same ou,  all computers are in groups within the ou,  all users are running Windows  7.
0
 

Accepted Solution

by:
manndo earned 0 total points
ID: 40386394
It is the Default global policy.
0
 

Author Closing Comment

by:manndo
ID: 40446833
Sorry, but none of the solutions worked for my issue. However, I did learn some things, so I am splitting the points.
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Here's a look at newsworthy articles and community happenings during the last month.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question