Unable to see account lockout policy in GPMC

Hi,
I need to verify the settings and winning GPO for the domain account lockout policy. If I run group policy modelling or gpresult, I can get all other computer settings but NOT account lockout policy. Here's what I've tried:

1) tested on PDC emulator (i.e. on two DCs and got the same result. One is 2003 R2 and one 2008 R2)
2) ran gpmc explicitly as administrator
3) tried scoping group policy modelling to both the entire domain and the computers container

I've probably tried other things, but it's been a long day :)

I can get the settings from net accounts /domain but I need to prove where they originated (I can do this by manually going through GPMC but I would like to see the results displayed in a report).

The settings ARE being applied, so this is purely a reporting issue of some kind.

Forest functional level is 2003

hope someone can help!
hannibalsmith asked:
 
McKnife commented:
Where do you run gpresult?
Do a
gpresult /h %temp%\result1.html
on your DC and then open %temp%\result1.html

Don (Network Administrator) commented:
Why haven't you run rsop.msc??

You should be able to drill right down to it with rsop

 
Will Szymkowski (Senior Solution Architect) commented:
The "Default Domain Policy" holds the Account Lock policy. Have you tried gpresult /R >> c:\output.txt?

Will.

hannibalsmith (Author) commented:
Hi, thanks for the answers.

1) @dstewartjr RSOP.msc has known issues. It's not a tool I find reliable. I think it might be deprecated? That said, I'll try anything so thank you for your suggestion. I tried it and didn't get the results I need.
2) @Will in this case, it's not the default domain policy. That does have a lockout value threshold but it's not the one which is enforced. The enforced settings are coming from another policy. I can see the settings but I want to generate a report.
3) @mcknife, thanks for the suggestion. Tried that but still not getting them.

any other ideas?

Don (Network Administrator) commented:
"RSOP.msc has known issues. It's not a tool I find reliable. I think it might be deprecated?"

Waaaaaa????

I'm running it on Windows 10 with no issues.

"I tried it and didn't get the results I need."

Isn't this all you were looking for???
[attached image: rsop]

hannibalsmith (Author) commented:
hi there,
yes, that's what I'm looking for but it's not working on my DCs...

RSOP has known issues. I didn't say it never worked :)

when I run RSOP, I get 'not defined' where you see the values in your RSOP output.

hannibalsmith (Author) commented:
do you get the same result when you run it as domain admin on your DC?
what about in group policy modelling?

Don (Network Administrator) commented:
"do you get the same result when you run it as domain admin on your DC?"

Yup, same result

"group policy modelling?"

Honestly don't use that tool

hannibalsmith (Author) commented:
so, here's the output I get when I'm logged onto a system which has the GPO containing the account lockout settings applied to it. I've also tried on the FSMO holder and got the same result.

hannibalsmith (Author) commented:
[attached image: account-lockout-policy.PNG]

hannibalsmith (Author) commented:
it's a strange one. I can see that you're right but it's just not working for me. that's why I'm here. if it was easy, I wouldn't be :-D

hannibalsmith (Author) commented:
thanks, I've already reviewed that one but I'll give you the points for your assistance. I'm sure we'll work together again at some point!

there's some nutty filtering going on which is not visible from the GPMC. I'm dealing with a lot of environments and this one has a mix of all sorts of OS levels. thanks for the help!

hannibalsmith (Author) commented:
Dstewartjr offered a lot of help on this case

Will Szymkowski (Senior Solution Architect) commented:
"@Will in this case, it's not the default domain policy."
That is exactly why it is not working then. Any password policy related settings NEED to be in the Default Domain Policy as I have stated already.

The only exception is when you are using PSO/Fine Grained Password Policies and you are applying them to a specific group or OU. To do this you need to have an FFL and DFL of 2008 or higher.

Any other situation it will not work. Has to be on the Default Domain Policy.

"yes, that's what I'm looking for but it's not working on my DCs..."
This will not work because it is not set in the correct place.

Will.

McKnife commented:
I wouldn't close it yet. There cannot be some "nutty filtering" going on - or did you indeed filter the default domain policy not to apply to your DCs?

Don (Network Administrator) commented:
Or was "Authenticated Users" removed???

hannibalsmith (Author) commented:
nope, authenticated users was in there.

I didn't filter the DCs out. I'm not sure what happened actually. I didn't set this site up. it's one of about 130 that I manage so I'll need to hunt around to be honest.

I'm going to look into it and if I find something I'll post so other people reading this know what happened.

really appreciate the help, guys!

hannibalsmith (Author) commented:
@will
'That is exactly why it is not working then. Any password policy related settings NEED to be in the Default Domain Policy as I have stated already.'

sorry, just saw this now. I'm sure it's best practice, but the lockout policy which IS working on this domain is not set at the default domain policy. It's set at another policy. Do you have any documentation that states that domain lockout policy MUST be set at the default domain policy level?

McKnife commented:
While at work, I had an idea. Now at home, virtual test domain started, I could verify it. I guess you will find it most interesting. The following picture shows that the command
net accounts /domain
when executed at the DC does not reflect the same as RSOP.msc and I guess that's what you have.
The cause is that the def dom pol is left unconfigured while the local policy secpol.msc (see top) IS configured.
[attached image: Screenshot_win10server]

hannibalsmith (Author) commented:
that's very interesting. thank you, mcknife.
I've actually recreated the GPO from scratch and just copied the existing settings. It now works correctly so I suppose we were looking at a policy corruption or maybe an attribute which wasn't quite right in adsiedit.

thanks for the info above, though. if I had more points to allocate, you'd certainly get them. I hadn't considered the interplay between default domain and local security. In my case, default domain did have values configured but the values received by clients were coming from another policy with those values configured as well.
Question has a verified solution.
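
Added example, not part of the original thread or any poster's code: one way to produce the report the question asks for, by listing every GPO linked at the domain root that defines an account lockout value and comparing that with the values the domain currently holds. It assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to SYSVOL; the variable names are illustrative.

```powershell
# Added example: which domain-root-linked GPO defines each account lockout setting?
# Assumes the ActiveDirectory and GroupPolicy RSAT modules and read access to SYSVOL.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$keys   = 'LockoutBadCount', 'ResetLockoutCount', 'LockoutDuration'

# Enabled GPO links that apply at the domain root, in precedence order (Order 1 wins).
$links = (Get-GPInheritance -Target $domain.DistinguishedName).InheritedGpoLinks |
         Where-Object Enabled | Sort-Object Order

$report = foreach ($link in $links) {
    # A GPO's security settings are stored in GptTmpl.inf under its SYSVOL folder.
    $inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($link.GpoId)}" +
           '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }   # GPO has no security template

    foreach ($line in Get-Content -LiteralPath $inf) {
        # Lines look like "LockoutBadCount = 5"; -1 is a valid LockoutDuration.
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$' -and $keys -contains $Matches[1]) {
            [pscustomobject]@{
                Precedence = $link.Order
                Gpo        = $link.DisplayName
                Enforced   = $link.Enforced
                Setting    = $Matches[1]
                Value      = [int]$Matches[2]
            }
        }
    }
}

# For each setting, the row with the lowest Precedence is the GPO that wins.
$report | Sort-Object Setting, Precedence | Format-Table -AutoSize

# Values currently stored on the domain object, for comparison with the rows above.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration
```

The listing does not evaluate security filtering, WMI filters or a GPO whose computer settings are disabled, so those need to be checked on the winning GPO separately.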
