Solved

Windows 2008 SBS account lockout policy

Posted on 2016-10-17
4
31 Views
Last Modified: 2016-10-21
I have been trying to disable the local account lockout policy on a Windows SBS 2008 but it still locks account upon bad passwords either by login window or by bad password entered via mobile devices or owa, I have set the feature as not defined and used gpupdate /force, but no luck the accounts still gets locked across the network, can someone help.

Thank you
-jdff
0
Comment
Question by:jdff
  • 2
4 Comments
 
LVL 10

Assisted Solution

by:Maclean
Maclean earned 250 total points
ID: 41847570
You probably have conflicting group policies.
Check which policies are in use when logged in, and go through them all.
Disabling lockout policy is a bad idea however. As IT Admin I would in writing object to the request and list the reasons (Security etc)

There are alternatives to whatever issue there might be.
e.g. self unlock programs, or user education.
1
 
LVL 5

Accepted Solution

by:
Antzs earned 250 total points
ID: 41847759
The lockout policy is a default security policy in Windows Domain.  I don't think there is anyway you can disable it.

You can always set the account options for the particular user account, so that the password cant be changed and the password does not expire.

If the account keeps on locking out, you need to find out the real reason why is this happening.
0
 

Author Comment

by:jdff
ID: 41848223
Maclean, I understand but at this moment I really need to get this feature disabled, this network has not incoming connection so it not a big deal at this point.
0
 
LVL 10

Assisted Solution

by:Maclean
Maclean earned 250 total points
ID: 41849909
I respect whichever way one would want to go of course.
Merely advising of the risk.

Lockout policy is there not to protect only against external attackers, but also against internal misuse.
e.g. Joe Blogs in Payroll leaves computer running overnight, cleaners come in, and find an unlocked payroll PC with intruiging information, so they take the company "to the cleaners".

I have heard of this scenario happen from one of our clients (Happened before I looked after them)So keep things like that in mind is all I am saying. A lot of data theft occurs local onsite. Not external.
Unless the company has nothing of value that could be used to damage their reputation by losing confidential client data, or financial info on the firm itself, I'd always advocate leaving it turned on, and instead locating the source of the lockouts using Netwrix Lockout Examiner or the MS Logs/Tools.. Again though. Its just information I am providing :)

Anyway, back on point. If you want to disable it, check your group policies as suggested.
Go through them and find if there are more policies doing the same thing on the SBS.
There's bound to be a 2nd Policy doing the same thing as the original one you disabled.
Good luck :)
0

Featured Post

Too many email signature changes to deal with?

Are you constantly being asked to update your organization's email signatures? Do they take up too much of your time? Wouldn't you love to be able to manage all signatures from one central location, easily design them and deploy them quickly to users. Well, you can!

Join & Write a Comment

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now