Fine Grained Password Policy -- Account Lockout not working?

Fine Grained Password Policy -- is not locking out failed login attempts.  

These are the settings.  My understanding, not setting -- is like infinite duration and infinite observation?  Policy applied to Group -- which contains user.  Other policy settings work -- such as length, and complexity.  The resultant policy command shows it is applied.  It never locks the account?  Why?

msDS-lockout duration : None
msDS-LockoutObservation: None
msDS-LockThreshold:  4

When the lockout duration and observation window are set to none, how will the lockout threshold lock the user account? It never will with this config.

Put some value in both parameters and check; it will work.

apsutechteam (Author) Commented:
Settings are mandated by Security officer -- should I not be able to leave unset -- and then not reset lockout counter reset -- and no automatic unlock -- these are required settings.

Put both settings to "(never)" without quotes and it will work.

apsutechteam (Author) Commented:
Change None to Never -- it defaults to None?

No, "never" will lock the account permanently until an administrator unlocks it, which is your requirement.
"None" will never lock the account as far as I know.

apsutechteam (Author) Commented:
The Threshold is '4' -- so it locks after 4 fails - right?  The lockout Observation and Duration are None -- not set -- which should mean they never reset -- count goes forever and Admin has to unlock -- which is what I want?

That's correct.

Only set the other two options to (never)

It should be within brackets as shown above, and then it will lock until an administrator unlocks the account.

apsutechteam (Author) Commented:
Are you sure it is not supposed to be None?  I can't find setting it to Never in documentation? Do you have a reference?  Default was None -- essentially not set ...?

If you have a 2012 / 2012 R2 member server, install Active Directory Admin Center and try to configure the FGPP there with the GUI.
There you will find an option to configure account lockout until an admin unlocks it; select that option and forget everything.
To cross-check what I am saying, check the values of the password policy within the attribute editor; it will show you "(Never)".

Shaun Vermaak (Technical Specialist) Commented:
I would put a reasonable value, like 15 min, for msDS-LockoutObservation. msDS-LockoutObservation and msDS-LockThreshold work together to determine when to lock out an account.

PS: msDS-LockThreshold of 4 is very low in my opinion
Windows Server 2008
