C Emmons (United States) asked:
Fine Grained Password Policy -- Account Lockout not working?

Fine Grained Password Policy -- is not locking out failed login attempts.  

These are the settings.  My understanding is that not setting them is like an infinite duration and infinite observation window?  The policy is applied to a group, which contains the user.  Other policy settings work, such as length and complexity.  The resultant policy command shows it is applied.  It never locks the account?  Why?

msDS-lockout duration : None
msDS-LockoutObservation: None
msDS-LockThreshold:  4
Mahesh (India) replied:
When the lockout duration and observation window are set to None, how will the lockout threshold lock the user account? It never will with this config.

Put some value in both parameters and check; it will work.
C Emmons (asker):

The settings are mandated by the Security officer -- should I not be able to leave them unset -- and then not reset the lockout counter -- and have no automatic unlock -- these are required settings.
OK
Set both settings to "(never)", without the quotes, and it will work.
Change None to Never -- it defaults to None?
No, "never" will lock the account permanently until an administrator unlocks it, which is your requirement.
"None" will never lock the account, as far as I know.
The threshold is '4' -- so it locks after 4 failures, right?  The lockout observation and duration are None -- not set -- which should mean they never reset -- the count goes on forever and an admin has to unlock -- which is what I want?
That's correct.

Only set the other two options to (never).

It should be within brackets as shown above, and then it will lock until an administrator unlocks the account.
Are you sure it is not supposed to be None?  I can't find setting it to Never in the documentation.  Do you have a reference?  The default was None -- essentially not set ...?
ASKER CERTIFIED SOLUTION -- Mahesh (India); the solution text is only available to Experts Exchange members.
I would put a reasonable value, like 15min for msDS-LockoutObservation. msDS-LockoutObservation and msDS-LockThreshold work together to determine when to lockout an account.

PS: an msDS-LockThreshold of 4 is very low, in my opinion.
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
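The misconfiguration the thread turns on (a lockout threshold with no duration and no observation window) is easy to audit across every PSO in the domain. The script below is an added example, not code from the thread or from any of its participants; it assumes the RSAT ActiveDirectory module, read access to the Password Settings Container, and that an unset msDS-LockoutDuration / msDS-LockoutObservationWindow surfaces as $null on the cmdlet output (an assumption; the GUI shows it as "None"). The account name 'jdoe' is a placeholder.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# RSAT module and rights to read PSOs in the Password Settings Container.
Import-Module ActiveDirectory

# Report every PSO whose lockout threshold is set but whose duration or
# observation window is unset: the combination that never locks anyone out.
function Get-PsoLockoutAudit {
    Get-ADFineGrainedPasswordPolicy -Filter * |
        ForEach-Object {
            $missing = @()
            # Assumption: an unset attribute is returned as $null by the cmdlet.
            if ($null -eq $_.LockoutDuration)          { $missing += 'msDS-LockoutDuration' }
            if ($null -eq $_.LockoutObservationWindow) { $missing += 'msDS-LockoutObservationWindow' }
            [PSCustomObject]@{
                Name                     = $_.Name
                Precedence               = $_.Precedence
                LockoutThreshold         = $_.LockoutThreshold
                LockoutDuration          = $_.LockoutDuration
                LockoutObservationWindow = $_.LockoutObservationWindow
                AppliesTo                = ($_.AppliesTo -join '; ')
                MissingAttributes        = ($missing -join ', ')
                # Threshold > 0 with either timer unset: lockout will not fire.
                Ineffective              = ($_.LockoutThreshold -gt 0 -and $missing.Count -gt 0)
            }
        }
}

# Confirm which PSO actually wins for a given user (lower precedence number
# wins), since a group-linked PSO can be shadowed by one linked to the user.
function Get-UserLockoutPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) {
        Write-Warning "No PSO applies to $SamAccountName; the Default Domain Policy is in effect."
        return
    }
    $pso | Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

# List only the PSOs that will never lock an account, then check one user.
Get-PsoLockoutAudit | Where-Object Ineffective | Format-Table -AutoSize
Get-UserLockoutPolicy -SamAccountName 'jdoe'   # 'jdoe' is a placeholder account
```

Any PSO listed by the first call has the same problem as the asker's policy; the second call verifies that the PSO you fixed is the one the user actually resolves to.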