troubleshooting Question

Windows Account Lockout Policy, not taking effect

Avatar of ctna
ctnaFlag for United States of America asked on
Windows OS
2 Comments1 Solution18 ViewsLast Modified:
Windows Account Lockout Policy, 2 problems.

A previous admin configured a policy to lock after 4 failed attempts and auto-unlock after 15 minutes. This drives us crazy because by the time the end-user calls us, the account has unlocked. Wasted their time, wasted our time. I want to remove auto-unlock and require an admin to unlock.

Default Domain Policy is blocked from inheritance on Computer OU's. Each computer OU has its own policy. I have modified all policies to reflect 10 failed attempts, 1440 minutes for the duration (had it set to 0, wasn't working so I thought I'd try the 1440), reset counter after 15 minutes (and I reviewed every policy in each OU to make sure there isn't a duplicate entry).

I did this on the default domain policy and all specific OU's.

I ran RSOP, and it reported what I expected to see (the policy I defined).
I have forced GP update.
I checked Local Securiy Policy, shows exactly what it should.
Accounts lockout after 4 failed attempts and they are still auto-unlocking.

Check event logs to try and determine the source, and it only shows events where an admin has unlocked an account.
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 2 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 2 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros