AD accounts not being unlocked when "lockout duration" setting reached

Guest

Our default domain account lockout policy is set like this:

Lockout Threshold - 4 attempts
Lockout Duration - 15 minutes
Reset Counter After - 5 minutes

User accounts are being locked out correctly when the threshold is met, but
they are NOT being unlocked when the lockout duration period is reached.
Once locked out, user accounts are staying locked out until they are manually
unlocked.

Nothing obvious in the event logs. Any ideas?

Thanks,
Paul
 
Steven L Umbach

Don't know offhand. When you run the "net accounts" command on the domain
controller does it show 15 minutes for the lockout duration? --- Steve
 
Guest

Yes, it all looks good:

C:\>net accounts /domain
The request will be processed at a domain controller for domain <domainName>.

Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 90
Minimum password length: 6
Length of password history maintained: None
Lockout threshold: 4
Lockout duration (minutes): 15
Lockout observation window (minutes): 5
Computer role: BACKUP
The command completed successfully.


It's the strangest thing, but appreciate any help or suggestions anyone has.

Thanks,
Paul
 
Steven L Umbach

Did you run this on a Windows 2000 domain controller or an NT4.0 domain
controller? The reason I ask is that the computer role shows as "backup",
and I am not sure whether that indicates an NT4.0 BDC or a Windows 2000 domain
controller that is not the PDC FSMO. You might also want to run net accounts
on the PDC FSMO and run the support tool gpotool to see if policy is
replicating correctly. When you run gpotool, you should see all your domain
controllers listed with versions of both AD and sysvol policy. It will
report any problems such as mismatches. --- Steve
 
Guest

I had actually run it from my workstation. This is a Win2K domain running in
native mode and I get the same result from the PDC FSMO, which looks good:

C:\Temp>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 90
Minimum password length: 6
Length of password history maintained: None
Lockout threshold: 4
Lockout duration (minutes): 15
Lockout observation window (minutes): 5
Computer role: PRIMARY
The command completed successfully.


GPOTool looks good as well (output is lengthy so I'll spare you that). DS
version, Sysvol version and Functionality version all match and gpotool
reports "Policies OK".

But still user accounts don't unlock unless we manually unlock
them...frustrating. And rare I guess since I haven't had much luck finding
any info on it or others who have had the same or similar problem...

Thanks for the help though,
Paul
 
Steven L Umbach

Hmm. I can't think of much else. What I would try is to set the reset
counter time to the same as the lockout duration time, which is what the
operating system would suggest when you change the setting. Anytime you
change domain password/lockout policy, be sure that block inheritance is not
enabled on the domain controller container, as that can prevent changes from
applying. In addition, consider raising the lockout threshold to no less than
ten, which is what Microsoft recommends. I see you already have a minimum
password length of six, which may also mean that you have password complexity
enabled. A setting of ten will still effectively deter brute force password
attacks with your password policy and reduce your lockouts. Note that one
failed logon attempt by a user can count as multiple failed attempts as far as
the operating system is concerned in some situations. --- Steve
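A check for the symptom described in this thread, added here as an example and not code posted by anyone in the thread: it reads the effective domain lockout policy and, for every account with a lockoutTime set, reports whether the lockout duration has already elapsed and whether the DC still reports the account as locked. It assumes the ActiveDirectory PowerShell module (RSAT), which did not exist on Windows 2000, and it queries the PDC emulator because that DC holds the authoritative lockout state.

```powershell
# Added example: compare effective lockout policy with the state of locked accounts.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

# Lockouts are replicated urgently to the PDC emulator, so ask that DC.
$pdc = (Get-ADDomain).PDCEmulator

$policy   = Get-ADDefaultDomainPasswordPolicy -Server $pdc
$duration = $policy.LockoutDuration            # TimeSpan, e.g. 00:15:00
$window   = $policy.LockoutObservationWindow   # TimeSpan, e.g. 00:05:00

"Threshold: {0}  Duration: {1}  Window: {2}" -f $policy.LockoutThreshold, $duration, $window

# The DC never rewrites lockoutTime when the duration elapses; it simply treats
# the account as unlocked once (now - lockoutTime) exceeds LockoutDuration.
# So a non-zero lockoutTime alone does not mean "still locked": read the
# computed UF_LOCKOUT bit (0x10) in msDS-User-Account-Control-Computed as well.
$now = Get-Date
Get-ADUser -Server $pdc -LDAPFilter '(lockoutTime>=1)' `
           -Properties lockoutTime, 'msDS-User-Account-Control-Computed' |
    ForEach-Object {
        $lockedAt    = [DateTime]::FromFileTime($_.lockoutTime)
        $age         = $now - $lockedAt
        $stillLocked = ($_.'msDS-User-Account-Control-Computed' -band 0x10) -ne 0
        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            LockedAt        = $lockedAt
            Age             = $age
            PastDuration    = $age -gt $duration     # should have auto-unlocked
            DCReportsLocked = $stillLocked           # what the DC actually says
        }
    } | Sort-Object LockedAt | Format-Table -AutoSize
```

Rows with PastDuration true and DCReportsLocked true are the cases this thread describes; rows with PastDuration true and DCReportsLocked false mean the DC has already aged the lockout out and only a tool reading lockoutTime directly still shows it as locked.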
 
