Account Lockout Threshold Not Working

G

-=gu=-

Hi,
On my DC, in Domain Security Policy... In Windows
Settings, Security Settings, Account Policies, the
Account Lockout Threshold is set for 5 invalid attempts.
I set this myself about a year ago but never tested it.
Just found out from a user and proved it myself that the
lockout occurs at 3 bad attempts. Am I setting this in
the wrong place? Any help / much appreciated!
Thanks! -=gu=-
 
S

Steven L Umbach

Domain level is where that policy needs to be configured. You can run "net accounts"
on a domain controller to see what the threshold is. What may have happened is that
the operating system often interprets one bad logon attempt by the user as multiple
logon failures. That is one reason why MS recommends 10 as the lockout threshold
assuming users need to use reasonably secure passwords. The links below may be
helpful. --- Steve

http://www.microsoft.com/downloads/...90-a13b-4977-a4fc-3e2b67e3748e&displaylang=en
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Account Lockout Threshold 2
Reset account lockout counter after 2
Account Lockout not being applied 3
Account lockout duration=30 minutes, however account remains locked indefinitely. 5
AD accounts not being unlocked when "lockout duration" setting rea 5
Group policy, Item Account lockout duration 1
Unable To Change Account Lockout Policy in AD 1
Account Lockout Problems 1

Top