Account lockout threshold remember/goes back to the old value?


Oskarsson Mikael

Hi

My customer has migrated from NT4 to W2K.
They have a dual trust between the 2 domains.

Some months ago the customer changed the value "Account lockout
threshold" from the default (0?) to 5.
After that many accounts were locked, so the customer changed it to 20 and
many fewer account lockouts occurred.
After some weeks the number of locked accounts increased again, and we found
the value was 5 again, but no person had changed it.
So we changed it again to 20.
We ran net account and it shows 20.
But if we write the password wrong 5 times it locks the account.
We have a utility (lockout something) from MS that can check "bad password".
If I create a new account and try to start an application (Exchange System
Manager) with "run as" with the new account, it is locked after five times.
(I check it with the utility after each time; it goes 1,2,3,4,5 and locked.)
So we changed it to 50.
We ran net account and it shows 50.
But still accounts lock out after 5 bad passwords.

It seems like AD is stuck at the value 5 for "Account lockout
threshold".

What to do?

Regards Mikael
 

diasmith [MSFT]

Hello,

This does sound strange, here are some things to verify:

1. Please verify if there are any "block inheritance" on any policy below
the default domain policy?

2. What is the "account lockout observation window" set to? If it is set
too low, this would make it so that the account lockout count was reset
quickly before the user
had a chance to make enough bad password attempts to lock out.

3. Make sure the policy is set up correctly --> Verify the "Account
lockout threshold" policy using the following steps:

In the Default Domain policy, do the following:
======================================================
Computer Configuration\Windows Settings\Security Settings\Account
Policies\Account Lockout Policy\
Ensure that "Account lockout duration" is set to "Not defined"
Ensure the "Account lockout threshold" is set to "Defined".
Ensure that "Account lockout threshold" is set to "the number that you
want" invalid logon attempts
Ensure that "Reset account lockout counter after" is set to "Not defined"
Force replication between the DCs or wait about 15 minutes and then retest.

Thank You.

Diana.



This posting is provided "AS IS" with no warranties, and confers no rights.
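An added example, not code from the thread or from Microsoft: a PowerShell script that asks every domain controller for the effective lockout settings Diana lists (threshold, observation window, duration) and flags any DC that does not report the threshold the administrator believes is set. It assumes the RSAT ActiveDirectory module is available on the machine it runs from; the `$ExpectedThreshold` parameter is a name chosen here for the script, not a Windows setting.

```powershell
# Added example, not from the thread. Reads the effective account lockout
# settings from every domain controller and flags any DC whose threshold
# differs from the value the administrator expects.
# Assumes: RSAT ActiveDirectory module installed; the caller can read the
# domain. $ExpectedThreshold is a hypothetical script parameter.
param(
    [int]$ExpectedThreshold = 20
)
Import-Module ActiveDirectory

# Account lockout policy for domain accounts is stored on the domain head
# (lockoutThreshold, lockoutDuration, lockOutObservationWindow); that is what
# this cmdlet reads. A GPO only takes effect once it has written those values
# and they have replicated to the DC answering the logon.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $p = Get-ADDefaultDomainPasswordPolicy -Server $dc.HostName
    [pscustomobject]@{
        DC                = $dc.HostName
        Threshold         = $p.LockoutThreshold          # 0 means "never lock out"
        ObservationWindow = $p.LockoutObservationWindow  # counter resets this long after the last bad password
        LockoutDuration   = $p.LockoutDuration           # 0 means "until an administrator unlocks"
        Matches           = ($p.LockoutThreshold -eq $ExpectedThreshold)
    }
}
$results | Format-Table -AutoSize

# A DC that still answers with the old threshold is the one to look at first:
# either the policy never applied there or the change has not replicated to it.
$stale = @($results | Where-Object { -not $_.Matches })
if ($stale.Count -gt 0) {
    $msg = '{0} DC(s) report a threshold other than {1}: {2}' -f $stale.Count, $ExpectedThreshold, ($stale.DC -join ', ')
    Write-Warning $msg
}
```

`Get-ADDefaultDomainPasswordPolicy -Server` returns the lockout values as each DC currently holds them, so a DC that still answers 5 after the policy was changed to 20 or 50 is where the next questions (did the policy apply on that DC, did the change replicate to it) should be asked. `LockoutObservationWindow` is the value behind Diana's point 2: the bad-password counter is reset that long after the last failed attempt.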
 

Oskarsson Mikael

Hi, I am at work now and testing.

See my answers below.

-----Original Message-----

From: MO-Konsult [mailto:[email protected]]

Sent: 5 November 2003 21:02

To: Oskarsson Mikael

Subject: Fw: Account lockout threshold remember/goes back to the old value?

"diasmith [MSFT]" <[email protected]> wrote in message
Hello,

This does sound strange, here are some things to verify:

1. Please verify if there are any "block inheritance" on any policy below
the default domain policy?

MIKAEL: That's OK.

2. What is the "account lockout observation window" set to? If it is set
too low, this would make it so that the account lockout count was reset
quickly before the user
had a chance to make enough bad password attempts to lock out.

MIKAEL: Where can I check that????????

3. Make sure the policy is set up correctly --> Verify the "Account
lockout threshold" policy using the following steps:

In the Default Domain policy, do the following:

Computer Configuration\Windows Settings\Security Settings\Account
Policies\Account Lockout Policy\
Ensure that "Account lockout duration" is set to "Not defined"

MIKAEL: Can't be done, it will set all 3 to not defined!!!!!!!!

Ensure the "Account lockout threshold" is set to "Defined". Ensure
that "Account lockout threshold" is set to "the number that you want"
invalid logon attempts

MIKAEL: I set it to 50.

Ensure that "Reset account lockout counter after" is set to "Not defined"

MIKAEL: Can't be done, it will set all 3 to not defined!!!!!!!!
 

Diana Smith [MSFT]

Hello,

1. Where did you set the value?

-- the domain security policy

-- domain controller policy


2. Are group policies being applied correctly?

-- you can verify by checking for an "event id 1704" in the application
log.

3. You have verified that the Domain Controller OU does not have block
policy inheritance set.

4. After a user has logged on, run "gpresults /s" to check to see what
policies are being applied and from where the policy is coming from.
321709 HOW TO: Use the Group Policy Results Tool in Windows 2000
http://support.microsoft.com/?id=321709


Other Info
========
Net account is the NT 4.0 way of looking at this; the best way for you to
see the effective settings is to go to the Local Security Policy and view
the settings from there.

If the value is not being reset to a different value, you may have a
replication issue.

Thank You.

Diana.


This posting is provided "AS IS" with no warranties, and confers no rights.
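An added example, not from the thread: a PowerShell script that runs Diana's checks 2 to 4 and her replication note from one domain controller, so the place the lockout threshold is coming from can be traced rather than guessed. It assumes the RSAT ActiveDirectory and GroupPolicy modules and the built-in `gpresult` and `repadmin` tools are present on the DC it runs from; `$dcOU` is constructed from the standard Domain Controllers OU path.

```powershell
# Added example, not from the thread. Traces where the effective lockout
# policy comes from: which GPOs are linked at the domain root and the Domain
# Controllers OU, whether inheritance is blocked, whether the security policy
# engine applied on this DC (SceCli event 1704), what gpresult reports, and
# the replication summary.
# Assumes: run on a DC with the RSAT ActiveDirectory and GroupPolicy modules;
# gpresult and repadmin are present on the DC.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$dcOU     = "OU=Domain Controllers,$domainDN"   # constructed standard OU path

# 1. Links and inheritance at the two places that matter for domain account
#    lockout policy. A blocked inheritance, or a second GPO carrying a
#    threshold of 5 linked closer to the DCs, would explain the symptom.
foreach ($target in @($domainDN, $dcOU)) {
    $inh = Get-GPInheritance -Target $target
    '{0}: inheritance blocked = {1}' -f $target, $inh.GpoInheritanceBlocked
    $inh.GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize
}

# 2. Did the security policy extension apply on this DC? SceCli logs event
#    1704 in the Application log on success; no recent 1704 means the
#    security settings in the GPO were not written here.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SceCli'; Id = 1704 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 3. Which GPOs this DC has applied, and from where (Diana's point 4).
gpresult /r /scope:computer

# 4. Replication summary: a DC with failures keeps serving the old
#    threshold, which looks like the value "going back" on its own.
repadmin /replsummary
```

Read the output top down: a non-default link order, an enforced link, or `inheritance blocked = True` at the Domain Controllers OU explains a threshold that does not match the Default Domain Policy; a missing event 1704 means the policy was never applied on this DC; replication errors in the last section mean the change was applied on one DC and never reached the others.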
 
