Account Lockout...

Ketta

I have domain, local, domain controller policies all set to lock out an
account after 3 invalid logon attempts. None of our users are logging into
the domain, only through Outlook for Exchange. When they enter the wrong
password more than 3 times the account is not locked, does anyone know why
this is? Every workstation is using a local account and operates completely
independent of the domain.

Thank you,
Mike Stiers
 
Diana Smith [MSFT]

Hello Ketta,

Please take a look at the following article:

Unexpected Account Lockouts Caused When Logging On to Outlook from an
Untrusted Domain -->
http://support.microsoft.com/default.aspx?scid=KB;EN-US;276541

Microsoft's recommendation is to set the account lockout to 10:

"Bad Password Threshold is set too low: This is one of the most common
misconfiguration issues. Many companies set the Bad Password Threshold
registry value to a value lower than the default value of 10. If you set
this value too low, false lockouts occur when programs automatically retry
invalid passwords. Microsoft recommends that you leave this value at its
default value of 10. For more information, see "Choosing Account Lockout
Settings for Your Deployment" in this document."

This information was obtained from "Account Lockout Best Practices" --->
http://www.microsoft.com/downloads/details.aspx?familyid=8c8e0d90-a13b-4977-a4fc-3e2b67e3748e&displaylang=en

Thank You

Diana.


This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
| From: "Ketta" <[email protected]>
| Subject: Account Lockout...
| Date: Mon, 8 Nov 2004 09:54:42 -0500
| Newsgroups: microsoft.public.win2000.security
 
Lanwench [MVP - Exchange]

Ketta said:
I have domain, local, domain controller policies all set to lock out an
account after 3 invalid logon attempts. None of our users are
logging into the domain, only through Outlook for Exchange. When
they enter the wrong password more than 3 times the account is not
locked, does anyone know why this is? Every workstation is using a
local account and operates completely independent of the domain.

Thank you,
Mike Stiers

Well, if they're using local accounts, this makes perfect sense. Why are
they using local accounts anyway? This is not a good practice - what's the
client OS? If they're using XP Home, upgrade them to XP Pro. XP Home doesn't
belong on a domain.

For the domain accounts, don't set lockout. It's more trouble than it's
worth - just make sure you force regular pw changes & enable complex
passwords.
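
To check why a given account did or did not lock, as asked in this thread, compare the lockout policy the domain actually enforces with each domain controller's own bad-password counter for that account. The script below is an added example, not part of any post above. It assumes the ActiveDirectory PowerShell module (RSAT), which post-dates the Windows 2000 environment discussed here, and a hypothetical account name `jdoe`.

```powershell
# Added example. Assumptions: the ActiveDirectory module (RSAT) is installed,
# and 'jdoe' (hypothetical) is the domain account behind the Exchange mailbox.
Import-Module ActiveDirectory

$sam = 'jdoe'   # hypothetical account name

# 1. The lockout policy the domain enforces for domain accounts.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration

if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'LockoutThreshold is 0: domain accounts never lock out.'
}

# A fine-grained password policy, if one applies to this user, overrides the
# domain default. The cmdlet returns nothing when no such policy applies.
Get-ADUserResultantPasswordPolicy -Identity $sam |
    Select-Object Name, LockoutThreshold, LockoutObservationWindow

# 2. badPwdCount and badPasswordTime are not replicated between domain
#    controllers, so each DC has to be asked for its own view of the account.
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $sam -Server $dc.HostName `
                -Properties badPwdCount, badPasswordTime, LockedOut `
                -ErrorAction Stop

        # badPasswordTime is a FILETIME value; 0 or empty means "never".
        $last = $null
        if ($u.badPasswordTime) {
            $last = [datetime]::FromFileTime($u.badPasswordTime)
        }

        [pscustomobject]@{
            DC          = $dc.HostName
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = $last
            LockedOut   = $u.LockedOut
        }
    }
    catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

# The DC with the highest count is the one receiving the failed attempts.
$rows | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize
```

On the workstation itself, `net accounts` shows the local lockout threshold, which governs only that machine's local accounts.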
 
