AD, ADSI & Account Lockout Question

darkPeace

Setting the Stage:

I have written some ASP scripts to create, modify, validate and delete users from
Active Directory. I have set up a child domain (or tree) with an OU (I use
LDAP to create users in this OU). Everything works great, except the
account policy settings for lockout.

I initially attempted to set a unique group policy at the OU level for
lockout attempts, however after reading many articles I realized this is not
possible, and that only the root domain account policy applies to all groups /
OUs. Fine, I accept that.

IIS is running on the child DC machine and is running as an administrative
user.


The Problem:

My account policy for lockout attempts is set to '4' on the child domain
(e.g. child.parent.com). The parent domain lockout attempts policy is set
to disabled (unlimited attempts).

When I authenticate via ADSI, my account is locked after 2 attempts. Where
the heck does this come from?? I would expect either 4 or none, but 2?? I
have changed the attempts value several times on the child domain (tree); it
does not seem to matter what I do. Nothing changes.

Your thoughts please.
 
darkPeace


Okay, I have some new info on this and a correction to some of what I
wrote above. Attempts to change the lockout threshold do affect the
behavior. When setting the login threshold to '4', I am locked out after
two invalid attempts. When I then set the threshold to 5, I am locked out after 3:

Setting of the lockout threshold (value = attempts observed before lockout):

4 = 2 attempts then lockout
5 & 6 = 3 attempts then lockout
7 & 8 = 4 attempts then lockout
8 & 9 = 5 attempts then lockout

I'm sure you can see the pattern here. It would seem that my code is
attempting two login attempts per ASP form submit. However, when I add the
'Server\Errors Login' counter to the performance monitor I am only seeing one error per
web-based login attempt.

Please help. Code below:

'Calling function
verNo = ADSIUserVerify(username, password)

Function ADSIUserVerify(userid, password)
    rem 0   = Valid Userid and Password
    rem 101 = Invalid userid
    rem 102 = Disabled
    rem 103 = Locked
    rem 104 = Valid UserId, Bad Password
    rem GetDomain, ADSIIsAccountDisabled and ADSIIsAccountLocked are
    rem helper functions defined elsewhere in the poster's scripts.

    On Error Resume Next
    Err.Clear
    Dim UserName
    Dim user
    Dim Disabled
    Dim Locked
    Dim oAuthorized
    Dim oNamespace
    UserName = "WinNT://" & GetDomain("WINNT") & "/" & userid & ",user"
    Set user = GetObject(UserName)

    rem Err.Number is 0 on success; ADSI failures report a non-zero (negative) HRESULT
    If (Err.Number <> 0) Then
        rem Invalid Userid
        ADSIUserVerify = 101
    Else
        Disabled = ADSIIsAccountDisabled(userid)
        Locked = ADSIIsAccountLocked(userid)
        If (Disabled = True) Then
            rem Disabled
            ADSIUserVerify = 102
        ElseIf (Locked = True) Then
            rem 103 locked
            ADSIUserVerify = 103
        Else
            rem Clear any stale error so only the bind below is judged
            Err.Clear
            Set oNamespace = GetObject("WinNT:")
            rem 1 = ADS_SECURE_AUTHENTICATION
            Set oAuthorized = oNamespace.OpenDSObject("WinNT://" & GetDomain("WINNT"), _
                userid, password, 1)
            If (Err.Number <> 0) Then
                ADSIUserVerify = 104
            Else
                ADSIUserVerify = 0
            End If
        End If
    End If
End Function
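One way to check whether a single form submit really costs one or two failed attempts is to read the user's badPwdCount on the domain controller before and after one OpenDSObject bind done the same way as the posted function. This is an added diagnostic, not part of darkPeace's scripts; the DC name, NetBIOS domain, user DN and test account below are placeholders to fill in.

```vbscript
' Added diagnostic, not part of the poster's scripts. Placeholders below
' (DC name, NetBIOS domain, user DN, test account) are assumptions to fill in.
Option Explicit

Const ADS_SECURE_AUTHENTICATION = 1
Const DC_NAME   = "dc01.child.parent.com"
Const NB_DOMAIN = "CHILD"
Const USER_DN   = "CN=Test User,OU=WebUsers,DC=child,DC=parent,DC=com"
Const USER_ID   = "testuser"
Const BAD_PWD   = "definitely-not-the-password"

' badPwdCount is kept per domain controller and is not replicated. Every
' failed attempt is also forwarded to the PDC emulator, so point DC_NAME at
' the child domain's PDC emulator (or run this in a single-DC domain).
Function ReadBadPwdCount(dcName, userDn)
    Dim oUser, n
    Set oUser = GetObject("LDAP://" & dcName & "/" & userDn)
    On Error Resume Next
    n = oUser.Get("badPwdCount")
    If Err.Number <> 0 Then n = 0   ' attribute absent on a fresh account
    On Error GoTo 0
    ReadBadPwdCount = n
End Function

' One WinNT OpenDSObject bind with a wrong password, mirroring the posted
' ADSIUserVerify, bracketed by badPwdCount reads. Returns how many failed
' attempts the DC recorded for that single bind: 1 is the expected value,
' 2 would reproduce the "threshold minus two" lockout seen in the thread.
Function FailedAttemptsPerBind(dcName, userDn, nbDomain, userId, badPwd)
    Dim before, after, oNamespace, oBound
    before = ReadBadPwdCount(dcName, userDn)

    On Error Resume Next
    Set oNamespace = GetObject("WinNT:")
    Set oBound = oNamespace.OpenDSObject("WinNT://" & nbDomain, _
        userId, badPwd, ADS_SECURE_AUTHENTICATION)
    On Error GoTo 0

    after = ReadBadPwdCount(dcName, userDn)
    FailedAttemptsPerBind = after - before
End Function

WScript.Echo "failed attempts recorded for one bind: " & _
    FailedAttemptsPerBind(DC_NAME, USER_DN, NB_DOMAIN, USER_ID, BAD_PWD)
```

Run it with cscript under the same account IIS uses, so the bind path matches the web application's; if it reports 2, the extra failure is coming from the bind itself rather than from a double form submit.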
 
