Unable To Change Account Lockout Policy in AD

Guest

Recently I set an Account Lockout Policy at the root level in Active Directory in the Default Domain Policy with the following settings:
* Account Lockout Threshold 5 Failed Attempts
* Account Lockout Duration 30 Minutes
* Reset Account Lockout After 30 Minutes
After I made the settings I had several user and system accounts locked out. After unlocking the accounts I have not had any further issues with the system accounts, but continued to have issues with user accounts.
I then went back into the Default Domain Policy and reset all the values to Not Defined, replicated the changes and refreshed the policy on all domain controllers; however, this did not seem to change the account lockout policy.
At the command prompt I entered: net accounts and the values were still 5, 30 and 30.
Am I doing something wrong? Why are the new values not taking in AD?
Any help with this issue would be greatly appreciated.
 
Paul Adare

microsoft.public.win2000.security news group, Rusty Berry said:
Recently I set an Account Lockout Policy at the root level in Active directory in the Default Domain Policy with the following settings:
* Account Lockout Threshold 5 Failed Attempts
* Account Lockout Duration 30 Minutes
* Reset Account Lockout After 30 Minutes
After I made the settings I had several User and system accounts locked out. After unlocking the accounts I have not had any further issues with the system accounts, but continued to have issues with user accounts.
I then went back into the Default Domain Policy and reset all the values to Not Defined, replicated the changes and refreshed the policy on all domain controllers, however this did not seem to change the account lockout policy.
At the command prompt I entered: net accounts and the values were still 5, 30 and 30.
Am I doing something wrong? Why are the new values not taking in AD?
Any help with this issue would be greatly appreciated.

You need to read up on how Group Policy works at a very basic level
(there are some great white papers on the MS web site).

Not Configured means exactly what it says. What you've done is used GP
to apply the lockout settings you wanted, and then, by changing it to Not
Configured, you've effectively said, "This GPO will not determine what
these settings are. Whatever the current settings are, they'll stand".

You need to configure the settings to exactly what you require now.
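
The distinction drawn in the reply above, as an added example that is not part of the original thread: a check that compares `net accounts` output with the lockout keys a GPO security template defines. It assumes a setting that is Not Defined is simply absent from the template's `[System Access]` section; the sample output, both template excerpts (including the values 10 and 15) and the function names are constructed for illustration.

```python
# Labels printed by `net accounts` -> [System Access] keys in GptTmpl.inf.
LABEL_TO_KEY = {
    "Lockout threshold": "LockoutBadCount",
    "Lockout duration (minutes)": "LockoutDuration",
    "Lockout observation window (minutes)": "ResetLockoutCount",
}
# Constructed sample: `net accounts` lines with the values from the thread.
NET_ACCOUNTS = """\
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
"""
# Constructed templates: lockout keys absent (Not Defined) vs. set explicitly.
GPO_NOT_DEFINED = "[System Access]\nMinimumPasswordLength = 8\n"
GPO_EXPLICIT = ("[System Access]\nLockoutBadCount = 10\n"
                "ResetLockoutCount = 15\nLockoutDuration = 15\n")

def parse_net_accounts(text):
    """Map lockout lines to template keys; a threshold of 'Never' is 0."""
    out = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")
        key, value = LABEL_TO_KEY.get(label.strip()), value.strip()
        if sep and key:
            never = key == "LockoutBadCount" and value.lower() == "never"
            out[key] = 0 if never else int(value) if value.isdigit() else value
    return out

def parse_template(text):
    """Return the lockout settings defined under [System Access]."""
    out, section = {}, None
    for line in map(str.strip, text.splitlines()):
        key, sep, value = (p.strip() for p in line.partition("="))
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "System Access" and sep and key in LABEL_TO_KEY.values():
            out[key] = int(value)
    return out

def audit(effective, template):
    """Classify each effective lockout value against what the GPO defines."""
    report = {}
    for key, current in effective.items():
        if key not in template:      # GPO is silent, so the current value stands
            report[key] = ("unmanaged", current)
        else:                        # GPO defines a value: in effect yet or not?
            state = "enforced" if template[key] == current else "pending"
            report[key] = (state, template[key])
    return report
```

With the Not Defined template every lockout setting is reported as `unmanaged` with the old 5/30/30 values still in effect, which is the situation described in the question.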
 
