I (or in fact, a customer of mine) have a Windows 2000 Active Directory
domain divided into multiple sites. In this domain, there is a Default
Domain Security Policy active with an Account Lockout Policy. All
servers are Windows 2000 Server SP4.

This policy is set to an Account Lockout threshold of 5. This means
that an account will be locked out after 5 consecutive wrong
passwords. After 30 minutes, it will be unlocked, or earlier if you do this
manually of course. The problem is that I can't change this Lockout
threshold of 5. As far as I know, the only place I have to change this
is in the Default Domain Security Policy, so I changed the Lockout
threshold to 999, but with no effect. I can wait until Christmas (even after
commands like 'secedit /refreshpolicy machine_policy /enforce'), but
somehow, it won't change.

When I check it with the command 'net accounts', I get the following
info. As you can see, the lockout threshold is 5, although I configured
it to 999.

Screenshot: http://www.jw-racing.nl/public/lockout.jpg

After that, I ran gpresult.exe and got the following info:

The computer received "Registry" settings from these GPOs:

Local Group Policy

The computer received "Security" settings from these GPOs:

Local Group Policy
Default Domain Controllers Policy

The computer received "EFS recovery" settings from these GPOs:

Local Group Policy

I also checked (with gpedit.msc) the Local Group Policy and the
Default Domain Controllers Policy, but neither of them is configured with
a Lockout Policy.

Then, I found this Knowledgebase article from Microsoft:

It says that this behaviour is caused either by Block Policy
Inheritance being enabled or by the password policy not being set in the
Default Domain Policy. This, however, is in both cases not the problem.
I don't have this Block Policy Inheritance option enabled, and the
password policy IS set in my Default Domain Policy.

I'm clueless, who can help me out? Whatever I try, the account lockout
policy won't change.

Thanks a lot! If you need more info, do not hesitate to ask.


Wouter Jorritsma
The Netherlands

Steven L Umbach

According to your gpresult, your domain controller is not receiving domain policy for
some reason. One reason is that block inheritance is enabled on the domain controller
container, which I would double check by using AD Users and Computers, selecting the
domain controller container, and then going to properties/Group Policy and verifying
that "block policy inheritance" is unchecked. Otherwise your default GPO for the
domain has become corrupt, has filtering permissions applied to it [which gpresult
would normally show], or has become unlinked from the domain container. I would first
verify that the default domain GPO is linked to the domain container. Another thing
to try is to add a new GPO to the domain container, place it at the top of the list,
and define account policy for it to match what you want. You could then run a secedit
/refreshpolicy machine_policy /enforce on it and then a few minutes later check your
results with net accounts and gpresult again. If none of that helps, run netdiag and
then dcdiag on the domain controller looking for any pertinent failed
tests/errors/warnings, and look in Event Viewer for any errors that may give you a
clue. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301423 --- how to install
netdiag and dcdiag.
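The two checks this thread keeps coming back to, net accounts and gpresult, can be scripted so the mismatch is spotted automatically after each change. The following is an added example, not code from either poster: it parses the text output of both tools and reports when the effective lockout threshold differs from the intended one or when the domain-linked GPO (assumed here to be named "Default Domain Policy") did not deliver Security settings. The net accounts sample is constructed to mirror the screenshot; the gpresult sample is the Security section quoted in the question.

```python
import re
# Constructed sample of `net accounts` output mirroring the thread's screenshot
# (threshold 5 although 999 was configured in the Default Domain Policy).
NET_ACCOUNTS_SAMPLE = """\
Lockout threshold:                        5
"""

# The "Security" section of the gpresult output quoted in the original post.
GPRESULT_SAMPLE = """\
The computer received "Security" settings from these GPOs:

    Local Group Policy
    Default Domain Controllers Policy
"""

def parse_net_accounts(text):
    """Return the 'Lockout ...' settings as ints; 'Never' (lockout off) -> 0."""
    settings = {}
    for m in re.finditer(r"^(Lockout [^:]+?)\s*:\s*(\S+)", text, re.M):
        settings[m.group(1)] = 0 if m.group(2).lower() == "never" else int(m.group(2))
    return settings

def parse_gpresult(text):
    """Map each area ('Registry', 'Security', ...) to the GPOs that delivered it."""
    areas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r'The computer received "([^"]+)" settings from these GPOs:', line)
        if m:
            current = m.group(1)
            areas[current] = []
        elif current and not line and areas[current]:
            current = None  # blank line after the GPO names closes the section
        elif current and line:
            areas[current].append(line)
    return areas

def check_lockout_policy(net_accounts_text, gpresult_text, intended_threshold,
                         domain_gpo="Default Domain Policy"):
    """Return findings; an empty list means the effective policy is as intended."""
    findings = []
    threshold = parse_net_accounts(net_accounts_text).get("Lockout threshold")
    if threshold is None:
        findings.append("no 'Lockout threshold' line in net accounts output")
    elif threshold != intended_threshold:
        findings.append(f"effective threshold {threshold}, intended {intended_threshold}")
    # Account policy is delivered by the GPO linked at the domain; it must be listed under "Security".
    security_gpos = parse_gpresult(gpresult_text).get("Security", [])
    if domain_gpo not in security_gpos:
        findings.append(f"'{domain_gpo}' absent from Security GPOs: {security_gpos}")
    return findings
```

Run it against the real output of both tools on the domain controller after each attempted fix; an empty findings list means the domain GPO applied and the threshold took effect.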

