Re: Account Lockout threshold
From: ikbea (ikbea_at_discussions.microsoft.com)
Date: 06/14/05
- Next message: Adepenguin: "Re: Remote Desktop Connection"
- Previous message: Mike: "Re: Expiring AntiSpyware"
- In reply to: Roger Abell [MVP]: "Re: Account Lockout threshold"
- Next in thread: Roger Abell [MVP]: "Re: Account Lockout threshold"
- Reply: Roger Abell [MVP]: "Re: Account Lockout threshold"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 14 Jun 2005 00:02:01 -0700
The domain has three domain controllers:
- i.e. one is the primary domain controller (PDC) and the other two are backup
domain controllers (BDC1 & BDC2).
- All are Windows 2000 Advanced Servers with Service Pack 3; as they are used
in a production environment, it takes time to plan for upgrading to Service
Pack 4.
There are several member servers:
- Windows 2000 Advanced Servers with Service Pack 3.
- Two of these member servers are called MServer1 and MServer2.
Domain Security Policy - Account lockout threshold
================================
        effective
PDC     Not defined
BDC1    Not defined
BDC2    Not defined

Domain Controller Security Policy - Account lockout threshold
======================================
        effective
PDC     Not defined
BDC1    Not defined
BDC2    Not defined

Local Security Policy - Account lockout threshold
================================
          local                      effective
PDC       0 invalid logon attempts   Not defined               (WHY is it not the same as local??)
BDC1      0 invalid logon attempts   0 invalid logon attempts
BDC2      0 invalid logon attempts   0 invalid logon attempts
MServer1  5 invalid logon attempts   5 invalid logon attempts
MServer2  5 invalid logon attempts   0 invalid logon attempts  (WHY is it not the same as local??)
As the domain level policy is not defined, I assumed the "effective
settings" should be the same as the "local settings" in "Local Security Policy" (i.e.
domain level policy will not override local policy). However, this is not
true for the server PDC and MServer2. Why, and how can I correct it?
Moreover, the event log showed some strange entries; I don't know whether they are related
or not.
1. In security log - MServer2 and PDC
The following entry is logged when new local security settings are applied (e.g.
running secedit to refresh):
Category: Account Management
Event ID: 643
Domain Policy Changed: Password Policy modified
However, no "Domain policy changed: Lockout policy modified" is shown in the
security log.
2. In PDC, file replication log:
Source: NTFrs
Type: Error
Event ID: 13568
The File Replication Service has detected that the replica set "DOMAIN
SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR
Thanks again!
"Roger Abell [MVP]" wrote:
> I thought you indicated W2k at SP3 (you really, really, really need to
> get SP4 on those machines!!) so I have no idea what you are saying
> about PDC and 2 BDCs?
>
> That effective is showing as 0 on MServer2 and local as 5 indicates
> that there is a GPO with this settings in use that is being applied to
> MServer2. I would look at the OU level for a GPO that has MServer2
> in its scope of management.
>
> The way to do this, if you intend to make the setting as you are stating
> for member server login with member server local accounts (not domain
> accounts) is to set the policy values in a GPO that is linked at the OU
> level to a containing OU of the members.
>
> If you are after affecting these behaviors for domain accounts when used
> on the members, this can only be done in manner that affects all machines
> in entire domain when a domain account logs in to them.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server: Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "ikbea" <ikbea@discussions.microsoft.com> wrote in message
> news:3129AE99-0262-4772-A4D3-650857D06E74@microsoft.com...
> > For further information
> > In All DCs, the
> > "Domain Controller Security Policy", "Domain Security Policy"
> > local setting = not defined
> > effective setting = not defined
> >
> > In PDC, "local policy" --> account lockout threshold
> > local setting = 0 invalid logon attempts
> > effective setting = not defined (WHY ??)
> >
> > In two BDC, local policy --> account lockout threshold
> > local setting = 0 invalid logon attempts
> > effective setting = 0 invalid logon attempts
> >
> > Thanks
> >
> >
> > "ikbea" wrote:
> >
> >>
> >> Three domain controller: one primary and two backup
> >> Member servers (joined same DC) : MServer1, MServer2
> >> All are windows 2000 SP3 servers
> >>
> >> I want to set account policy in MServer1 and MServer2:
> >> Account Lockout duration: Not defined (original) --> 30minutes (new)
> >> Account Lockout threshold: 0 (original) --> 5 (new) invalid logon
> >> attempts
> >> Reset account lockout counter after: Not defined (original) --> 30minutes
> >> (new)
> >>
> >> In MServer, all settings were changed as I expected.
> >> However, for MServer2, in "local policy settings --> account lockout
> >> threshold", the local setting = 5, the effective setting = 0.
> >>
> >> In DC, the
> >> "Domain Controller Security Policy", "Domain Security Policy" and "Local
> >> Security Policy", the effective setting = not defined
> >>
> >> I tried to change MServer2 account lockout threshold to 5 in "Local
> >> Security Policy", "MMC-->Group policy" and "MMC-->Security Configuration
> >> and Analysis", but the effective setting is still = 0
> >>
> >> How to set account lockout threshold to 5 in MServer2?
>
>
>
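One way to check the local-versus-effective discrepancy described in this thread and spot the overriding GPO Roger points to: an added PowerShell example, not from the thread, that exports the local security template with secedit, reads the value in force from "net accounts", and lists the applied computer GPOs when they differ. It assumes a current domain-joined Windows host with secedit, net and gpresult, an elevated prompt, and a temporary file path that is an assumption.

```powershell
# Added example: compare the local template's lockout threshold with the
# effective value and, if they differ, show which GPOs were applied.
$inf = Join-Path $env:TEMP 'local-secpol.inf'   # assumed scratch path
secedit /export /cfg $inf /quiet | Out-Null

# secedit writes the [System Access] section as "Key = Value" lines.
$local = @{}
$section = ''
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -eq 'System Access' -and $line -match '^(\w+)\s*=\s*(.*)$') {
        $local[$Matches[1]] = $Matches[2].Trim()
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# LockoutBadCount is the local template value; 0 means "never lock out".
# A missing key corresponds to "Not defined" in the GUI.
$localThreshold = if ($local.ContainsKey('LockoutBadCount')) {
    [int]$local['LockoutBadCount']
} else { 'Not defined' }

# "net accounts" reports the value actually enforced on this machine;
# it prints "Never" when the threshold is 0.
$effLine = (net accounts | Select-String 'Lockout threshold').ToString()
$effectiveThreshold = if ($effLine -match 'Never') { 0 } else { [int]($effLine -replace '\D', '') }

"Local template lockout threshold : $localThreshold"
"Effective lockout threshold      : $effectiveThreshold"

if ("$localThreshold" -ne "$effectiveThreshold") {
    Write-Warning 'Local and effective values differ: a GPO in scope for this computer overrides the local setting.'
    # Computer-scope RSoP; look for an OU-linked GPO that contains this server.
    gpresult /scope computer /v | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10
}
```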